Evaluation of OWASP Application Threat Modeling: Applied to production systems
Abstract
Developing secure software applications has become increasingly important over the last decades. Applications that were initially developed to operate in isolated networks are now exposed to the internet and vulnerable to exploitation. The OWASP community was created to increase awareness regarding secure software. As part of this effort it has created a guide for determining and modeling concrete and potential threats to an application. The following report is an evaluation of whether the OWASP Application Threat Modeling methodology and guide can successfully be applied to an in-production system. It also addresses to what degree the guide is accessible enough for first-time users and whether the techniques utilized by the guide complement each other. To answer these questions, a case study was conducted in which this methodology was applied to systems at the "Norwegian State Educational Loan Fund" (Lånekassen). A pre-study of relevant literature, papers and publications related to the development of secure software was undertaken in order to gather the necessary background information and uncover previous studies within this field. In order to perform the case study, information about the Lånekassen systems was needed, and therefore an analysis of documentation and source code was performed. Additional information and verification were obtained through interviews with system experts. During the execution of OWASP Application Threat Modeling, several artifacts were produced. These artifacts were used to develop the threat model of the system. Possible threats, analysis of threats, and both current and possible mitigations were documented. The case study and analysis of the methodology revealed that the threat modeling guide is far too open-ended to be easily accessible and usable for newcomers.
In relation to applying OWASP Application Threat Modeling to an in-production system, it was found that it requires a high level of involvement from system experts and other stakeholders to generate relevant results. The various techniques used in the guide mostly complement each other well, but this characteristic does at times seem challenging to grasp.