Deploying enterprise solutions to the cloud - issues and vulnerabilities

Abstract

Legacy enterprise applications provide unique challenges for software security personnel. The size and historical nature of these systems can result in vulnerabilities that do not have the appropriate countermeasures in place. Development teams that support these systems can be unaware of such security weaknesses until they have been exploited by an adversary. By successfully identifying threats, development teams can put in place the appropriate mitigations. This research discusses the practice of Threat Modelling as a systematic approach to identifying security vulnerabilities in software systems. Although numerous works have been presented on the subject of Threat Modelling, very little has been published on the unique challenges faced with Threat Modelling legacy systems. This research presents different Threat Model methodologies and provides a comparison of leading practices suitable for the Threat Modelling of large scale systems. The comparison is based on both theoretical research and the practical application of two of the most popular Threat Models. This research then offers a Threat Model case study of a major component of a live commercial legacy enterprise application. An Irish based software company has provided access to an existing legacy system for the purpose of this project, the practical development of a Threat Model and a detailed analysis of the system.