Hands-on exercise 2 – Performing threat modeling of an e-commerce application
To complete this hands-on exercise, you need to have completed the previous hands-on exercise in this chapter. In this exercise, we will conduct a threat modeling exercise using the Microsoft Threat Modeling Tool, a fundamental component of the Microsoft Security Development Lifecycle (SDL). This approach involves creating an application architecture diagram and then using the tool to identify possible threats and obtain information on how to mitigate them. For this and subsequent exercises, we will use the eShop e-commerce application. Figure 3.15 shows the reference architecture of the application. There are two distinct versions of this application: a monolithic version, eShopOnWeb (accessible at https://github.com/dotnet-architecture/eShopOnWeb), and a microservices version designed for container deployment, eShopOnContainers (accessible at https://github.com/dotnet-architecture/eShopOnContainers). Both versions will be referenced in this book.
Figure 3.15 – eShopOnContainers reference architecture
Here are the tasks that we will complete in this exercise:
- Task 1 – Downloading and installing the Microsoft Threat Modeling Tool
- Task 2 – Creating a threat model diagram for the eShop application
- Task 3 – Running a threat analysis on the model
Let’s get into practical threat modeling.
Task 1 – Downloading and installing the Microsoft Threat Modeling Tool
- On the lab VM, open a web browser and browse to https://aka.ms/threatmodelingtool. This will automatically download the installer to the Downloads folder.
- Open the Downloads folder and double-click the TMT7 application:
Figure 3.16 – TMT7 application to be installed
- When prompted, click Install to install the tool. If a warning appears to install .NET Framework, click Yes to install the required version:
Figure 3.17 – Installing the tool
Once the tool has been installed, move to task 2.
Note
In this hands-on lab, we will use the Microsoft Threat Modeling Tool. Note that there are newer tools available, such as Threats Manager Studio (https://threatsmanager.com).
Task 2 – Creating a threat model diagram for the eShop application
- On the lab VM, click the Start button, then click Microsoft Threat Modeling Tool to open it:
Figure 3.18 – Opening the Microsoft Threat Modeling tool
- If you’re prompted to accept the terms and conditions, click I Agree. If you’re prompted to participate in the customer experience, feel free to deselect this option.
- In the Microsoft Threat Modeling Tool area, in the Template for New Models section, ensure that Azure Threat Model Template is selected, then click Create A Model:
Figure 3.19 – The Microsoft Threat Modeling Tool landing page
- This opens the window for creating a new model. Review the available stencils on the right. Based on the template you select while creating the model, the types of stencils change. The stencil categories available under Azure Threat Model Template are Generic Data Flow, Generic Data Store, Generic External Interactor, Generic Process, Generic Trust Border Boundary, and Generic Trust Line Boundary. You can expand each category:
Figure 3.20 – Reviewing the stencil categories and stencils
As mentioned earlier, we will be using the eShop application for the exercises. We want to identify threats and add mitigations from the planning phase. We will create the model as a data flow diagram (DFD), which maps how data moves between the application's components and across its trust boundaries.
- Use the following stencils to draw two trust boundary zones, as shown in Figure 3.21. You will need to drag each stencil into the diagram board:
- Generic Trust Border Boundary | Remote User Zone
- Generic Trust Border Boundary | Azure Trust Boundary:
Figure 3.21 – Drawing the trust boundaries
- Use the following stencils to add the Browser and Mobile Client stencils to the diagram board:
- Generic External Interactor | Browser
- Generic External Interactor | Mobile Client:
Figure 3.22 – Adding the Browser and Mobile Client stencils
- Add the following stencils to the Azure Trust Boundary section on the diagram board:
- Generic Process | Web Application
- Generic Process | Web API
- Generic Data Store | Azure SQL Database
- Generic Data Store | Azure Redis Cache:
Figure 3.23 – Adding the needed Generic Process and Generic Data Store stencils
- You can also right-click each stencil, then click on Properties to rename them and set other configurable attributes:
Figure 3.24 – Renaming the stencils (optional)
- Finally, use the following stencils to define the connections, as shown in Figure 3.25:
- Generic Data Flow | Request
- Generic Data Flow | Response
The connections to create are as follows:
- Request/Response connection between the Browser and the eShop WebApp
- Request/Response connection between the eShop WebApp and the Web API
- Request/Response connection between the Mobile Client and the Web API
- Request/Response connection between the Web API and the Ordering Microservice
- Request/Response connection between the Web API and the Basket Microservice
- Request/Response connection between the Ordering Microservice and the Azure SQL Database
- Request/Response connection between the Basket Microservice and the Azure Redis Cache:
Figure 3.25 – Simple eShop threat model
At this point, we can move on to task 3.
Task 3 – Running a threat analysis on the model
Follow these steps:
- To analyze the threats in the model, navigate to View at the top, then choose Analysis View from the icon menu selection:
Figure 3.26 – Opening Analysis View
- A list of potential threats based on the model will be displayed below the diagram. These are categorized based on the STRIDE model. Each threat in the list is assigned a severity level, along with information about its possible mitigation. You can click on the Export CSV button to export the list:
Figure 3.27 – Threat List
- Go through the list of threats generated and possible mitigations. You can update the status of each threat to Not Started, Needs Investigation, Not Applicable, or Mitigated.
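To make the analysis step less of a black box, here is a small added example (not code from the book or from the Microsoft Threat Modeling Tool) that applies the classic STRIDE-per-element rules to the same eShop DFD we drew in Task 2: two trust boundaries, the Browser and Mobile Client interactors, the processes and data stores inside the Azure Trust Boundary, and the seven Request/Response connections. The Ordering and Basket microservices are assumed to be Generic Process stencils, since the connection list treats them as processes. The element names, the CSV column headings and the boundary-crossing flag are our own constructions; the tool's real threat list and export contain more detail than this.

```python
"""
STRIDE-per-element enumeration over the eShop data-flow diagram drawn in Task 2.
Added illustration; not the Microsoft Threat Modeling Tool's own logic or file format.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Classic STRIDE-per-element table: which threat categories apply to each DFD element type.
STRIDE_PER_ELEMENT = {
    "external_interactor": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation",
                "Information Disclosure", "Denial of Service", "Elevation of Privilege"],
    "data_store": ["Tampering", "Repudiation", "Information Disclosure", "Denial of Service"],
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}

# The four triage states offered by the tool's threat list.
VALID_STATES = {"Not Started", "Needs Investigation", "Not Applicable", "Mitigated"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # key into STRIDE_PER_ELEMENT
    boundary: str   # trust boundary the element sits in


@dataclass(frozen=True)
class Flow:
    source: str
    target: str


@dataclass
class Threat:
    target: str            # element or flow the threat applies to
    category: str          # STRIDE category
    crosses_boundary: bool
    state: str = "Not Started"


def build_eshop_model():
    """Trust boundaries, stencils and connections from Task 2 (element names are ours;
    the Ordering and Basket microservices are assumed to be Generic Process stencils)."""
    elements = [
        Element("Browser", "external_interactor", "Remote User Zone"),
        Element("Mobile Client", "external_interactor", "Remote User Zone"),
        Element("eShop WebApp", "process", "Azure Trust Boundary"),
        Element("Web API", "process", "Azure Trust Boundary"),
        Element("Ordering Microservice", "process", "Azure Trust Boundary"),
        Element("Basket Microservice", "process", "Azure Trust Boundary"),
        Element("Azure SQL Database", "data_store", "Azure Trust Boundary"),
        Element("Azure Redis Cache", "data_store", "Azure Trust Boundary"),
    ]
    flows = [
        Flow("Browser", "eShop WebApp"),
        Flow("eShop WebApp", "Web API"),
        Flow("Mobile Client", "Web API"),
        Flow("Web API", "Ordering Microservice"),
        Flow("Web API", "Basket Microservice"),
        Flow("Ordering Microservice", "Azure SQL Database"),
        Flow("Basket Microservice", "Azure Redis Cache"),
    ]
    return elements, flows


def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element to every element and every Request/Response flow.
    A flow whose endpoints sit in different trust boundaries is flagged: that is where
    authentication, transport encryption and input validation mitigations matter most."""
    boundary_of = {e.name: e.boundary for e in elements}
    threats = []
    for e in elements:
        for cat in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, cat, crosses_boundary=False))
    for f in flows:
        crosses = boundary_of[f.source] != boundary_of[f.target]
        for cat in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append(Threat(f"{f.source} -> {f.target}", cat, crosses_boundary=crosses))
    return threats


def set_state(threat, state):
    """Mirror the tool's per-threat status field, rejecting values it does not offer."""
    if state not in VALID_STATES:
        raise ValueError(f"unknown threat state: {state}")
    threat.state = state


def summarize(threats):
    """Count threats by STRIDE category and by triage state, plus boundary-crossing ones."""
    return {
        "by_category": dict(Counter(t.category for t in threats)),
        "by_state": dict(Counter(t.state for t in threats)),
        "crossing_boundary": sum(1 for t in threats if t.crosses_boundary),
    }


def export_csv(threats):
    """Serialize the list in a CSV shape comparable to the tool's Export CSV (columns are ours)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Target", "Category", "CrossesTrustBoundary", "State"])
    for t in threats:
        writer.writerow([t.target, t.category, t.crosses_boundary, t.state])
    return buf.getvalue()


if __name__ == "__main__":
    elems, conns = build_eshop_model()
    found = enumerate_threats(elems, conns)
    # Triage as in Task 3: mark one boundary-crossing disclosure threat as mitigated.
    for t in found:
        if t.target == "Browser -> eShop WebApp" and t.category == "Information Disclosure":
            set_state(t, "Mitigated")
    print(summarize(found))
    print(export_csv(found))
```

Running the script lists 57 candidate threats for the eight elements and seven flows, six of which belong to the two flows that cross from the Remote User Zone into the Azure Trust Boundary. That is the same shape of output the tool produces in Analysis View: a per-element STRIDE list that you then walk through and move from Not Started to Needs Investigation, Not Applicable, or Mitigated.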
- Once you’ve gone through the list, create a report by selecting Reports, then click Create Full Report:
Figure 3.28 – Creating a full report
- When prompted about Custom Threat Properties, leave all options selected and click Generate Report:
Figure 3.29 – Generating the full report
- In the Select a file name to save the current threat model full report area, select Desktop and set File name to eShopApp. Click Save:
Figure 3.30 – Saving the report on the desktop
- When you’re prompted to open the file, click OK:
Figure 3.31 – Opening the report
- Review the report:
Figure 3.32 – Reviewing the report that was generated
Congratulations! You’ve successfully used the Microsoft Threat Modeling Tool to analyze threats in an application model. Next, we will explore security training, an important part of the DevOps planning phase.