For adversaries, dissecting enterprise Web applications has become second nature. They often know the weaknesses of various types of Web applications better than the enterprises attempting to secure them do.
According to Tony UcedaVelez, founder and managing partner with application security consultancy VerSprite, the best way to turn the tables is with a process called Web application threat modeling: a structured method that gives enterprises a way to analyze the weaknesses in the components and processes that make up a Web application.
"It's a more scientific method to applying security by understanding functionally what your Web application is doing in the first place," UcedaVelez said, "and how it can be mistreated or misused by an attacker."
In this video, UcedaVelez explains the basics of what Web application security threat modeling is, how it differs from Web application penetration testing, what it reveals about the most viable Web application attack patterns, and how to get started with Web app threat modeling.
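To make the process described above concrete, here is an added example (not code from the article, from UcedaVelez or from VerSprite) of how a small Web application threat model can be captured and enumerated in code. It represents the application's components and data flows, marks which flows cross a trust boundary, and enumerates candidate threats per element using the STRIDE categories. The STRIDE mapping, the element kinds, and the sample application are all assumptions introduced here for illustration.

```python
"""Minimal Web application threat model: elements, data flows, trust
boundaries, and STRIDE enumeration.

Added example; none of the names, zones or mappings below come from the
article. The per-element-type STRIDE mapping follows the common convention
used in data-flow-diagram based threat modeling.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# STRIDE threat categories (assumed framework; the article does not name one).
STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which categories are usually considered for each element kind:
# external entities can be spoofed and repudiate; processes get all six;
# data stores get tampering/repudiation/disclosure/DoS; flows get T/I/D.
APPLICABLE: Dict[str, str] = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                 # external | process | store | flow
    trust_zone: str           # e.g. internet, dmz, internal
    src: Optional[str] = None  # only for flows
    dst: Optional[str] = None  # only for flows


@dataclass
class Threat:
    element: str
    category: str
    crosses_boundary: bool


# Constructed sample model of a login feature (not a real deployment).
SAMPLE_MODEL: List[Element] = [
    Element("Browser", "external", "internet"),
    Element("WebApp", "process", "dmz"),
    Element("SessionCache", "store", "dmz"),
    Element("UserDB", "store", "internal"),
    Element("LoginRequest", "flow", "dmz", src="Browser", dst="WebApp"),
    Element("SessionWrite", "flow", "dmz", src="WebApp", dst="SessionCache"),
    Element("CredentialLookup", "flow", "internal", src="WebApp", dst="UserDB"),
]


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Produce one candidate threat per (element, applicable STRIDE category).

    A flow crosses a trust boundary when its endpoints sit in different zones;
    such flows deserve the closest review, so they are flagged.
    """
    by_name = {e.name: e for e in elements}
    threats: List[Threat] = []
    for e in elements:
        crosses = False
        if e.kind == "flow":
            if e.src not in by_name or e.dst not in by_name:
                raise ValueError(f"flow {e.name} references an unknown element")
            crosses = by_name[e.src].trust_zone != by_name[e.dst].trust_zone
        for letter in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[letter], crosses))
    return threats


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Order boundary-crossing threats first, then by element and category."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.element, t.category))


def summarize(elements: List[Element]) -> Dict[str, int]:
    """Counts a reviewer would look at before deciding where to spend effort."""
    threats = enumerate_threats(elements)
    return {
        "total": len(threats),
        "boundary_crossing": sum(1 for t in threats if t.crosses_boundary),
    }


if __name__ == "__main__":
    for t in prioritize(enumerate_threats(SAMPLE_MODEL)):
        flag = "*" if t.crosses_boundary else " "
        print(f"{flag} {t.element:<18} {t.category}")
    print(summarize(SAMPLE_MODEL))
```

The point of a model like this is not the list itself but the questions it forces: every flagged flow (`LoginRequest` from the internet, `CredentialLookup` into the internal zone) needs an explicit answer for each category it carries, which is exactly the functional understanding of "what your Web application is doing" that a penetration test alone does not produce.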