
You're reading from  ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition
Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

Threat, Vulnerability, and Risk

Threat, vulnerability, and risk are three important concepts that are required to understand the risk management life cycle concretely. Risk practitioners must know these concepts off the top of their heads as they come in extremely handy at the time of risk assessment and threat modeling, both of which we’ll learn about later in this book.

This chapter aims to introduce the concepts of threat, vulnerability, and risk, understand the relationship between each, and learn about threat modeling and the threat landscape. We will also learn about vulnerability and control analysis and vulnerability sources, and briefly touch on building a vulnerability management program.

In this chapter, we will cover the following topics:

  • Threat, vulnerability, and risk
  • The relationship between threat, vulnerability, and risk
  • Understanding threat modeling
  • Vulnerability analysis
  • Tools for identifying vulnerabilities
  • Vulnerability...

Threat, vulnerability, and risk

Like all the previous chapters, we will start this chapter by learning about the definitions of threat, vulnerability, and risk.

A threat could be anything (a human, malicious code, a bot, a natural disaster, and so on) that could impact an asset and adversely affect it in a manner that results in harm. A threat is realized by a threat actor who exploits a vulnerability, and a threat vector is the path or route the adversary uses to gain access to the target.

A vulnerability is a weakness in the design, implementation, operation, or internal control of a process, which could expose the system or an asset to adverse threats from threat events.

When a threat exploits a vulnerability and adversely affects the system, it is considered a risk.

It is important to note that threats will always exist and there is little that an organization can do to limit the number of threats. However, organizations can always choose to apply sufficient...

The relationship between threats, vulnerabilities, and risk

A risk manager needs to understand the relationship between threat, vulnerability, and risk. In addition, a risk manager should also understand the impact of threat actors and threat vectors and how they result in risk to assets.

A threat by itself cannot result in risk. It needs a vulnerability that it can exploit to cause risk to the system. A threat also needs a threat actor, who materializes the threat by using a threat vector. The threat vector is then used to exploit the vulnerability and cause risk, which harms the asset.

The following figure shows the relationship between the key concepts of threats, vulnerabilities, risks, and assets:

Figure 7.1 – Relationship between threat, vulnerability, and risk

Let’s detail this with the help of an example. The scenario in our example is of malicious software being installed and propagated on all the machines on a...

Understanding threat modeling

Threat modeling is a structured approach to identifying threats, potential vulnerabilities, and corresponding security requirements, quantifying threat and vulnerability criticality, and prioritizing remediation per severity. It is performed as a proactive measure during product design and development to ensure that adequate controls are in place before the deployment.

There are four generic steps in threat modeling:

  1. Model: What are we building?
  2. Identify Threats: What could go wrong?
  3. Mitigate: What countermeasures do we have to defend against the threats?
  4. Validate: Have we performed all the previous steps?

These steps can be visualized as follows:

Figure 7.2 – The threat modeling cycle

The purpose of threat modeling is to provide defenders with a systematic analysis of the most likely attack vectors. Threat modeling helps in identifying high-value assets, assets that are vulnerable to attack...

Vulnerability analysis

A risk manager must dedicate sufficient time and resources to ensure the vulnerabilities identified using threat modeling are actioned. The first step that must be performed after identifying these vulnerabilities is to ensure that vulnerabilities are categorized per their severity. Analysis must also be performed on the implemented controls.

Organizations may choose to adopt a nomenclature to define the severity of a vulnerability. As an industry practice, vulnerabilities are rated as Critical, High, Medium, Low, and Informational. Organizations and vulnerability assessment tools use the Common Vulnerability Scoring System (CVSS) to quantify vulnerabilities. A risk manager must prioritize the Critical and High vulnerabilities to be remediated as soon as practical and analyze the implemented controls periodically.

Tools for identifying vulnerabilities

Many vulnerability assessment tools on the market focus specifically on finding vulnerabilities; however, a risk manager must be aware of all the tools and resources that could be leveraged as a source for vulnerabilities. The following are some resources that could be used by a risk manager to surface vulnerabilities:

  • Vulnerability assessment scans: Vulnerability assessment tools such as Nessus and Qualys could be a good source of information for open vulnerabilities.
  • Penetration tests: It is standard for organizations to perform a penetration test at least annually or after a major change in the underlying infrastructure and systems. The findings from the penetration test are a good source for identifying vulnerabilities.
  • Static analysis: Issues flagged by the static analysis tools in a code pipeline are a good source for finding vulnerabilities. The majority of the issues that are flagged by these tools are related to logical...

Vulnerability management program

Identifying vulnerabilities in itself will not make the organization secure but prioritizing and remediating those vulnerabilities per their severity will. A risk manager’s primary job related to vulnerabilities is to ensure that the vulnerabilities are prioritized, tracked, and fixed as a part of the vulnerability management program (VMP).

Organizations may choose to implement a tool to input all the vulnerabilities from the sources mentioned in this chapter or manage them manually in a project management tool. An important aspect to note for a VMP is coordinating with other teams. Remediating a vulnerability may come across as additional work on top of an engineer’s day-to-day; however, it is important to carve out some time and ensure that these vulnerabilities are remediated in an agreed-upon timeline.

Summary

At the beginning of this chapter, we learned about threat, vulnerability, and risk and their relationship with each other. We then learned about threat modeling, the importance of threat modeling in the software development life cycle, and the important threat modeling practices used in the industry. After, we switched gears to learn more about vulnerabilities, vulnerability and control analysis, sources of vulnerabilities, and how to start a vulnerability management program from scratch.

In the next chapter, we will learn about risk assessment concepts, standards, and frameworks.

Review questions

  1. Which of the following is considered a weakness that could be exploited by a malicious actor?
    1. Threat
    2. Threat actor
    3. Vulnerability
    4. Risk
  2. Which of the following is the best phase to perform threat modeling?
    1. Requirements
    2. Design
    3. Development
    4. Testing
  3. “What could go wrong?” corresponds to which phase of threat modeling?
    1. Model
    2. Identify
    3. Mitigate
    4. Validate
  4. Which of the following vulnerabilities should be prioritized for remediation?
    1. Low
    2. Medium
    3. High
    4. Critical
  5. Which scoring technique is used to quantify a vulnerability?
    1. CSS
    2. CSV
    3. CVSS
    4. CVVS

Answers

  1. C. Vulnerabilities are considered weaknesses that can be exploited by malicious actors.
  2. B. It is important to perform threat modeling in the earlier stages of SDLC to ensure that threats are mitigated promptly. Threat modeling cannot be performed in the requirements phase as the team is still gathering the requirements and is not sure what the end product will look like.
  3. B. The identify phase of threat modeling requires us to ask “What could go wrong?” and identify the corresponding threats.
  4. D. Critical vulnerabilities pose extreme risks to the organization and should be prioritized for remediation.
  5. C. The Common Vulnerability Scoring System (CVSS) is used to quantify vulnerabilities.