Exercise threat modeling
Security can't be a separate department in a silo. It also can't be added at the end of a project. Security must be part of DevOps, and together they're called DevSecOps.
The biggest weakness is not knowing the flaw in your solution. Microsoft has created a threat modeling tool to remediate it, which helps you understand potential security vulnerabilities in your solution.
The Threat Modeling Tool is a core element of the Microsoft Security Development Life cycle (SDL).
It allows software architects to identify and mitigate potential security issues early when they're relatively easy and cost-effective to resolve.
As a result, it dramatically reduces the total cost of development.
The tool has been designed with non-security experts in mind, making threat modeling easier for all developers by providing clear guidance on creating and analyzing threat models.
The tool enables anyone to:
- Communicate about the security design of their systems.
- Analyze those designs for potential security issues using a proven methodology.
- Suggest and manage mitigations for security issues.
In this exercise, we'll see how easy it's to use the Threat Modeling tool to see potential vulnerabilities in your infrastructure solution that one should consider when provisioning and deploying the Azure resources and the application solution into the solution.
Getting started
- Download and install the Threat Modeling tool.
How to do it
Launch the Microsoft Threat Modeling Tool and choose the option to Create a Model.
From the right panel, search and add
Azure App Service Web App
andAzure SQL Database
, and link them up to show a request and response flow, as demonstrated in the following image.From the toolbar menu, select View -> Analysis view. The analysis view will show you a complete list of threats categorized by severity.
To generate a full report of the threats, select Reports -> Create a full report from the toolbar menu, and select a location to save the report.
A full report is generated with details of the threat, the SLDC phase it applies to, possible mitigation, and links to more information.
There's more
You can find a complete list of threats used in the threat modeling tool here.