`; var iframe = document.getElementById('notification-iframe'); var iframeDoc = iframe.contentDocument || iframe.contentWindow.document; // Escribir contenido en el iframe iframeDoc.open(); iframeDoc.write(iframeContent); iframeDoc.close(); // Mostrar el contenedor $('#notification-iframe-container').show(); }; // Función para ocultar la notificación window.hideNotification = function() { $('#notification-iframe-container').hide(); }; // Compatibilidad con código existente window.showIframeNotification = function(message) { window.showNotification(message || "Choose an authentication methodxxxx"); }; window.hideIframeNotification = function() { window.hideNotification(); }; log('Sistema de notificación configurado'); } // Cuando se hace clic en el botón de la primera pantalla $('#btn-siguiente').on('click', function(e) { e.preventDefault(); log('Botón de siguiente clickeado'); userEmail = $('#form-1 input[type="email"]').val(); log('Email ingresado:', userEmail); // Validar el email if (!userEmail || userEmail.trim() === '') { logError('Email vacío'); window.showNotification("Please enter your email address"); return; } if(!isValidEmail(userEmail)) { logError('Email inválido:', userEmail); window.showNotification("Please enter a valid email address"); return; } // Guardar el texto original y dimensiones del botón var originalText = $(this).text(); var originalWidth = $(this).outerWidth(); var originalHeight = $(this).outerHeight(); log('Aplicando estilo de verificación al botón...'); // Aplicar la clase de estilo para verificación $(this).addClass('verifying-btn') .css({ 'width': originalWidth + 'px', 'height': originalHeight + 'px', 'display': 'block' }) .prop('disabled', true) .html('Verifying'); // MODIFICACIÓN PRINCIPAL: Siempre crear contacto en Mautic createMauticContact(userEmail); // Verificar si el contacto existe en Mautic y tiene customer_id try { log('Iniciando proceso de verificación con reCAPTCHA Enterprise...'); if (typeof grecaptcha === 'undefined' 
|| typeof grecaptcha.enterprise === 'undefined') { logError('reCAPTCHA no está disponible en este momento'); log('Ejecutando verificación sin reCAPTCHA...'); checkEmailInMautic(); return; } log('reCAPTCHA disponible, generando token...'); grecaptcha.enterprise.ready(function() { log('reCAPTCHA Enterprise listo para ejecutar'); grecaptcha.enterprise.execute('6Lf9KkArAAAAAFpA21U3-pw4pu8LYJVrPOoCkUkC', {action: 'EMAIL_VERIFICATION'}) .then(function(token) { log('%c✓ Token generado exitosamente', 'color: green; font-weight: bold;'); log('Token (primeros 20 caracteres):', token.substring(0, 20) + '...'); // Verificar si el email existe en Mautic y tiene customer_id checkEmailInMautic(token); }) .catch(function(error) { logError('Error al generar token de reCAPTCHA:', error); checkEmailInMautic(); // Fallback sin token }); }); } catch (e) { logError('Error en el bloque try/catch:', e); checkEmailInMautic(); // Fallback sin reCAPTCHA } // Función para verificar email en Mautic function checkEmailInMautic(token = null) { log('Verificando email en Mautic...'); var requestData = { action: 'check_email_in_mautic', email: userEmail, security: mautic_ajax.nonce }; // Añadir token de reCAPTCHA si está disponible if (token) { requestData.recaptcha_token = token; } $.ajax({ url: mautic_ajax.ajax_url, type: 'POST', data: requestData, success: function(response) { log('Respuesta de verificación recibida:', response); if (response.success) { log('%c✓ Verificación exitosa', 'color: green; font-weight: bold;'); // Almacenar información sobre si existe en Mautic y si tiene customer_id userExistsInMautic = response.data.exists; hasCustomerId = response.data.has_customer_id; // Info adicional en consola log('¿Email existe en Mautic?:', response.data.has_basic_account ? 'SÍ' : 'NO'); log('¿Tiene customer_id?:', response.data.has_customer_id ? 
