Home > Subjects > IT/Technology > Threat Modelling and Analysis During Software Development

Threat Modelling and Analysis During Software Development


Topic: Comprehensive study on threat modelling and analysis during software development


Threat modelling is an organized way to recognize, evaluate and address the security risk related to an application. Incorporating the threat shows in the SDLC expands the security at an initial phase of building up an application. Threat modelling procedure can be formed into three stages: Application Decomposition, Threats & ranks determination & deciding about the mitigation and countermeasures. The fundamental target of threat modelling is limiting risk & related effects. In numerous associations, the security of an application is regularly tended to after the deployment. Over 70% of deposits, vulnerabilities exist at the application layer and not at the framework or system layer [1].


Recognizing security issues in software before these issues are uncovered into the production environment is an essential factor for relieving the likelihood and effect of a threat agent​​ focusing on these vulnerabilities. When security issues are recognized, the subsequent stage is to decide the seriousness of the exposure, likely, to determine the probability, effect, and whether these vulnerabilities should be remediated and how. Distinguishing the potential threats focusing on an application can begin first with investigating the potential threat agents, their intentions, and their objectives, such that the outcomes like business functionality & data that the application is expected to give. Fundamentally, this threat investigation comprises of leading a risk analysis of the application before the application is created. This threat examination can be founded on the high-level requirements depicting the business goals, such as the kind of​​ data and functionality described as essential to satisfy these business goals.

At this stage, it may be conceivable to characterize at a high level about the potential threats that may influence the functionalities & data, what's more, to decide some of the security requirements to alleviate the risk presented by these threats. Fundamentally, this implies inserting an activity of threat modelling to dissect these threats in the SDLC's early periods. The primary objective of implanting this threat modelling​​ is to recognize potential risks as right on time as conceivable with the goal that they can be overseen by outlining, executing, & testing countermeasures all through the SDLC [2].

Danger modelling can occur at the stage where the design is set up. Take it as it might, not all possibilities are optimal. Regardless of where a protection individual winds up with the performance of the hazard model, realise that the expense of solving problems progresses together with big increments in the SDLC. The sooner you are able to differentiate future attacks and squash such bugs, the more time and cost-productive these priorities would be. Bear in mind, and manufacturing defence is smarter in that it is about jolting defence on it. Be it as it might, once again, not all circumstances are flawless and not all programmes undergo a hazard simulation evaluation in the middle of their enhancement.

Although threat modelling can take place as early as can realistically be anticipated, regardless of how much closer an application is to the implementation point, it is always a beneficial operation. The production period of an application could have been achieved, but within the help period, hazard modelling may also be selected. In a framework, hazard modelling gives insight into possible faults. A careful evaluation advises your association about the present design level security position of an application. In this manner, an estimate is calculated to decide between putting further in that system through threat modelling.

Moreover, Threat modelling is a part of security risk examination, and it is usually directed by applying a particular approach to finding and modelling the threats [4]. The three fundamental ways to deal with threat modelling are software-centric, attacker-centric & asset-centric. The essential focal points of applying threat modelling in each of the SDLC phases are security requirements & testing, the secure design and secure release of the application after an occurrence. The extent of the threat modelling is​​ to survey the attacker's point of view of the architecture to decide whether the security controls set up are adequate to lessen the potential effect of attacks targeting the application and its data [1,2].

Problem Statement:

Before application development, the term threat modelling implies conducting a complete risk analysis of the application. However, such comment contains the information of the initial SDLC phases until the current stage and all sorts of potential threats that may influence the system in any way. There is a need to decide a portion of the security requirements that detect the danger proficiently. The real issue emerges here is how we can implant the threat modelling to distinguish the potential risks as quickly as time permits so they can be altogether overseen and specific countermeasures were taken for them during or before the entire SDLC phase; however, for such purpose, different approaches of threat modelling were used & it’s something a real issue for selecting the one or to depend​​ on some particular approach’s output.

Research Questions:

  • The thesis will be thoroughly based on these research questions:

  • How can we identify the threat modelling in the SDLC phases? [3]

  • How to combine the different techniques of threat​​ modelling?

  • For using an integrated threat modelling, what are the Pros & Cons?

Research Methodology:

Our Research is thoroughly based upon the academic literature & from the textbooks related to threat modelling. Moreover, we have adopted the methodology by studying the most common three approaches to threat modelling.

