The designer will ensure threat models are documented and reviewed for each application release and updated as required by design and functionality changes or new threats are discovered.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6148	APP3020	SV-6148r1_rule	DCSQ-1	Medium

Description
The lack of threat modeling will potentially leave unidentified threats for attackers to utilize to gain access to the application.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-2960r1_chk )
Review the threat model and identify the following sections are present: • Identified threats • Potential mitigations • Mitigations selected based on risk analysis Detailed information on threat modeling can be found at the Open Web Application Security Project (OWASP) website. If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. 1) If the threat model does not exist, or does not have identified threats, potential mitigations, and mitigations selected based on risk analysis, as sections within the Threat Model, it is a finding. 2) If the threat model has not been updated to reflect the application release being reviewed, this is a finding. Verify the mitigations selected in the threat model have been implemented. 3) If the mitigations selected based on risk analysis have not been implemented, this is a finding. Review the identified threats from the each of the application’s networked components. For example, a backend server may accept SQL queries and SSH connections and also have an NFS share. Next, examine firewall rules and router ACLs that prevent clients from reaching these access points, effectively reducing the area of the threat surface. For example, if the backend database accepts queries but is in an enclave where there are no user workstations and firewall rules allow only web traffic, this is not a finding. For each of the remaining access points, attempt to access these resources in a similar manner as the application would without utilizing the user interface (e.g., send SQL query using a tool outside of the application or attempt to access a share using command line utilities). 4) If a user can authenticate to any of these remaining access points outside of the intended user interface, this is a finding. The finding details should note the application component accessed and the method or tool used to access it.

Check Text ( C-2960r1_chk )

Review the threat model and identify the following sections are present:
• Identified threats
• Potential mitigations
• Mitigations selected based on risk analysis

Detailed information on threat modeling can be found at the Open Web Application Security Project (OWASP) website.

If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable.

1) If the threat model does not exist, or does not have identified threats, potential mitigations, and mitigations selected based on risk analysis, as sections within the Threat Model, it is a finding.

2) If the threat model has not been updated to reflect the application release being reviewed, this is a finding.

Verify the mitigations selected in the threat model have been implemented.

3) If the mitigations selected based on risk analysis have not been implemented, this is a finding.

Review the identified threats from the each of the application’s networked components. For example, a backend server may accept SQL queries and SSH connections and also have an NFS share. Next, examine firewall rules and router ACLs that prevent clients from reaching these access points, effectively reducing the area of the threat surface. For example, if the backend database accepts queries but is in an enclave where there are no user workstations and firewall rules allow only web traffic, this is not a finding.

For each of the remaining access points, attempt to access these resources in a similar manner as the application would without utilizing the user interface (e.g., send SQL query using a tool outside of the application or attempt to access a share using command line utilities).

4) If a user can authenticate to any of these remaining access points outside of the intended user interface, this is a finding.

The finding details should note the application component accessed and the method or tool used to access it.

Fix Text (F-16986r1_fix)
Establish and maintain threat models and review for each application release and when new threats are discovered. Identify potential mitigations to identified threats. Ensure mitigations are implemented to threats based on their risk analysis.