Threat Modeling
A structured process for identifying, quantifying, and addressing security threats to a system during the design phase.
Description
Threat modeling is a proactive security practice that identifies potential threats, vulnerabilities, and attack vectors during the design and development phases, before they become exploitable in production. By systematically analyzing a system's architecture, data flows, trust boundaries, and entry points, teams can identify where security controls are needed and prioritize their implementation based on risk. Threat modeling is significantly more cost-effective than finding and fixing vulnerabilities in production.
Several frameworks guide the threat modeling process. STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) categorizes threats by type. DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) helps prioritize threats by severity. Attack trees and MITRE ATT&CK provide structured ways to enumerate attack paths. The basic process involves: defining the system scope, creating data flow diagrams identifying trust boundaries, systematically identifying threats at each boundary crossing, rating and prioritizing threats, and defining mitigations.
Threat modeling should be integrated into the software development lifecycle, not treated as a one-time exercise. Every significant architectural change, new feature, or new integration point should trigger a threat model update. Modern approaches like developer-centric threat modeling aim to make the practice lightweight and accessible: using whiteboard sessions, incorporating threat modeling into design documents, and maintaining a living threat model that evolves with the system. Tools like OWASP Threat Dragon, Microsoft Threat Modeling Tool, and IriusRisk can formalize and track the process.
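The process described above (data flow model, trust boundaries, STRIDE at each boundary crossing, tracking what is still unmitigated), as an added Python example that is not part of the original page or of any tool it names. The per-element mapping in APPLIES follows the commonly used STRIDE-per-element chart and is an assumption here, as are the element names, trust zones and mitigations in the constructed sample model.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
# Assumption: the widely used STRIDE-per-element chart (not stated on the page).
APPLIES = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external", "process" or "store"
    zone: str  # trust zone the element lives in

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str

def boundary_crossings(elements, flows):
    """Flows whose endpoints sit in different trust zones."""
    zone = {e.name: e.zone for e in elements}
    return [f for f in flows if zone[f.src] != zone[f.dst]]

def enumerate_threats(elements, flows):
    """Candidate (subject, category) pairs for each crossing and both its endpoints."""
    kind = {e.name: e.kind for e in elements}
    found = set()
    for f in boundary_crossings(elements, flows):
        found.update((f"{f.src}->{f.dst}", c) for c in APPLIES["flow"])
        for end in (f.src, f.dst):
            found.update((end, c) for c in APPLIES[kind[end]])
    return sorted(found)

def unmitigated(threats, mitigations):
    """Threats with no documented mitigation: candidates for security-labeled issues."""
    return [t for t in threats if t not in mitigations]

# Constructed sample model: a login feature with three trust zones.
ELEMENTS = [Element("browser", "external", "internet"), Element("api", "process", "app"),
            Element("worker", "process", "app"), Element("db", "store", "data")]
FLOWS = [Flow("browser", "api"), Flow("api", "worker"), Flow("api", "db")]
MITIGATIONS = {("browser->api", "T"): "TLS on the public listener",
               ("browser->api", "I"): "TLS on the public listener",
               ("browser", "S"): "session token validated on every request"}

if __name__ == "__main__":
    for subject, cat in unmitigated(enumerate_threats(ELEMENTS, FLOWS), MITIGATIONS):
        print(f"OPEN  {subject:<14} {STRIDE[cat]}")
```

The api-to-worker flow stays inside one trust zone, so the worker gets no entries from this pass; it would only be analysed if a later design change moved it across a boundary.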
Prompt Snippet
Apply STRIDE threat modeling to every new feature during design review: create data flow diagrams showing trust boundaries (client/server, service/database, internal/external), identify threats at each boundary crossing, and document mitigations. For each API endpoint, enumerate: who can call it (Spoofing), can input be manipulated (Tampering), is the action auditable (Repudiation), what data could leak (Information Disclosure), can it be abused for DoS (Denial of Service), and can authorization be bypassed (Elevation of Privilege). Maintain threat models as living documents in your architecture decision records (ADRs). Use OWASP Threat Dragon for diagram formalization and track unmitigated threats as security-labeled issues in your backlog.
Related Terms
OWASP Top 10
A standard awareness document listing the ten most critical web application security risks, maintained by the Open Web Application Security Project.
Defense in Depth
A security strategy employing multiple layers of protection so that if one defense fails, others remain to prevent or detect the attack.
Security Penetration Testing
Authorized simulated attacks against a system to evaluate its security posture and identify exploitable vulnerabilities.