THREAT MODELING

The Web Infomatrix Threat Modeling service is a key security analysis technique that helps development and management teams identify critical risks and make better security decisions. It is essentially a structured representation of all the information that affects the security of an application: a view of the application and its environment through security glasses.
You benefit from :
  1. Reduced costs, by removing as many bugs as possible before development.
  2. A solid understanding of the application architecture.
  3. Systematic identification and rating of threats.
  4. A process that aims to identify all possible threats to an application.
  5. A methodology streamlined to minimize the impact on the existing development process.
  6. Rated threats addressed with appropriate countermeasures.
  7. Identification of all misuse cases for an application.
  8. A consistent methodology for objectively identifying and evaluating threats to applications.
  9. Translation of technical risk into business impact.
  10. No requirement for security subject-matter expertise.
  11. Controls to eliminate or mitigate threats.
  12. Application-specific countermeasures.
  13. Empowerment of the business to manage risk.
  14. A methodology optimized for SDL-IT integration.
  15. Awareness of the security dependencies and assumptions.
Features :
Web Infomatrix security experts thoroughly assess application designs throughout the SDLC from both technical and non-technical perspectives. This procedure helps optimize network, application and Internet security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.
The result is a detailed report of findings and specific recommendations for remediating any vulnerabilities found.
Key Features :
  1. Thorough assessment of application designs that may jeopardize critical or sensitive data.
  2. Assessment of application designs for vulnerabilities that may jeopardize the confidentiality, integrity and availability of critical or sensitive data.
  3. Functional review of the application from both a client and a server perspective.
  4. Analysis performed by SB security experts who have a background in application development.
  5. A mixture of the following: network security, host security, web security and application security.
  6. A detailed report providing recommendations for mitigating discovered risks.
Benefits :
Web Infomatrix threat modeling helps safeguard your organisation against failure through:
  1. Minimized cost of fixing bugs after development.
  2. Early definition of potential security issues in your applications, before development.
  3. Translation of technical risk into business impact.
  4. Reduced costs, by removing as many bugs as possible before development.
  5. More focused security assessments.
  6. A security strategy.
  7. A vital tool for ensuring the integrity and security of business applications.
  8. Prioritized security features.
  9. Our proprietary methods and processes.
  10. Translation of vulnerabilities into business impact.
  11. Increased awareness of threats, making it possible to secure applications against unauthorized users who could exploit programming flaws to access the application and use it maliciously.
  12. Bridging the gap between security teams and application teams.
  13. Industry-leading expertise, support and guidance from SB's security research and development team.
  14. An understanding of the value of countermeasures.
  15. Compliance with federal and state regulations that require security awareness training.
  16. Acquiring and maintaining certifications to industry regulations (BS7799, HIPAA, OSSTMM, OWASP).
  17. Improved security awareness.
Technical Information :
Threat Modeling is a key and often under-appreciated security analysis technique that development and management teams use to identify critical risks and make better security decisions. Whether performed on an existing application or throughout the software development lifecycle, Threat Modeling is an essential component of risk management because it helps quantify and visualize the otherwise intangible threats that an application carries. The time required to analyze a large number of applications is greatly reduced, while real threats are exposed with minimal false positives. Furthermore, it facilitates co-operation between design decisions, implementation guidelines, testing activities and risk mitigation, and produces a persistent and tangible asset that can be used at a later date when new risks are uncovered.
Threat Modeling of an Existing Application :
For many organisations, security is an afterthought, bolted on in the later stages of the software development lifecycle (SDLC). In this context, a threat model begins by identifying the application's features and user/attacker entry points, noting feature characteristics such as relevance to security and the access level required to perform related tasks. These high-level threats are then broken down into sub-threats that can be more easily addressed and prioritized using various ranking techniques.
Threat Modeling in the Software Development Lifecycle (SDLC) :
Proactive organisations integrate security at all stages of the SDLC, and in doing so use threat analysis to its full potential. The process by which threats are characterized and ranked can be similar to the one described above; however, the threat model evolves as the product progresses through its lifecycle and is leveraged for decision making. For example, at the requirements/design phase you might reject the addition of a feature because of the additional attack vectors it creates.
Our Approach :
Effective threat analysis requires security expertise as well as intimate knowledge of the application and implementation. We work closely with your team to ensure that we identify the full range of threats your application faces. Our process includes the following steps:
  1. Understand architecture and security requirements - The application is analyzed to determine what needs to be secured.
  2. Identify assets - The system is divided into a series of assets. These represent items of value that you want to protect or that an attacker would like to gain access to.
  3. Build an activity matrix - This is a set of explicit mappings that specify each role in the system, including which assets the role has access to.
  4. Identify threats that put assets at risk - Threats are defined against each specific asset. Specific attention is given to the confidentiality, integrity and availability of each asset.
  5. Identify attacks that could be used to realize threats - Irrelevant threats are removed and the remaining threats are used to define attacks against the system.
  6. Identify testable conditions for each attack - Attack condition definitions are guided by the expertise of our security consultants in conjunction with client documentation and risk management teams.
Report :
After all Threat Modeling activities are completed, we will provide you with a Final Report that includes a summary of our top-level findings as well as the following:
  1. System Decomposition - breaks the application into high-level components, assets and roles. This allows our engineers to achieve a coarse understanding of the interconnections of the system.
  2. Top Threats - highlight the items with the largest potential for security impact.
  3. The Activity Matrix & Rules - provide a full matrix of the interactions between assets and roles.
  4. Threat Trees - list the attacks (grouped by asset) and the necessary conditions that need to be in place to make the attacks feasible.
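As an added illustration of the approach steps and the report structure above (example code written for this page, not Web Infomatrix's own tooling), the following models a hypothetical web shop: the roles, assets, activity matrix, threats, attack conditions and the 1..5 likelihood x impact ranking scale are all assumed sample values, and the "observed" conditions stand in for what a design review would find.

```python
from dataclasses import dataclass

# Step 3: activity matrix, (role, asset) -> permitted actions.  Constructed sample data;
# a role with no row (e.g. "anonymous") is permitted nothing.
ACTIVITY_MATRIX = {
    ("customer", "customer_db"): {"read_own"},
    ("admin", "customer_db"): {"read_any", "write", "export"},
    ("customer", "session_store"): {"create"},
    ("admin", "session_store"): {"create", "revoke"},
}

@dataclass(frozen=True)
class Threat:
    asset: str
    cia: str            # property at risk: confidentiality / integrity / availability (step 4)
    description: str
    likelihood: int     # 1..5, assumed ranking scale (the page does not prescribe one)
    impact: int         # 1..5
    conditions: tuple   # testable conditions that must ALL hold for the attack (steps 5-6)

    def score(self) -> int:
        return self.likelihood * self.impact

# Steps 4-5: threats defined per asset, each with the attack's necessary conditions.
THREATS = [
    Threat("customer_db", "confidentiality", "customer reads another customer's record",
           4, 5, ("object_authz_missing",)),
    Threat("session_store", "integrity", "attacker fixes a victim's session id",
           3, 4, ("session_id_accepted_from_url", "no_rotation_on_login")),
    Threat("customer_db", "availability", "unbounded export exhausts the database",
           2, 3, ("no_export_rate_limit",)),
]
# Step 6: conditions the (assumed) design review actually found to be true.
OBSERVED = {"object_authz_missing", "no_rotation_on_login", "no_export_rate_limit"}

def role_may(role: str, asset: str, action: str) -> bool:
    """Activity Matrix & Rules lookup: is this action permitted for this role on this asset?"""
    return action in ACTIVITY_MATRIX.get((role, asset), set())

def feasible(threat: Threat, observed: set) -> bool:
    """Threat Tree evaluation: the attack is feasible only if every leaf condition holds."""
    return all(c in observed for c in threat.conditions)

def rank_threats(threats, observed) -> list:
    """Top Threats: drop infeasible attacks, order the rest by likelihood x impact."""
    live = [t for t in threats if feasible(t, observed)]
    return sorted(live, key=lambda t: t.score(), reverse=True)
```

With the observed conditions above, the session-fixation threat drops out because one of its two conditions was not found, and the confidentiality threat against the customer database ranks first.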
Compliance :
The Web Infomatrix Threat Modeling service can meet the requirements of many standards and guidelines relating to information security. Our testing team has working knowledge of the following standards and aims to exceed their requirements.

1. PCI :
The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.

2. ISACA :
ISACA was established in 1967 and has become a pace-setting global organisation for information governance, control, security and audit professionals. Its IS Auditing and IS Control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.
3. CHECK :
The CESG IT Health Check scheme was instigated to ensure that sensitive government networks, and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure), were secured and tested to a consistently high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. In the absence of other standards, CHECK has become the de facto standard for penetration testing in the UK, mainly on account of its rigorous certification process. Whilst good, it concentrates only on infrastructure testing and not on applications. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association. It must also be noted that CHECK consultants are only required when the assessment is for HMG or related parties and meets the requirements above. If you want a CHECK test, you will need to surrender your penetration testing results to CESG.
4. BS7799 :
BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995. It was written by the United Kingdom Government's Department of Trade and Industry (DTI), and after several revisions, was eventually adopted by ISO as ISO/IEC 17799. ISO/IEC 17799 was most recently revised in June 2005 and was renamed to ISO/IEC 27002 in July 2007. The BS 7799-2 focused on how to implement an Information security management system (ISMS), referring to the information security management structure and controls identified in BS 7799-2, which later became ISO/IEC 27001. The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) (Deming quality assurance model), aligning it with quality standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005. BS7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.
5. HIPAA :
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. The Administrative Simplification (AS) provisions of HIPAA require the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The AS provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system.