threat modeling

last edited Sat, 20 Jul 2024 12:26:17 GMT


A method in which the security attributes of an existing system are identified in order to understand the threats against it and the potential mitigations. The overall process involves organizing and analyzing critical details of the system's infrastructure. The process can be repeated as the system evolves and changes over time. [1]

Threat modeling consists of asking ourselves four key questions: What are we working on? What can go wrong? What are we going to do about it? And, did we do a good enough job? [2]

Threat Modeling in 5 Steps [3]

Identify assets, threats, and vulnerabilities prior to building the threat model. Databases, software, and hardware can all be assets. Perform the following steps for each asset.

  1. identify your security objectives
  2. create an application overview detailing users, input/output
  3. decompose the application and underlying behavior using a data flow diagram (DFD)
  4. identify threats from data collected in step 2 and 3
  5. identify vulnerabilities

Methodology

DREAD

A classification scheme that assigns a numerical value to the risk of each threat. The result is a value from 0-10.

Risk Score = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY)

STRIDE

Used by Microsoft's Threat Modeling Tool and by OWASP's Threat Dragon. Each threat category maps to the security property it violates:

Threat Category          Violation
spoofing                 authenticity
tampering                integrity
repudiation              non-repudiability
information disclosure   confidentiality
denial of service        availability
elevation of privileges  authorization

LINDDUN

Based on STRIDE.

  1. model the system, typically using DFDs
  2. elicit threats by going over each of the DFD elements. Each identified threat should be documented.
  3. manage threats: prioritize them according to risk, then apply suitable mitigation strategies
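As an added example that is not part of the original notes or of any of the cited projects, the following Python script runs the elicit-per-element loop described in the 5-step procedure and in LINDDUN's steps 1-3 over a small constructed data flow diagram, asks the STRIDE questions for each element, and prioritizes the results with a DREAD score. Assumptions: the element-type to STRIDE-category mapping is the common "STRIDE-per-element" heuristic (not stated on this page), each DREAD factor is rated 0-10, and the score is averaged over the five factors so that it lands in the 0-10 range the DREAD section states (the page writes the formula as a plain sum).

```python
"""Added example: STRIDE-per-element elicitation with DREAD prioritization.

Illustrative code written for this page, not code from OWASP, Microsoft or the
LINDDUN project. The APPLICABLE mapping and the averaging in dread_score are
assumptions, as explained in the lead-in.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# STRIDE categories and the security property each one violates (page's table).
STRIDE = {
    "S": ("spoofing", "authenticity"),
    "T": ("tampering", "integrity"),
    "R": ("repudiation", "non-repudiability"),
    "I": ("information disclosure", "confidentiality"),
    "D": ("denial of service", "availability"),
    "E": ("elevation of privilege", "authorization"),
}

# Assumption: STRIDE-per-element heuristic, i.e. which categories are worth
# asking about for each kind of DFD element.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str  # one of APPLICABLE's keys
    # DREAD ratings per STRIDE letter: [damage, reproducibility, exploitability,
    # affected users, discoverability], each 0-10. Letters left out were judged
    # not relevant for this element by the analyst.
    dread: Dict[str, List[int]] = field(default_factory=dict)


@dataclass
class Threat:
    element: str
    category: str
    violates: str
    score: float


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability) -> float:
    """DREAD risk score: the five factors, averaged (assumption) to stay in 0-10."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 0 <= f <= 10 for f in factors):
        raise ValueError("each DREAD factor must be rated 0-10")
    return sum(factors) / 5


def elicit(elements: List[Element]) -> List[Threat]:
    """Walk every DFD element, raise the STRIDE categories that apply to its
    type, score each documented threat with DREAD and sort highest risk first."""
    threats: List[Threat] = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element type: {el.kind}")
        allowed = APPLICABLE[el.kind]
        # Catch analyst mistakes: a rating for a category that does not apply
        # to this element type is almost always a mislabelled element.
        stray = set(el.dread) - set(allowed)
        if stray:
            raise ValueError(f"{el.name}: categories {sorted(stray)} do not apply to {el.kind}")
        for letter in allowed:
            ratings = el.dread.get(letter)
            if ratings is None:
                continue
            name, prop = STRIDE[letter]
            threats.append(Threat(el.name, name, prop, dread_score(*ratings)))
    return sorted(threats, key=lambda t: t.score, reverse=True)


# Constructed sample DFD: a browser talking to a web app backed by a user database.
SAMPLE = [
    Element("browser", "external_entity", {"S": [6, 8, 7, 9, 8]}),
    Element("web app", "process", {"E": [9, 5, 4, 9, 4], "D": [5, 9, 8, 9, 9]}),
    Element("login form -> web app", "data_flow", {"I": [8, 9, 6, 9, 7]}),
    Element("user db", "data_store", {"T": [9, 3, 3, 9, 2]}),
]

if __name__ == "__main__":
    for t in elicit(SAMPLE):
        print(f"{t.score:4.1f}  {t.element:24s} {t.category} (violates {t.violates})")
```

Running the script prints the prioritized list, with the web app's denial-of-service threat (8.0) at the top and tampering with the user database (5.2) at the bottom. The stray-category check is the part worth keeping in a real tool: a data flow with a "spoofing" rating usually means the analyst drew an external entity as a flow, and silently dropping that rating would hide the modelling error.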

OCTAVE

The Operationally Critical Threat, Asset, and Vulnerability Evaluation methodology focuses on organizational risk.[4] It is well documented, to an overwhelming degree.

PASTA

Process for Attack Simulation and Threat Analysis, a seven-stage process:

  1. Define Business Objectives
  2. Define Tech Scope
  3. App Decomposition
  4. Threat Analysis
  5. Vulnerability Detection
  6. Attack Enumeration
  7. Risk/Impact Analysis

Real World Examples

The Libreserver project has its own threat model.

o-auth

Secure Drop

Secure Drop's threat model is extremely robust because of the adversaries it faces by design [5]. It makes many explicit assumptions about the source, the administrator, the journalist, and anyone installing Secure Drop.

Signal Messenger

Details of Signal's assumed threat model are analyzed in various papers.[6] See Docker.[7]


  1. OWASP

  2. Threat Modeling Manifesto

  3. Infosec Institute

  4. OCTAVE Implementation Guide

  5. Secure Drop

  6. A Formal Security Analysis of the Signal Messaging Protocol

  7. Docker Threat Model