What is threat modeling? – Forward Security

A threat is something that negatively impacts an asset. When it comes to information security, and especially application security, it's all about data.

The process of threat modeling systematically identifies all the different attack steps that could be implemented in an exploit. To perform threat modeling, we take the blueprint of an application system and walk through that blueprint to identify gaps and exploit paths.

If you want to look at it in the analog or physical world, the same process could be applied if an attacker or burglar is trying to break into a system. They would take the blueprint of the building, analyze it very carefully, and then try to figure out how they can get into the building through different routes.

And that is exactly what we want to achieve in terms of application security.

• During the discovery phase, we analyze the network architecture diagram or data flow diagram, just as we would analyze the blueprints of a building, and then determine all potential attack paths.

• Next, we perform threat modeling, which is part of a risk assessment process. Once we have identified the attack vectors, the next step is to perform a pentest.

• Pentesting actually tries to find out if it is possible to exploit these paths or if one of these attacks can be carried out.

• Finally, we assign risk levels based on the impact on these assets and the likelihood of an attack.
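The steps above can be sketched as a small risk register built from a data flow diagram. This is an added example, not material from Forward Security: the node names, the 1 to 3 likelihood and impact scales, the rule that a path is only as likely as its hardest step, and the level thresholds are all assumptions chosen for illustration.

```python
# Constructed sample data flow diagram (assumption, not from the page):
# node -> [(next node, likelihood 1-3 that the flow can be abused)]
DFD = {
    "internet": [("web_app", 3), ("admin_portal", 1)],
    "web_app": [("api", 3)],
    "admin_portal": [("api", 2), ("customer_db", 2)],
    "api": [("customer_db", 2), ("audit_log", 1)],
}
ASSETS = {"customer_db": 3, "audit_log": 1}  # asset -> impact 1-3 (assumed)
ENTRY_POINTS = ["internet"]


def attack_paths(dfd, entry, assets):
    """Yield (path, per-step likelihoods) for every loop-free route to an asset."""
    stack = [(entry, [entry], [])]
    while stack:
        node, path, scores = stack.pop()
        if node in assets and scores:
            yield path, scores
        for nxt, likelihood in dfd.get(node, []):
            if nxt not in path:  # skip cycles in the diagram
                stack.append((nxt, path + [nxt], scores + [likelihood]))


def risk_register(dfd, entries, assets):
    """Rate each path: likelihood = hardest step (min), risk = likelihood * impact."""
    rows = []
    for entry in entries:
        for path, scores in attack_paths(dfd, entry, assets):
            likelihood = min(scores)
            impact = assets[path[-1]]
            score = likelihood * impact
            # Thresholds are an assumed convention for a 1-9 score.
            level = "high" if score >= 6 else "medium" if score >= 3 else "low"
            rows.append((" -> ".join(path), likelihood, impact, level))
    # Highest risk first, so those paths are validated by the pentest first.
    return sorted(rows, key=lambda r: r[1] * r[2], reverse=True)


if __name__ == "__main__":
    for route, likelihood, impact, level in risk_register(DFD, ENTRY_POINTS, ASSETS):
        print(f"{level:<6} L={likelihood} I={impact}  {route}")
```

The sorted output gives the order in which a pentest would check whether each path is actually exploitable; paths it rules out can then have their likelihood lowered in the diagram.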

www.ForwardSecurity.com

#appsec #pentesting