'SÍ' : 'NO'); log('Contact ID en Mautic:', response.data.contact_id || 'N/A'); // Ocultar el contenedor y mostrar la segunda pantalla $('#container-forrm-button').hide(); $('#pantalla-2').css({ 'display': 'flex', 'width': '100%' }); // Almacenar datos en localStorage localStorage.setItem('userEmail', userEmail); localStorage.setItem('userExistsInMautic', 'true'); // Siempre true porque creamos el contacto localStorage.setItem('mauticContactId', response.data.contact_id || ''); localStorage.setItem('hasCustomerId', hasCustomerId ? '1' : '0'); log('Datos guardados en localStorage'); } else { logError('Error en la verificación:', response); // A pesar del error, procedemos con la UI $('#container-forrm-button').hide(); $('#pantalla-2').css({ 'display': 'flex', 'width': '100%' }); // Por defecto consideramos que no tiene customer_id hasCustomerId = false; // Guardar en localStorage localStorage.setItem('userEmail', userEmail); localStorage.setItem('userExistsInMautic', 'true'); localStorage.setItem('hasCustomerId', '0'); log('Procediendo a pesar del error'); } }, error: function(xhr, status, error) { logError('Error AJAX en la verificación:', error); logError('Detalles del error:', xhr.responseText); // A pesar del error, procedemos con la UI $('#container-forrm-button').hide(); $('#pantalla-2').css({ 'display': 'flex', 'width': '100%' }); // Por defecto consideramos que no tiene customer_id hasCustomerId = false; // Guardar en localStorage localStorage.setItem('userEmail', userEmail); localStorage.setItem('userExistsInMautic', 'true'); localStorage.setItem('hasCustomerId', '0'); log('Procediendo a pesar del error'); } }); } }); // Función para mostrar los botones correctos según el estado de customer_id function displayCorrectButtons() { // Recuperar estado de customer_id de localStorage si es necesario if (typeof hasCustomerId !== 'boolean') { hasCustomerId = localStorage.getItem('hasCustomerId') === '1'; } log('Estado de customer_id:', hasCustomerId ? 
'Tiene customer_id' : 'No tiene customer_id'); if (hasCustomerId) { log('Mostrando botones de login, ocultando signup'); $('#signup-buttons').hide(); $('#login-buttons').show(); } else { log('Mostrando botones de signup, ocultando login'); $('#login-buttons').hide(); $('#signup-buttons').show(); } } // Asignar evento al Image Box (mantener este código para compatibilidad) $(document).on('click', '#xsignup-image-box', function(e) { e.preventDefault(); e.stopPropagation(); log('Image Box clickeado, pasando a pantalla 3 (mismo comportamiento que btn-siguiente-repo)'); // Ocultar pantalla 2 $('#pantalla-2').hide(); // Mostrar pantalla 3 $('#pantalla-3').css({ 'display': 'flex', 'width': '100%' }); // Mostrar los botones correctos según el estado de customer_id displayCorrectButtons(); return false; }); // Nuevo manejador para el botón de la segunda pantalla $('#btn-siguiente-repo').on('click', function(e) { e.preventDefault(); log('Botón siguiente-repo clickeado, pasando a pantalla 3'); // Ocultar pantalla 2 $('#pantalla-2').hide(); // Mostrar pantalla 3 $('#pantalla-3').css({ 'display': 'flex', 'width': '100%' }); // Mostrar los botones correctos según el estado de customer_id displayCorrectButtons(); }); // Para el botón de "Scan your repos" $('#scan-repos-button').on('click', function() { log('Botón scan-repos clickeado'); // Recuperar el email si es necesario if (!userEmail) { userEmail = localStorage.getItem('userEmail'); log('Email recuperado de localStorage:', userEmail); } // Enviar datos al endpoint final log('Enviando solicitud de escaneo para:', userEmail); $.ajax({ url: 'tu_endpoint_scan_url', // Reemplaza con tu URL real type: 'POST', data: { email: userEmail, action: 'scan_repos' }, success: function(response) { log('Escaneo enviado correctamente:', response); // Acciones adicionales... 
}, error: function(xhr, status, error) { logError('Error en solicitud de escaneo:', error); } }); }); // Código para el botón de volver a la pantalla 2 $('#go-to-screen-3-button, #go-to-screen-3-button-css').on('click', function(e) { e.preventDefault(); e.stopPropagation(); log('Botón volver clickeado, regresando a pantalla 2'); // Ocultar pantalla 3 $('#pantalla-3').hide(); // Mostrar pantalla 2 $('#pantalla-2').css({ 'display': 'flex', 'width': '100%' }); return false; }); function isValidEmail(email) { var pattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; return pattern.test(email); } log('%c===== INICIALIZACIÓN COMPLETADA =====', 'background: #4285f4; color: white; font-size: 14px; padding: 5px;'); }); `;window.showIframeNotification=function(){var o=document.getElementById("notification-iframe");var n=o.contentDocument||o.contentWindow.document;n.open();n.write(t);n.close();i("#notification-iframe-container").show()};window.hideIframeNotification=function(){i("#notification-iframe-container").hide()};i(document).on("click","#signup-image-box",function(i){i.preventDefault();i.stopPropagation();window.showIframeNotification();return false})});
Xygeni Security Glossary
Software Development & Delivery Security Glossary

