Threat Modeling
Systematic approach to identifying and mitigating security threats in software systems
Threat modeling is a structured approach to identifying, quantifying, and addressing security threats to a system. It should be performed during the design phase and updated throughout the development lifecycle.
What is Threat Modeling?
Threat modeling answers four key questions:
| Question | Focus |
|---|---|
| What are we building? | System architecture, data flows, trust boundaries |
| What can go wrong? | Potential threats and attack vectors |
| What are we doing about it? | Mitigations and security controls |
| Did we do a good job? | Validation and review |
When to Perform Threat Modeling
| Timing | Trigger | Scope |
|---|---|---|
| Initial Design | New system or feature | Full system |
| Major Changes | Architecture modifications | Changed components |
| New Integrations | Third-party services, APIs | Integration points |
| Security Incidents | After breach or near-miss | Affected areas |
| Regular Reviews | Quarterly/annually | Full system refresh |
STRIDE Threat Model
Microsoft's STRIDE framework categorizes threats by type:
STRIDE per Element
Apply STRIDE based on system element type:
| Element Type | Relevant STRIDE Threats |
|---|---|
| External Entity | Spoofing, Repudiation |
| Process | All STRIDE categories |
| Data Store | Tampering, Information Disclosure, Denial of Service |
| Data Flow | Tampering, Information Disclosure, Denial of Service |
DREAD Risk Rating
Quantify threat severity using DREAD scoring:
| Factor | Question | Scale |
|---|---|---|
| Damage | How bad would an attack be? | 1-10 |
| Reproducibility | How easy to reproduce the attack? | 1-10 |
| Exploitability | How much skill needed to exploit? | 1-10 |
| Affected Users | How many users are impacted? | 1-10 |
| Discoverability | How easy to find the vulnerability? | 1-10 |
Risk Score = (D + R + E + A + D) / 5
| Score | Risk Level | Action |
|---|---|---|
| 1-3 | Low | Document, address in future release |
| 4-6 | Medium | Address in current release cycle |
| 7-10 | High/Critical | Address immediately before release |
Threat Modeling Process
Step 1: Define Scope
Document the system boundaries:
Step 2: Create Data Flow Diagram
Document how data moves through the system:
Step 3: Identify Threats
For each data flow and component, apply STRIDE:
| Component | Data Flow | Threat | Category |
|---|---|---|---|
| Web Server | User → Web | Credential theft | Spoofing |
| Web Server | User → Web | Session hijacking | Spoofing |
| API Server | Web → API | Parameter tampering | Tampering |
| Database | API → DB | SQL injection | Tampering |
| API Server | All | No audit logs | Repudiation |
| Database | API → DB | Data exposure in errors | Info Disclosure |
| Web Server | User → Web | DDoS attack | Denial of Service |
| API Server | Web → API | Broken access control | Elevation of Privilege |
Step 4: Document Mitigations
For each identified threat, define controls:
| Threat | Risk (DREAD) | Mitigation | Status |
|---|---|---|---|
| Credential theft | 8.0 | MFA, secure password storage | Implemented |
| Session hijacking | 7.2 | Secure cookies, short expiry | Implemented |
| Parameter tampering | 6.4 | Input validation, parameterized queries | Implemented |
| SQL injection | 9.0 | Parameterized queries, ORM | Implemented |
| Missing audit logs | 5.0 | Comprehensive audit logging | In Progress |
| Data exposure | 6.8 | Custom error pages, sanitized responses | Implemented |
| DDoS attack | 5.4 | Rate limiting, CDN, WAF | Partial |
| Broken access control | 8.4 | RBAC, authorization checks | Implemented |
Step 5: Validate and Review
- Review threat model with security team
- Verify mitigations are implemented
- Update model when system changes
- Track remediation of open items
Threat Modeling Templates
Threat Card Template
## Threat: [Threat Name]
**ID**: T-001
**Category**: [STRIDE Category]
**Component**: [Affected Component]
**Data Flow**: [Affected Data Flow]
### Description
[Detailed description of the threat]
### Attack Scenario
1. Attacker does X
2. This causes Y
3. Resulting in Z
### Impact
- Confidentiality: [High/Medium/Low]
- Integrity: [High/Medium/Low]
- Availability: [High/Medium/Low]
### DREAD Score
- Damage: X/10
- Reproducibility: X/10
- Exploitability: X/10
- Affected Users: X/10
- Discoverability: X/10
- **Total**: X.X
### Mitigations
| Control | Description | Status |
|---------|-------------|--------|
| [Control 1] | [Description] | [Status] |
### References
- [Related standards, CVEs, etc.]Common Threat Patterns
Authentication Threats
| Threat | Attack Vector | Mitigation |
|---|---|---|
| Credential Stuffing | Reused passwords from breaches | MFA, breach detection |
| Brute Force | Password guessing | Rate limiting, account lockout |
| Session Fixation | Forcing known session ID | Regenerate session on login |
| Token Theft | Stealing JWT/session token | Secure storage, short expiry |
Authorization Threats
| Threat | Attack Vector | Mitigation |
|---|---|---|
| Broken Object Level Auth | Direct object reference | Authorization checks on every request |
| Broken Function Level Auth | Missing role checks | RBAC enforcement |
| Mass Assignment | Modifying protected fields | Explicit field allowlists |
| Privilege Escalation | Exploiting role bugs | Least privilege, testing |
Data Threats
| Threat | Attack Vector | Mitigation |
|---|---|---|
| SQL Injection | Malicious SQL in input | Parameterized queries |
| NoSQL Injection | Malicious operators | Input validation, sanitization |
| Data Exposure | Verbose errors, logs | Sanitized responses, log filtering |
| Insecure Storage | Plaintext sensitive data | Encryption at rest |
Tools for Threat Modeling
| Tool | Type | Use Case |
|---|---|---|
| Microsoft Threat Modeling Tool | Desktop | STRIDE-based modeling |
| OWASP Threat Dragon | Web/Desktop | Open source, diagramming |
| IriusRisk | Enterprise | Automated threat analysis |
| Threagile | Code-based | Threat model as code |
| draw.io | Diagramming | DFD creation |
Threat Modeling for Compliance
FDA Requirements (Medical Devices)
- Document all identified threats
- Map threats to mitigations
- Include in Design History File (DHF)
- Update with design changes
HIPAA Requirements
- Focus on PHI data flows
- Document access controls
- Include in security risk assessment
- Annual review required
FedRAMP Requirements
- Map to NIST SP 800-53 controls
- Document in System Security Plan
- Include in security assessment
- Continuous monitoring updates
Best Practices
Do
- Include threat modeling in design phase
- Involve developers, security, and ops
- Update models when system changes
- Prioritize based on risk scores
- Document assumptions and trust boundaries
- Link threats to specific mitigations
Don't
- Skip threat modeling for "simple" features
- Create models and never update them
- Ignore threats because they seem unlikely
- Focus only on external attackers
- Treat threat modeling as a checkbox
- Keep models separate from development docs
Related Resources
- Security Overview
- Secure Coding
- Vulnerability Scanning
- Microsoft Threat Modeling Tool
- OWASP Threat Dragon
Compliance
This section fulfills ISO 13485 requirements for risk management (7.1) and design inputs (7.3.3), and ISO 27001 requirements for threat intelligence (A.5.7), risk assessment (A.5.8), and secure architecture (A.8.27).
How is this guide?
Last updated on