Threat Modeling and Glog.AI

Glog.AI can give very precise remediation advice for security vulnerabilities in software code based on specific context.

It is not only about code: it also involves analysis and implementation of architectural and Threat Model security controls and policies, and correlation with other application security processes and tools through the entire SDLC (Software Development Lifecycle). Part of the application's context also relates to the environment in which the application is running.

After the scan is performed, security analysts usually have to talk not just with developers, but with software and solution architects as well, to collect all the information needed to properly perform triage and suggest fixes for genuine vulnerabilities. In this process security analysts have to collect different information about specific security requirements, architectural and design decisions, as well as security policies for specific organizations and/or projects. This information is usually written down in an unstructured way in various documents, or is not documented at all. The topic of these discussions is usually to model threats and analyze potential threat actors, which is in fact Threat Modeling, but without any formal Threat Model being produced.

In subsequent scans and analyses this process often has to be repeated with the development and architecture teams. As most of the information is collected in an ad-hoc and unstructured way, some data is lost in the meantime and part of the discussion has to be repeated. Additionally, there is no formal way to communicate this information to most SAST tools so that the collected data can be used to perform a more accurate, context-specific scan and remediation. Even more, it is hard or impossible to scale this process when you have to work with multiple development teams developing a large number of software components.

Glog Solution provides an automated, formalized and structured approach to collect all needed information directly from software architects and developers, even before the first scan is executed. Glog uses information collected in the previous on-boarding steps and provides questionnaires as a part of the Glog web UI. These questionnaires contain a set of context-specific questions about the application that is being scanned. These questions help to discover the part of an application's context related to the environment in which the application is executed. They also help to properly identify threats and threat actors. For example, using this feature architects can communicate their decision to perform input validation on a web application firewall (WAF) instead of in the implementation phase. Another example is information that they are relying on the front-end framework to automatically perform data escaping without implementing it as a part of the back-end server, and so on. This information is invaluable in the triage phase and helps us to automatically filter out a large part of the false positives. Note: these questionnaires are continually updated and improved to better serve the process.

Glog Solution makes it possible to:

  1. Use input from the architecture and design phase to perform in-context triage.
  2. Once all designed security controls are known and understood, let the SAST scan detect whether some of these controls are not implemented.
  3. With all information from the Onboarding phase together with input from the architecture team, have enough information to create a low-level Threat Model for each software component that has been scanned.
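The first two points above, as an added example that is not Glog.AI's code: design-phase questionnaire answers (a constructed sample with assumed keys) drive triage of SAST findings, and controls the design places in application code but the scan did not find are reported as gaps. Findings covered by a control enforced outside the code base (WAF, front-end escaping) are marked mitigated-by-design rather than silently dropped, so the dependency on that control stays visible.

```python
from dataclasses import dataclass

# Constructed design-phase answers an architect might give in a questionnaire.
# The keys and the "where is this control enforced" values are this example's assumptions.
CONTEXT = {
    "input_validation": "waf",       # enforced by the WAF, invisible to a SAST scan of the code
    "output_escaping": "frontend",   # front-end framework auto-escapes, invisible to a back-end scan
    "csrf_tokens": "backend",        # designed into application code, so the scan should see it
}

# Which finding classes each designed control addresses (assumed mapping for the example).
COVERS = {
    "input_validation": {"path_traversal", "command_injection"},
    "output_escaping": {"xss"},
    "csrf_tokens": {"csrf"},
}

# Enforcement points that lie outside the scanned code base.
OUTSIDE_CODE = {"waf", "frontend"}

@dataclass
class Finding:
    rule: str
    file: str
    line: int
    status: str = "open"
    reason: str = ""

def triage(findings, context):
    """In-context triage: a finding whose class is handled by a control enforced outside
    the scanned code is marked mitigated-by-design (kept, with the reason recorded);
    everything else, including classes the design claims to handle in code, stays open."""
    for f in findings:
        for control, classes in COVERS.items():
            if f.rule in classes and context.get(control) in OUTSIDE_CODE:
                f.status = "mitigated_by_design"
                f.reason = f"{control} enforced at {context[control]}"
                break
    return findings

def missing_controls(context, detected_in_code):
    """Controls the design places in application code that the scan did not detect."""
    designed = {c for c, where in context.items() if where == "backend"}
    return sorted(designed - set(detected_in_code))

if __name__ == "__main__":
    sample = [Finding("xss", "views.py", 42), Finding("csrf", "forms.py", 7), Finding("sqli", "db.py", 19)]
    for f in triage(sample, CONTEXT):
        print(f.rule, f.status, f.reason)
    print("designed but not found in code:", missing_controls(CONTEXT, {"output_escaping"}))
```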
