Method to Automatically Generate a Security Test Policy Based on Threat Modeling

IP.com Disclosure Number: IPCOM000240742D
Publication Date: 2015-Feb-25
Document File: 2 page(s) / 40K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method to leverage data resulting from a Threat Modeling tool to automatically construct a Security Test Policy that is appropriate for the application undergoing scans.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Automated security scanning of applications is a long and performance-intensive operation. Many of the security tests sent do not apply to the application being scanned. This causes unnecessary costs for the test teams. For a large application, the number of security tests that are sent by a tool can be between one hundred thousand and a million, making the scanning activity last for weeks.

To address this problem, security policies are used to allow the users to control the security tests that are being sent. In one existing product line, hard-coded streamlined policies have been introduced to help the user execute scans on easily addressed points of vulnerability. However, the use of hard-coded streamlined policies introduces the risk of missing a vulnerability. In addition, the management and editing of these policies involves a lot of manual work and requires security knowledge.

The novel contribution is a method to leverage data resulting from a Threat Modeling tool to automatically construct a Security Test Policy that is appropriate for the application undergoing scans.

Threat modeling is an activity that takes architects and security specialists from a generic description of the application to a definition of the threats that apply, and of the weaknesses that are used to implement those threats. Once the threat model is created, the owner of the application has a list of all applicable weaknesses, each also identified by a Common Weakness Enumeration (CWE) identifier (ID).

Each security test executed by a scanning tool is associated with a CWE. The idea is implemented as part of an automated Threat Modeling tool as follows:

1. At the end of the Threat Modeling activity, the list of applicable...
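The CWE-driven selection described above, written out as an added example (not the disclosure's own implementation). The catalog, test IDs and threat-model entries are constructed sample data; beyond plain filtering, the policy also reports modelled weaknesses that no test exercises and tests that carry no CWE mapping, since those are the two places where a generated policy can silently miss a vulnerability.

```python
import re
from dataclasses import dataclass, field

CWE_RE = re.compile(r"^(?:CWE-)?(\d+)$", re.IGNORECASE)

def normalize_cwe(value):
    """Canonicalise 'CWE-79', 'cwe-079' or '79' to 'CWE-79'; reject anything else."""
    m = CWE_RE.match(str(value).strip())
    if not m:
        raise ValueError(f"not a CWE identifier: {value!r}")
    return f"CWE-{int(m.group(1))}"

@dataclass
class SecurityTest:
    test_id: str
    cwes: frozenset  # CWE IDs the test exercises; empty means unmapped in the catalog

@dataclass
class TestPolicy:
    selected: list = field(default_factory=list)        # tests the scanner should send
    uncovered_cwes: set = field(default_factory=set)    # modelled weaknesses no test exercises
    unmapped_tests: list = field(default_factory=list)  # tests with no CWE, kept for manual review

def build_policy(threat_model_cwes, catalog):
    """Select only the catalog tests whose CWE appears in the threat model's weakness list."""
    wanted = {normalize_cwe(c) for c in threat_model_cwes}
    policy = TestPolicy()
    covered = set()
    for test in catalog:
        tags = {normalize_cwe(c) for c in test.cwes}
        if not tags:
            policy.unmapped_tests.append(test.test_id)
            continue
        hit = tags & wanted
        if hit:
            policy.selected.append(test.test_id)
            covered |= hit
    policy.uncovered_cwes = wanted - covered  # coverage gap: modelled but untestable with this catalog
    return policy

# Constructed sample data (hypothetical scanner catalog and threat-model output, not from the disclosure).
SAMPLE_CATALOG = [
    SecurityTest("xss-reflected-001", frozenset({"CWE-79"})),
    SecurityTest("sqli-error-001", frozenset({"89"})),       # bare number, normalised to CWE-89
    SecurityTest("sqli-blind-002", frozenset({"CWE-89"})),
    SecurityTest("xxe-001", frozenset({"CWE-611"})),         # not in the threat model, so not sent
    SecurityTest("legacy-check-009", frozenset()),           # no CWE mapping in the catalog
]
SAMPLE_THREAT_MODEL = ["cwe-79", "CWE-89", "CWE-352"]        # CSRF is modelled but no test covers it
```

A non-empty `uncovered_cwes` set is the signal that the catalog, not the policy, needs extending before the reduced scan can be trusted.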