Beginner Fundamentals

Threat Modeling

Threat modeling is the process of thinking like an attacker before they act. The goal is to identify what can go wrong and act preventively.

Why Bother?

Fixing a security problem during design costs 30x less than fixing it in production. Modeling threats early saves time, money, and reputation.

The Four Steps

1. Identify Assets

What needs to be protected?

Examples of assets:
- Customer database
- API keys and secrets
- Source code
- Production servers
- Authentication data

2. Identify Threats (STRIDE)

STRIDE is a model created by Microsoft to categorize threats:

S — Spoofing           → impersonate another identity
T — Tampering          → alter data
R — Repudiation        → deny actions performed
I — Info Disclosure    → expose confidential data
D — Denial of Service  → make a service unavailable
E — Elevation of Privilege → gain more permissions

3. Identify Vulnerabilities

For each threat, what weakness does it exploit?

Threat: User Spoofing
Vulnerability: authentication without MFA, tokens without expiration

4. Define Controls

Which controls mitigate each vulnerability?

Vulnerability: token without expiration
Control: 15-min expiry + rotating refresh token

Data Flow Diagram (DFD)

Visualize how data moves through the system:

[User] → (HTTPS) → [API Gateway] → [Service] → [Database]

                  trust boundary: validate JWT here
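
The four steps applied to the diagram above, as an added example (not from the original page and not pytm code). It goes beyond the text by using the STRIDE-per-element chart to decide which categories apply to each element type; the zone names and the `REGISTER` layout are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element chart: the categories that usually apply
# to each DFD element type. Repudiation on data stores matters mainly for logs.
APPLICABLE = {"external": "SR", "process": "STRIDE", "datastore": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # a key of APPLICABLE
    zone: str   # trust zone; "internet" and "internal" are assumed names

# Constructed model of the page's diagram: the boundary sits at the API Gateway.
ELEMENTS = [
    Element("User", "external", "internet"),
    Element("API Gateway", "process", "internal"),
    Element("Service", "process", "internal"),
    Element("Database", "datastore", "internal"),
]
FLOWS = [("User", "API Gateway"), ("API Gateway", "Service"), ("Service", "Database")]

# Steps 3 and 4: (element, STRIDE letter) -> (vulnerability, control).
REGISTER = {
    ("User", "S"): ("token without expiration",
                    "15-min expiry + rotating refresh token"),
}

def boundary_crossings(elements, flows):
    """Flows whose endpoints sit in different trust zones: validate input here."""
    zone = {e.name: e.zone for e in elements}
    return [(src, dst) for src, dst in flows if zone[src] != zone[dst]]

def enumerate_threats(elements, flows):
    """Step 2: every (target, STRIDE letter) pair the chart says to consider."""
    threats = [(e.name, c) for e in elements for c in APPLICABLE[e.kind]]
    threats += [(f"{s} -> {d}", c) for s, d in flows for c in APPLICABLE["flow"]]
    return threats

def open_threats(elements, flows, register):
    """Threats with no vulnerability/control recorded yet: the remaining work."""
    return [t for t in enumerate_threats(elements, flows) if t not in register]

if __name__ == "__main__":
    print("Boundary crossings:", boundary_crossings(ELEMENTS, FLOWS))
    todo = open_threats(ELEMENTS, FLOWS, REGISTER)
    print(f"{len(todo)} threats still need a vulnerability and control:")
    for target, letter in todo:
        print(f"  [{letter}] {target}")
```

Each open entry is a question to answer in review, and many will be closed as "not applicable" with a one-line reason rather than a control.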

Practical Tools

  • OWASP Threat Dragon — free visual modeling
  • Microsoft Threat Modeling Tool — STRIDE-based
  • pytm — threat modeling as code (Python)

Expected Output

A document with: mapped assets, threats prioritized by risk, identified vulnerabilities, and planned controls. Review it at every significant architecture change.