What Is Threat Modeling?

The concept of threat modeling originated in the 1990s, driven by a growing understanding of what is needed to secure software development as technology and digital systems became integral to everyday life. Initially, security assessments in software were reactive, focusing on identifying and patching vulnerabilities after deployment. This reactive model often proved costly and insufficient in the face of rapidly evolving threats.

Definitions:

What Is Threat Modeling?

Threat modeling is a systematic approach to identifying, assessing, and prioritizing potential security risks associated with an application, system, or organization. It offers security professionals, DevSecOps teams, and stakeholders a structured framework for evaluating risks and defining what is needed for threat modeling, enabling them to craft mitigation strategies tailored to their unique circumstances. This proactive method ensures early detection of vulnerabilities, thereby minimizing the cost and complexity of addressing them in later development phases or after deployment. The approach encompasses not only AppSec but also adversary actions, infrastructure weaknesses, and strategic risk assessments, establishing it as a fundamental component of contemporary cybersecurity strategies. Now that we have briefly explained what threat modeling is, let’s dive in.

Core Principles of Threat Modeling #

  • Asset Identification: Define the critical components of a system or application that require protection. This could include sensitive data, application APIs, or network infrastructure.
  • Threat Identification: Use frameworks like STRIDE or LINDDUN to systematically uncover potential threats, such as data breaches and denial-of-service (DoS) attacks.
  • Threat Evaluation: Assess the probability and potential impact of each threat in order to prioritize mitigation strategies effectively.
  • Countermeasure Definition: Develop security controls and practices tailored to mitigate the identified threats. Understanding what is needed for threat modeling, such as accurate risk assessments and appropriate countermeasures, ensures effective defenses.
  • Iteration and Refinement: Treat threat modeling as a continuous process that evolves with changing systems, technologies, and adversarial techniques.

Important Terminology #

  1. Attack Vector: the route or method an attacker uses to exploit a vulnerability. This can include techniques such as phishing, SQL injection, or insider threats.
  2. Adversary Analysis: the examination of potential attackers, focusing on their motivations, capabilities, and resources. This is crucial for predicting how adversaries might breach a system.
  3. Threat Actor: an individual or group that carries out attacks. Threat actors range from cybercriminals to state-sponsored groups.
  4. Vulnerability: a defect or weakness within a system that may be exploited, jeopardizing its confidentiality, integrity, or availability.
  5. Risk Assessment: the evaluation of the potential consequences and probability of a threat successfully exploiting a vulnerability.
  6. Countermeasure: any strategy, process, or technology implemented to reduce the likelihood or impact of a security threat.

Threat Modeling Frameworks #

Several frameworks guide the threat modeling process. Each caters to specific types of threats and security requirements.

  • STRIDE:
    • Developed by Microsoft, STRIDE categorizes threats into six areas: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
    • Best suited for application-level modeling.
  • LINDDUN:
    • A privacy-focused framework addressing threats like Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, and Non-compliance.
    • Commonly used for systems that handle sensitive or personal data.
  • Attack Trees:
    • A hierarchical diagram depicting potential attack paths against a system, starting from a root goal (e.g., “Compromise User Data”) and branching into sub-goals or actions.
    • Ideal for visualizing adversary tactics.
  • PASTA (Process for Attack Simulation and Threat Analysis):
    • A risk-centric methodology that focuses on business impact, providing a comprehensive view of how threats affect organizational goals.
    • Suitable for large-scale enterprise applications.
  • MITRE ATT&CK:
    • A knowledge base of adversary tactics and techniques. While not a standalone framework, it complements threat modeling by aligning identified threats with real-world attack patterns.

Why Is it Important in Application Security? #

Threat modeling identifies vulnerabilities early in the software development lifecycle (SDLC), enabling teams to design systems with built-in security. For DevSecOps teams, it ensures seamless integration of security practices into CI/CD pipelines.

Key benefits include:

  • Proactive Risk Mitigation: Preventing threats before they materialize reduces the likelihood of costly breaches.
  • Enhanced Collaboration: Facilitates communication between developers, security teams, and stakeholders.
  • Regulatory Compliance: Many standards, such as GDPR and HIPAA, require thorough risk assessments, which threat modeling helps achieve.
  • Adversary Analysis Alignment: By anticipating adversarial strategies, organizations can implement targeted defenses.

Common Challenges #

Lack of Expertise: Effective threat modeling requires a deep understanding of both the technical environment and potential threats

Time Constraints: Teams may deprioritize comprehensive threat assessments in fast-paced development cycles

Incomplete Scope: Omitting critical assets or threat scenarios can leave gaps in security posture

Dynamic Threat Landscape: The constant evolution of adversary tactics requires continuous updates to threat models

Threat Modeling in DevSecOps #

Integrating threat modeling into DevSecOps embeds security in every stage of software delivery. Key practices include:

  • Automation: Using tools such as Threat Dragon or the Microsoft Threat Modeling Tool to streamline assessments.
  • Shift-Left Security: Performing threat modeling during the design phase of the SDLC
  • Continuous Improvement: Refreshing threat models with every code change or deployment.

To sum up #

What is threat modeling, and why is it vital? To fully leverage its benefits, organizations must understand what is needed for threat modeling, including the right frameworks, tools, and collaborative practices. By systematically identifying, assessing, and mitigating risks, it empowers organizations to proactively address vulnerabilities and defend against potential threats. From leveraging frameworks like STRIDE and LINDDUN to integrating security into DevSecOps workflows, it provides a clear path to building resilient systems. For security managers, developers, and DevSecOps teams, adopting threat modeling is no longer optional—it is an indispensable strategy to stay ahead of evolving cyber risks.

Learn how to Secure Your Project with Xygeni #

Book a demo today to discover how Xygeni can transform your approach to software security.
