1

My understanding is that threat modelling is used at the design stage to identify the possible threats, prioritize them and help in identifying security requirements/security controls. Vulnerability assessment is done during development and also in maintenance, where we scan the source code for vulnerabilities, prioritize and fix them. This link neatly explains my understanding.

But many other articles have put up the following ideas also.

  1. This link describes CVSS as a threat modelling approach, whereas CVSS is used in the vulnerability assessment workflow to rate the vulnerability.
  2. Threat modelling can help in prioritizing vulnerabilities, focus on vulnerabilities which are most likely to affect your environment.

What is the link between vulnerability assessment and threat modelling? I am doing vulnerability assessment for OTS (off the shelf) software used in my system. I use CVSS 3.1 to score the vulnerability and prioritize fixing based on the score. In what way can a threat model (like STRIDE or an attack tree) help in my vulnerability assessment?

Kumar

1 Answer

2

Answer based on personal experience.

Vulnerability Assessment := Do we have a software bug with a security implication? i.e. is there a bug in the source code that needs a patch?

Threat Model := What is the environment in which this bug exists? i.e. is the vulnerable code actually reachable in our application? Is it only reachable by trusted admins?

So you might come out with a conclusion like "According to the vulnerability assessment this is a bug and needs a patch, however according to the threat model it is not actually exploitable in our current deployment so the risk is low".

In my experience, CVEs sometimes do threat modelling, for example when the CVE is against a complete product and the deployment architecture and configuration are known (think github.com, or Windows). But often CVEs are filed against low-level libraries and frameworks (think openssl or struts), where the CVE can only say something like "If you use X functionality, then you may be vulnerable to ..." because the context for threat modelling depends on how different applications use this functionality.

Mike Ounsworth
  • We do calculate the CVSS environmental score based on the actual configuration of the vulnerable software, network topology, actual CIA impact etc. We do this by pulling up the software architecture and specs and discussing with the dev team. But can threat models do this in a better way? Do you have any links/articles/papers that explain this in detail? We are also looking to automate these scorings. Would threat modelling help in that? – Kumar Mar 10 '21 at 07:14
  • @Kumar I don't know how to do this in general; I'm speaking from my experience as a developer asking the question *"Is this CVE exploitable in our application?"*, which is often a lot of code reading and manual testing of our applications. – Mike Ounsworth Mar 10 '21 at 14:20