​​ All of these three approaches are focused on the software or assets, attackers. In our thesis work, we will propose a method to the threat modelling that will study all these approaches thoroughly & then integrate all of them that will be helpful in all of the phases of the SDLC.​​ 

​​ Moreover, to gather the qualitative data for our research, we have planned to conduct a case study. Finally, we will analyze the information we get to examine the​​ positive results we will get after integrating the three approaches.​​ 

As our methodology will be based on the combination of three approaches to threat modelling (asset-, the attacker- and software-centricS) that would be helpful in each phase of SDLC. The​​ proposed methodology will be designed generically to modify & combine some other threat modelling approaches that will point out in the future.

The Model:

Step by Step Elaboration

1st​​ Step (S1):

The very first step in the model shows us the cloud​​ that lets us know about the case under analysis for some scenarios found in SDLC containing the threat. However, the scenario case under investigation should be in diagram & text.

The second step shows how the case described in step one is analyzed in parallel using three different approaches. Even though the courses are various and are handled by other teams, they output attack trees. As mentioned above, the systems do not have to be an asset-, attacker and software-centric. It is possible to use more than​​ the three or other approaches as well.

2nd Step (S2):

When it comes to the second step, we came to know that the case described in the first step will be analyzed thoroughly by all three approaches of threat modelling. Although it is clear that all of these approaches are different from each other & worked by separate teams, they still output the attack trees. As already described, it's a generic model to use any of the approaches rather than the three ones (asset-, the attacker- and software-centric).

3rd​​ Step (S3):

Here comes the major 3rd step, which includes combining this step; the output we get from the three different approaches will be integrated into a threat scenarios complete model. The model's figure shows us the third approach (A3) output, which described the threat scenario that was found for the representation that is the same as of first approach node 1.2 (A1.2).

Henceforth the two trees were consolidated by replacement of A1.2 in tree A1 along with the tree from A3. Whereas the second approach output (A2) was found for the separation of some unrelated threat scenario to any of the other trees. That tree was in this manner repeated & pulled down beside the merged tree.

It must be noted that the step of merging is explicitly shown to figure & not the method generally. Moreover, which tree or trees ought to be merged relies upon the actual trees & the output of content that different approaches reveal.​​ 

Scope Limitation:
The scope of our topic & the methodology proposed in it is to analyze & to examine various ways to discover & model threat scenarios faces during SDLC. It doesn't utilize these threat scenarios further. It does, e.g. not cover the analysis of risk & how to mitigate the chance to enhance the security of SDLC. Threat evaluation is dependably a segment of risk analysis, which, e.g. additionally incorporates asset & impact evaluation.

Research Significance:

This research will help detect the threat in each & every phase of SDLC, so for this purpose, we have proposed to study thoroughly​​ about the three approaches of threat modelling & form a model that merges these approaches that will be helpful in threat analysis in SDLC.​​ 

Tool Analysis:

However, on the other hand, for some practical threat modelling of a system, we will explore one​​ of the latest threat-modelling tools in the market, "IRIUS RISK," which efficiently uses to provide a single integrated console to create a threat model. In contrast, this tool is quite similar to our methodology, so we decided to work on them. In comparison, this tool also allows us to manage application security risk throughout the SDLC [7].

  • [1] Threat Modeling Overview. (, 2015). Risk Centric Threat Modeling,1-62. doi: 10.1002/9781118988374.ch1

  • [2] Threat Modeling within the SDLC. (2015). Risk Centric Threat Modeling,195-234. doi: 10.1002/9781118988374.ch4

  • [3] Conklin, W. A. (n.d.). Threat Modeling and Secure Software Engineering Process. Handbook of Research on Information Security and Assurance,415-422. doi:10.4018/978-1-59904-855-0.ch036

  • [4] Maheshwari, V., & Prasanna, M. (2016). Integrating risk assessment and threat modeling within SDLC process. 2016 International Conference on Inventive Computation Technologies (ICICT). doi:10.1109/inventive.2016.7823275

  • [5] V., & Q. (2008). Threat modeling using attack trees. Journal of Computing Sciences in College,23(4), april 2008, 124-131. Retrieved from https://dl.acm.org/citation.cfm?id=1352100.

  • [6] Ucedavélez, T., & Morana, M. M. (2015). Risk Centric Threat Modeling. doi:10.1002/9781118988374

  • [7] C. (2018, August 21). IriusRisk - threat modeling tool. Retrieved from https://www.continuumsecurity.net/threat-modeling-tool/


Related Posts

Leave a Comment