Affiliation:
1. University of Cape Town, South Africa
Abstract
Supported by the Web 3.0 platform that enables dynamic content sharing, social networking applications are a ubiquitous information exchange platform. Content sharing raises the question of privacy, with concerns typically centered on vulnerabilities resulting in identity theft. Identifying privacy vulnerabilities is a challenging problem because mitigations are implemented at the end of the software development life cycle, sometimes resulting in severe vulnerabilities. The authors present a prototype experimental social networking platform (HACKMI2) as a case study for a comparative analysis of three popular industry threat-modeling approaches. They focus on identified vulnerabilities, risk impact, and mitigation strategies. The results indicate that software and/or asset-centric approaches provide only a high-level analysis of a system's architecture and are not as effective as attacker-centric models in identifying high-risk security vulnerabilities in a system. Furthermore, attacker-centric models are effective in providing security administrators with useful suggestions for addressing security vulnerabilities.
Cited by
1 article.
1. Attacker-centric thinking in security;Proceedings of the 15th International Conference on Availability, Reliability and Security;2020-08-25