Overview
Threat modeling is the process of identifying, understanding, and strategizing against potential vulnerabilities in a system. It is used across both software development (as part of Secure SDLC) and penetration testing (to understand a system’s risks before testing). A threat model is typically represented as a diagram — similar to a data flow diagram — but with a security-oriented design. Elements marked in red indicate potential vulnerabilities, risks, or trust boundaries.
The CIA Triad
The CIA Triad forms the foundation of most security measures and threat modeling methodologies:
Confidentiality
Ensuring data or systems are not accessed by unauthorized individuals. Requires access controls, encryption, and data classification.
Integrity
Accuracy, consistency, and trustworthiness of data over its lifecycle. Involves checksums, hashing, and data verification.
Availability
Ensuring data and services are accessible to authorized users when needed. Requires redundancy, fault tolerance, and high-availability configurations.
Threat Modeling Methodologies
STRIDE (Microsoft)
An acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Used during the design phase to systematically identify threat categories.
| Threat | Description |
|---|---|
| Spoofing | Impersonating another user or system |
| Tampering | Modifying data or code |
| Repudiation | Denying an action took place |
| Information Disclosure | Exposing data to unauthorized parties |
| Denial of Service | Making a resource unavailable |
| Elevation of Privilege | Gaining unauthorized higher access |
DREAD (Microsoft)
A risk-scoring methodology for identified threats. Each factor is scored and combined to prioritize threats:
- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability
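The page says each DREAD factor is scored and the scores are combined, but does not show the arithmetic. The following is an added example (not from the page or from Microsoft) that scores each factor 0 to 10 and averages the five, which is how the method was originally used; the High/Medium/Low bands and the four sample findings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Scale assumed by this example: each factor scored 0 (none) to 10 (worst), and
# the DREAD score is the average of the five factors. The page states only that
# factors are scored and combined; the scale and bands are this example's choice.
SCALE_MIN, SCALE_MAX = 0, 10


@dataclass(frozen=True)
class DreadScore:
    threat: str
    damage: int           # Damage potential: how bad is it if exploited?
    reproducibility: int  # Reproducibility: how reliably can it be repeated?
    exploitability: int   # Exploitability: how little effort or skill does it need?
    affected_users: int   # Affected users: how many users are impacted?
    discoverability: int  # Discoverability: how easy is it to find?

    def __post_init__(self) -> None:
        # Reject out-of-range factors early so a typo cannot skew the ranking.
        for name, value in self.factors():
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{name} for '{self.threat}' must be {SCALE_MIN}-{SCALE_MAX}, got {value}"
                )

    def factors(self) -> List[Tuple[str, int]]:
        return [
            ("damage", self.damage),
            ("reproducibility", self.reproducibility),
            ("exploitability", self.exploitability),
            ("affected_users", self.affected_users),
            ("discoverability", self.discoverability),
        ]

    def score(self) -> float:
        # Combined DREAD score: mean of the five factors, so it stays on the 0-10 scale.
        return sum(v for _, v in self.factors()) / len(self.factors())


def rating(score: float) -> str:
    # Bands are an assumption of this example; teams usually set their own thresholds.
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritize(scores: List[DreadScore]) -> List[Tuple[str, float, str]]:
    """Highest DREAD score first; ties broken by name so the order is stable."""
    ranked = sorted(scores, key=lambda s: (-s.score(), s.threat))
    return [(s.threat, round(s.score(), 1), rating(s.score())) for s in ranked]


# Constructed sample scores for four hypothetical findings (not from the page).
SAMPLE = [
    DreadScore("Debug endpoint reachable", 2, 10, 2, 1, 2),
    DreadScore("SQL injection in login form", 9, 10, 8, 10, 7),
    DreadScore("Missing HSTS header", 3, 10, 3, 2, 4),
    DreadScore("Rate-limit bypass on password reset", 5, 8, 6, 4, 5),
]

if __name__ == "__main__":
    for name, value, band in prioritize(SAMPLE):
        print(f"{value:4.1f}  {band:6}  {name}")
```

One practical caveat: the Discoverability factor rewards obscurity, so many teams fix it at 10 for every threat (assume an attacker will find it) and let the other four factors drive the ranking; with this code that is simply a matter of passing 10 as the last argument.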
PASTA (Process for Attack Simulation and Threat Analysis)
A seven-step risk-centric methodology:
- Define security objectives
- Identify technical scope
- Application decomposition
- Threat analysis
- Vulnerability analysis
- Attack modeling
- Risk and triage assessment
Trike
A risk-based methodology that starts from a risk management perspective and examines threats and vulnerabilities in terms of asset defense.
VAST (Visual, Agile, and Simple Threat Modeling)
Designed to integrate into Agile development environments. Combines elements from other methodologies and emphasizes visual representations of threats.
OCTAVE (CERT Coordination Center)
Focused on organizational risk assessment rather than specific systems or software. Geared toward understanding risk in the context of mission and business objectives.
Threat Modeling Tools
OWASP Threat Dragon
An open-source web and desktop application for creating threat models with system diagrams and auto-generated threat/mitigation rules.
Build Your Diagram
Add entities using the drag-and-drop editor:
- Process — A service, function, or application component (e.g., web server)
- Actor — A person or external system (e.g., website visitor, administrator)
- Data Flow Line — Indicates data movement between components
- Trust Boundary — Network segments or security zones
- Store — Databases or file systems where data is persisted
Add Threats
Select a component layer and create threats. Note: Actor threats only support Spoofing and Repudiation, while Process threats support all STRIDE categories.
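The STRIDE table above and the per-element note here (Actor threats are limited to Spoofing and Repudiation, Process threats cover all six categories) together describe the kind of auto-generation a tool like Threat Dragon does. The following is an added example, not Threat Dragon's code or rules: it models a diagram's actors, processes, stores, data flows and trust-boundary zones, generates candidate STRIDE threats per element, and flags flows that cross a trust boundary. The Actor and Process rows follow the note; the Store and DataFlow rows, and the sample diagram, are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Tuple

# The six STRIDE categories as listed in the table.
STRIDE: Tuple[str, ...] = (
    "Spoofing",
    "Tampering",
    "Repudiation",
    "Information Disclosure",
    "Denial of Service",
    "Elevation of Privilege",
)

# Which categories are raised for which diagram element. The Actor and Process
# rows follow the note above. The Store and DataFlow rows are an assumption of
# this example, modelled on common STRIDE-per-element practice, not a page rule.
APPLICABLE: Dict[str, Tuple[str, ...]] = {
    "Actor": ("Spoofing", "Repudiation"),
    "Process": STRIDE,
    "Store": ("Tampering", "Repudiation", "Information Disclosure", "Denial of Service"),
    "DataFlow": ("Tampering", "Information Disclosure", "Denial of Service"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "Actor", "Process" or "Store"
    zone: str   # the trust boundary (security zone) the element sits inside


@dataclass(frozen=True)
class DataFlow:
    name: str
    source: str  # Element.name
    target: str  # Element.name


class Threat(NamedTuple):
    subject: str           # element or data flow the threat applies to
    category: str          # one of STRIDE
    across_boundary: bool  # True for a data flow that crosses a trust boundary


@dataclass
class ThreatModel:
    elements: Dict[str, Element] = field(default_factory=dict)
    flows: List[DataFlow] = field(default_factory=list)

    def add(self, element: Element) -> None:
        if element.kind not in ("Actor", "Process", "Store"):
            raise ValueError(f"unknown element kind: {element.kind}")
        self.elements[element.name] = element

    def connect(self, name: str, source: str, target: str) -> None:
        for endpoint in (source, target):
            if endpoint not in self.elements:
                raise KeyError(f"unknown element: {endpoint}")
        self.flows.append(DataFlow(name, source, target))

    def crosses_boundary(self, flow: DataFlow) -> bool:
        # Endpoints in different zones mean the flow crosses a trust boundary,
        # the kind of element the page says a diagram marks in red.
        return self.elements[flow.source].zone != self.elements[flow.target].zone

    def threats(self) -> List[Threat]:
        out: List[Threat] = []
        for el in self.elements.values():
            out.extend(Threat(el.name, cat, False) for cat in APPLICABLE[el.kind])
        for flow in self.flows:
            crossing = self.crosses_boundary(flow)
            out.extend(Threat(flow.name, cat, crossing) for cat in APPLICABLE["DataFlow"])
        return out


def build_sample_model() -> ThreatModel:
    """Constructed sample diagram: a visitor, a web server in a DMZ, two stores."""
    m = ThreatModel()
    m.add(Element("Visitor", "Actor", "Internet"))
    m.add(Element("Web Server", "Process", "DMZ"))
    m.add(Element("Log Store", "Store", "DMZ"))
    m.add(Element("Customer DB", "Store", "Internal"))
    m.connect("HTTP request", "Visitor", "Web Server")        # Internet -> DMZ
    m.connect("Access log write", "Web Server", "Log Store")  # stays inside DMZ
    m.connect("SQL query", "Web Server", "Customer DB")       # DMZ -> Internal
    return m


def boundary_crossing_threats(model: ThreatModel) -> List[Threat]:
    """Threats on flows that cross a trust boundary: the first ones to review."""
    return [t for t in model.threats() if t.across_boundary]


if __name__ == "__main__":
    model = build_sample_model()
    for t in model.threats():
        flag = "  [crosses trust boundary]" if t.across_boundary else ""
        print(f"{t.subject:16} {t.category}{flag}")
```

Running it lists 25 candidate threats for the sample diagram, six of which sit on the two boundary-crossing flows; in practice each candidate is then accepted with a mitigation or dismissed with a reason, which is the review step the tool's generated list is meant to start.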
SpiderSuite
SpiderSuite is an advanced cross-platform GUI web spider/crawler for attack surface mapping. Use it to crawl target applications and generate data flow inspiration for your threat model:
- Input a target URL and start crawling.
- View the generated graph of discovered endpoints and relationships.
- Use the crawl results to identify trust boundaries and data flows for your threat model.
Microsoft Threat Modeling Tool
A free tool from Microsoft that finds threats in the design phase using the STRIDE methodology. Particularly suitable for teams developing on Microsoft’s stack. Download: https://aka.ms/threatmodelingtool
When to Use Threat Modeling
During Software Development
As part of the Secure Software Development Life Cycle (SSDLC), threat modeling in early design phases prevents costly security fixes later.
Before Penetration Testing
The PTES (Penetration Testing Execution Standard) requires threat modeling to understand system vulnerabilities and scope before conducting tests.
During Architecture Reviews
Use threat models to communicate security risks to engineers and stakeholders, and to document security decisions.
After Incidents
Update threat models after security incidents to capture newly discovered attack vectors and validate that controls address root causes.