
Method of Integrating Security Scanning Results with a Threat Modeling Tool

IP.com Disclosure Number: IPCOM000240743D
Publication Date: 2015-Feb-25
Document File: 5 page(s) / 72K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method to leverage vulnerability information from an application security testing tool within a threat modeling tool in order to automate a significant portion of the threat modeling process.



Threat modeling is a process that aims to produce a list of countermeasures that can be implemented to prevent potential security attacks on an application. It takes architects and security specialists from a generic description of the application to a definition of the threats that apply, and from there to the weaknesses through which those threats are realized. Once the threat model is created, the owner of the application has a list of all applicable weaknesses, each identified by a Common Weakness Enumeration (CWE) identifier (ID). The threat modeling activity is carried out in a threat modeling tool. Separately, each security test executed by an application security testing tool is associated with a CWE, which is the link the method below relies on.

During a threat modeling activity, a lot of time is spent verifying that countermeasures exist to mitigate the identified threats. This manual process requires intimate knowledge of the application. A further problem with current threat modeling processes is the potential for false negatives: for example, the architect may believe a countermeasure is implemented when in fact it is not, so the resulting threat model is inaccurate.

There are no known solutions to this problem; the current approaches are manual.

The novel contribution is a method to leverage vulnerability information from an application security testing tool within a threat modeling tool in order to automate a significant portion of the threat modeling process. With this approach, the threat modeling tool can automatically detect:

- When a countermeasure is not implemented
- False po...
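The correlation the disclosure describes rests on one shared key: the threat model lists weaknesses by CWE ID, and every test the scanner runs is tagged with a CWE ID. The following is an added example, not code from the disclosure or from any particular threat modeling or scanning product. It constructs a small threat model and a small scan report inline (the field names `cwe`, `claimed`, `finding` and `location` are assumptions, not any tool's export format) and joins them by CWE to flag the case the text calls out: a countermeasure the architect marked as implemented while the scanner still finds the weakness. Weaknesses no test covered are reported as such, rather than silently treated as mitigated, so the manual verification effort can be focused on them.

```python
"""Correlate threat-model weaknesses with scanner findings by CWE ID.

Added example; the data below is constructed and the record layout is an
assumption, not the format of the disclosure's threat modeling tool.
"""
from collections import defaultdict

# Constructed threat model: each applicable weakness carries a CWE ID and the
# architect's claim about whether its countermeasure is in place.
THREAT_MODEL = [
    {"cwe": "CWE-79", "name": "Cross-site scripting",
     "countermeasure": "contextual output encoding", "claimed": "implemented"},
    {"cwe": "CWE-89", "name": "SQL injection",
     "countermeasure": "parameterized queries", "claimed": "implemented"},
    {"cwe": "CWE-352", "name": "Cross-site request forgery",
     "countermeasure": "anti-CSRF token", "claimed": "not implemented"},
    {"cwe": "CWE-287", "name": "Improper authentication",
     "countermeasure": "multi-factor authentication", "claimed": "implemented"},
]

# Constructed scan report: each executed test is associated with a CWE and
# records whether it produced a finding and where.
SCAN_RESULTS = [
    {"test": "reflected-xss-param", "cwe": "CWE-79", "finding": True,
     "location": "/search?q="},
    {"test": "sqli-error-based", "cwe": "CWE-89", "finding": False,
     "location": "/login"},
    {"test": "csrf-token-missing", "cwe": "CWE-352", "finding": True,
     "location": "/account/update"},
]


def index_by_cwe(results):
    """Group scan records by their CWE ID so each weakness can be looked up."""
    by_cwe = defaultdict(list)
    for record in results:
        by_cwe[record["cwe"]].append(record)
    return by_cwe


def correlate(threat_model, scan_results):
    """Return a per-CWE verdict: what the scanner says about each weakness.

    'countermeasure missing': at least one test for this CWE produced a finding.
    'corroborated by scan':   tests for this CWE ran and produced no finding
                              (supporting evidence, not proof of mitigation).
    'not covered by scan':    no test for this CWE ran; still needs manual review.
    """
    by_cwe = index_by_cwe(scan_results)
    report = {}
    for weakness in threat_model:
        tests = by_cwe.get(weakness["cwe"], [])
        findings = [t for t in tests if t["finding"]]
        if findings:
            status = "countermeasure missing"
        elif tests:
            status = "corroborated by scan"
        else:
            status = "not covered by scan"
        # The false negative the text describes: claimed implemented, yet the
        # scanner demonstrated the weakness is still present.
        contradicted = (status == "countermeasure missing"
                        and weakness["claimed"] == "implemented")
        report[weakness["cwe"]] = {
            "name": weakness["name"],
            "countermeasure": weakness["countermeasure"],
            "claimed": weakness["claimed"],
            "status": status,
            "claim_contradicted": contradicted,
            "evidence": [f["location"] for f in findings],
        }
    return report


def contradicted_claims(report):
    """CWE IDs whose 'implemented' claim the scan results contradict."""
    return sorted(cwe for cwe, row in report.items() if row["claim_contradicted"])


if __name__ == "__main__":
    result = correlate(THREAT_MODEL, SCAN_RESULTS)
    for cwe, row in result.items():
        line = f"{cwe:8} {row['name']:<28} claimed={row['claimed']:<16} -> {row['status']}"
        if row["claim_contradicted"]:
            line += f"  [claim contradicted at {', '.join(row['evidence'])}]"
        print(line)
    print("claims to revisit:", contradicted_claims(result))
```

Running it lists CWE-79 as a contradicted claim (output encoding was marked implemented, but the reflected XSS test found the weakness at `/search?q=`), CWE-352 as missing but consistent with the model, CWE-89 as corroborated, and CWE-287 as not covered. The third status matters as much as the first: a scanner that ran no test for a CWE tells the threat modeler nothing, so the tool should surface that gap instead of letting an absent finding read as an implemented countermeasure.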