1

We are planning to lay out guidelines in our organisation for everyone to follow a secure software development lifecycle. As part of this, we plan to adopt the security knowledge framework (SKF) that provides a checklist based on the ASVS standard to determine security requirements.

By specifying the maturity level and selecting the right category, the framework brings down the hundreds of checkpoints to just a few security requirements that the team can then implement.

After adopting the ASVS standard do we need to perform threat-modelling? If so, what value would it add assuming the security requirements determined through ASVS checklist cover the possible threats?

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • Writing good code is only a part of what is needed for secure software development. How would you know if SKF is enough for your needs if you do not build a threat model and do not do a risk assessment of your whole software development process? – A. Hersean Dec 16 '21 at 13:54

1 Answer

2

After adopting the ASVS standard do we need to perform threat-modelling?

Threat modeling is part of this framework. See section 1.1.2:

1.1.2 Verify the use of threat modeling for every design change or sprint planning to identify threats, plan for countermeasures, facilitate appropriate risk responses, and guide security testing.

So, yes, you should be threat modelling.

If so, what value would it add assuming the security requirements determined through ASVS checklist cover the possible threats?

The value is basically in the model itself.

Compare, for example, to a system model: You have a model of your system (system model) that you can use to help understand your system, discuss your system, describe your system, etc.

Similarly, if you want to be able to understand, discuss, and describe the threats you need a model of the threats (threat model).

The value of any model (threat/system/etc) is increased by increasing the model's correspondence to the actual facts. That is, you want your model to be simple enough to discuss and write down, but you also want it to accurately capture the facts as realistically as possible.

If you are having trouble getting started, I would suggest you first create a model/diagram of your system that shows the components, data transfers, etc. And then for each component, etc, you can apply STRIDE to brainstorm threats.

hft
  • 4,910
  • 17
  • 32
  • I am new to app sec so my question was what value would threat modelling add if the team has already fixed SAST/DAST reports and coded the security requirements mentioned in ASVS through SKF. I understand that threat modelling is mentioned in the ASVS checklist but since it involves a learning curve I wanted to see if we can quantify this effort. Is there some % we can derive indicating how many security threats could be caught through ASVS or threat modelling. I need to convince my organization to go through this exercise which in my past organization wasn't successful. – Andy Dufresne Dec 22 '21 at 07:01
  • SAST/DAST reports might help you fix bugs, but they don't help you understand the threats to your system. These reports also don't help you much, if at all, with respect to security flaws in your architecture. A mature organization will do more than run some automated tool and call it a day. But, it seems like most organizations would rather convince themselves otherwise. – hft Dec 22 '21 at 18:28
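The answer's suggestion (draw the system as components and data flows, then apply STRIDE to each one) can be made concrete in code. The following is an added example, not code from the answer, from OWASP SKF or from ASVS: it encodes a small system model and uses the STRIDE-per-element convention (external entities get S and R; processes get all six; data stores get T, R, I, D; data flows get T, I, D) to enumerate candidate threats, flagging flows that cross a trust boundary. The element names, trust zones and flows are constructed for illustration.

```python
"""STRIDE-per-element threat enumeration over a small system model (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# STRIDE threat categories.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: categories conventionally considered for each
# kind of element in a data-flow diagram.
APPLICABLE = {
    "external": "SR",      # external entity (user, third-party system)
    "process": "STRIDE",   # running code
    "datastore": "TRID",   # database, file, queue
    "dataflow": "TID",     # data in transit between two elements
}


@dataclass
class Element:
    name: str
    kind: str        # "external", "process" or "datastore"
    trust_zone: str  # e.g. "internet", "dmz", "internal" (constructed labels)


@dataclass
class DataFlow:
    name: str
    source: str  # Element.name
    dest: str    # Element.name
    data: str    # what travels on the flow


@dataclass(frozen=True)
class Threat:
    target: str
    kind: str
    category: str
    crosses_boundary: bool


@dataclass
class SystemModel:
    elements: Dict[str, Element] = field(default_factory=dict)
    flows: List[DataFlow] = field(default_factory=list)

    def add(self, name: str, kind: str, trust_zone: str) -> None:
        if kind not in ("external", "process", "datastore"):
            raise ValueError(f"unknown element kind: {kind}")
        self.elements[name] = Element(name, kind, trust_zone)

    def connect(self, name: str, source: str, dest: str, data: str) -> None:
        # Refuse flows that reference elements the model does not contain,
        # so the diagram and the threat list cannot silently drift apart.
        for endpoint in (source, dest):
            if endpoint not in self.elements:
                raise KeyError(f"unknown element in flow '{name}': {endpoint}")
        self.flows.append(DataFlow(name, source, dest, data))

    def crosses_boundary(self, flow: DataFlow) -> bool:
        # A flow between different trust zones crosses a trust boundary.
        return (self.elements[flow.source].trust_zone
                != self.elements[flow.dest].trust_zone)


def enumerate_threats(model: SystemModel) -> List[Threat]:
    """Brainstorm starting points: one Threat per (element, applicable category)."""
    threats: List[Threat] = []
    for el in model.elements.values():
        for code in APPLICABLE[el.kind]:
            threats.append(Threat(el.name, el.kind, STRIDE[code], False))
    for flow in model.flows:
        crosses = model.crosses_boundary(flow)
        label = f"{flow.name} ({flow.source} -> {flow.dest})"
        for code in APPLICABLE["dataflow"]:
            threats.append(Threat(label, "dataflow", STRIDE[code], crosses))
    return threats


def build_sample_model() -> SystemModel:
    """Constructed sample: browser -> web app -> user database, plus an audit logger."""
    m = SystemModel()
    m.add("Browser", "external", "internet")
    m.add("WebApp", "process", "dmz")
    m.add("AuditLogger", "process", "dmz")
    m.add("UserDB", "datastore", "internal")
    m.connect("login request", "Browser", "WebApp", "credentials")
    m.connect("user lookup", "WebApp", "UserDB", "username, password hash")
    m.connect("audit event", "WebApp", "AuditLogger", "login outcome")
    return m


def print_report(model: SystemModel) -> None:
    # Boundary-crossing flows are listed first: they deserve the earliest attention.
    for t in sorted(enumerate_threats(model), key=lambda t: (not t.crosses_boundary, t.target)):
        flag = "  [crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{t.kind:9} {t.target:42} {t.category}{flag}")


if __name__ == "__main__":
    print_report(build_sample_model())
```

The output is a list of questions to ask, not findings: "can the login request be tampered with in transit?", "can the user lookup leak the password hash?". Each row is then either answered by an ASVS requirement the team already implements, or it is a gap the checklist alone would not have surfaced; that mapping is the value the answer refers to.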