You start by creating a diagram of your system and its data flows, then imagine how an attacker might approach your system and think about how to make those attacks more difficult.
A variety of threat modeling approaches are available, with funny names like LINDDUN and PASTA, but the grandpappy of them all is STRIDE, which was brought to prominence by Adam Shostack when he was working at Microsoft.
Working through this design-time exercise will give you a list of security features that you would like to have in your application. Here are a few simplified examples:
- Because an attacker might eavesdrop on the network traffic between the mobile client and the server, we’ll encrypt the traffic using TLS.
- Because we don’t want an unauthorized attacker accessing our service, we’ll require authentication.
- Because an attacker might brute-force passwords, we’ll implement an account lockout feature and throttle log-in request speed.
- Because an attacker might gain access to our database, we’ll encrypt the contents of the database.
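
The exercise above can be sketched as a STRIDE-per-element pass over a small data flow diagram. This is an added example, not code from the article or from any threat modeling tool. The element names, the per-element category chart and the mapping of the four listed mitigations to STRIDE categories are assumptions made for illustration.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element: categories usually considered for each diagram element
# type (a data store that holds logs would also get "R").
APPLIES = {"external_entity": "SR", "process": "STRIDE",
           "data_flow": "TID", "data_store": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str

# Constructed diagram for the mobile client / server / database system.
DIAGRAM = [
    Element("mobile client", "external_entity"),
    Element("client-to-server traffic", "data_flow"),
    Element("server", "process"),
    Element("database", "data_store"),
]

# The four mitigations from the list above. The (element, category) keys
# they are filed under are this example's assumption.
MITIGATIONS = {
    ("client-to-server traffic", "I"): ["encrypt the traffic using TLS"],
    ("mobile client", "S"): ["require authentication",
                             "account lockout and log-in throttling"],
    ("database", "I"): ["encrypt the contents of the database"],
}

def enumerate_threats(diagram):
    """Return (element, category, mitigations) for every applicable pair."""
    return [(el.name, cat, MITIGATIONS.get((el.name, cat), []))
            for el in diagram for cat in APPLIES[el.kind]]

def open_threats(diagram):
    """Pairs that still have no recorded mitigation: the review backlog."""
    return [(name, cat) for name, cat, mits in enumerate_threats(diagram)
            if not mits]

if __name__ == "__main__":
    for name, cat, mits in enumerate_threats(DIAGRAM):
        status = "; ".join(mits) if mits else "OPEN: no mitigation recorded"
        print(f"{name:26} {STRIDE[cat]:24} {status}")
```

Running it shows that the four listed features cover only three of the fourteen element and category pairs, which is the kind of gap list the exercise is meant to produce.
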
If you don’t have the expertise or the time for threat modeling, Synopsys has experts that can help.