Why we love Threat Profiles
We create threat profiles almost every day. The more penetration tests we do, the more convinced we are that the completeness of a test hinges on the quality of the Threat Profile. Let’s look at Threat Profiles more closely.
A threat is the goal of an adversary, e.g. “steal credit cards”, “siphon funds to a fake account”, “shut down the e-commerce site”.
A threat profile is the set of all threats the system should protect against. Note that a threat profile does not talk about issues the system is vulnerable to – all that comes later, after the test. The threat profile is simply a list of all the threats.
So, why is this important?
It starts from a predicament most security testers are familiar with. When you face an application, where do you begin testing? Do you just bang a scanner at it? Do you just pull out your checklist and start running through the tests? How do you begin?
You begin by building a Threat Profile.
Before you start “attacking”, you figure out what the goals of the attacker are. What would an adversary want to achieve in this app? Because that is what you will also be looking for, and only that. You do not try every attack technique just because it’s there on your checklist; instead you design test cases that achieve the adversary’s goals.
And there is another reason you want Threat Profiles handy. They help you zoom in to the interesting variables quickly. Here’s how: one of the banking applications we are currently testing has 250+ variables. Do we try every attack, on every variable? No, we just figure out which variables are relevant to the Threat Profile, and focus our efforts on manipulating them to break in. We don’t want to manipulate that “&lang=en” phrase. And we don’t want to waste cycles attempting a Cross Site Scripting attack on that “&pos=2” input. A brute-force approach (“every attack, on every variable”) is expensive and unnecessary.
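As an added illustration, not from the original post or from Plynt’s own tooling, here is a small Python model of the filtering step just described. A constructed parameter inventory is joined against a threat profile so that only inputs reachable from some adversary goal stay in the test plan; inputs no threat touches are dropped with the reason recorded; and sensitive inputs that no threat covers are flagged as gaps in the profile itself, since an incomplete profile, not a short test, is what usually costs coverage. Every parameter name other than `lang` and `pos`, the feature labels and the `sensitive` flag are assumptions made up for the example.

```python
"""Threat-profile-driven test planning (added example; the data below is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Parameter:
    name: str
    feature: str     # the application function this input feeds (assumed label)
    sensitive: bool  # does it select or carry data an adversary would want?


@dataclass(frozen=True)
class Threat:
    goal: str
    features: frozenset  # functions an adversary must abuse to reach the goal


# Constructed inventory: a tiny slice of what a 250+ variable banking app would list.
INVENTORY = [
    Parameter("lang", "ui", False),            # from the post: not worth manipulating
    Parameter("pos", "ui", False),             # from the post: no XSS cycles spent here
    Parameter("account_id", "statement", True),
    Parameter("from_acct", "transfer", True),
    Parameter("to_acct", "transfer", True),
    Parameter("amount", "transfer", True),
    Parameter("card_no", "card_view", True),
    Parameter("session", "auth", True),
]

# The threat profile: adversary goals and the features each goal runs through.
THREAT_PROFILE = [
    Threat("steal credit cards", frozenset({"card_view", "auth"})),
    Threat("siphon funds to a fake account", frozenset({"transfer", "auth"})),
]


def relevant_parameters(threat, inventory):
    """Inputs that feed a feature the threat depends on, in inventory order."""
    return [p for p in inventory if p.feature in threat.features]


def build_test_plan(profile, inventory):
    """Map each adversary goal to the parameters worth manipulating for it."""
    return {t.goal: [p.name for p in relevant_parameters(t, inventory)] for t in profile}


def covered_names(profile, inventory):
    return {p.name for t in profile for p in relevant_parameters(t, inventory)}


def out_of_scope(profile, inventory):
    """Inputs no threat reaches: deliberately left out of the plan."""
    covered = covered_names(profile, inventory)
    return sorted(p.name for p in inventory if p.name not in covered)


def profile_gaps(profile, inventory):
    """Sensitive inputs that no threat covers: a sign the profile, not the plan, is incomplete."""
    covered = covered_names(profile, inventory)
    return sorted(p.name for p in inventory if p.sensitive and p.name not in covered)


if __name__ == "__main__":
    for goal, names in build_test_plan(THREAT_PROFILE, INVENTORY).items():
        print(f"{goal}: {', '.join(names)}")
    print("out of scope:", out_of_scope(THREAT_PROFILE, INVENTORY))
    print("profile gaps:", profile_gaps(THREAT_PROFILE, INVENTORY))
```

Run as a script it prints, for each goal, the handful of parameters the tester should spend time on, and separately the inputs that were skipped. The `profile_gaps` check is the one worth keeping: here `account_id` selects account data but belongs to no listed threat, which says the profile should be revisited before testing starts rather than that the parameter is safe.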
And that’s why we love Threat Profiles. They help us focus on outcomes that are meaningful, and the test plan is much more valuable that way.
[We explained Threat modeling and Threat Profiles in the first issue of Palisade and reviewed Snyder and Swiderski’s book on the subject next month.]
Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We’ll get back to you within one working day.