Threat Modeling - Identifying Risks by Design
About 2 min read
Threat modeling is a security design methodology that systematically identifies potential threats to a system or application at the design stage, prioritizes them, and applies countermeasures. By structurally analyzing "what to protect," "who the attackers are," and "where the weaknesses lie," it can dramatically reduce security defects discovered in later development phases. The cost of fixing a vulnerability after it is found in production is said to be 30 to 100 times that of the design stage, making threat modeling a highly cost-effective preventive measure.
Historical Background
The concept of threat modeling began in the late 1990s when Microsoft systematized it as part of its internal Security Development Lifecycle (SDL). After the 2002 "Trustworthy Computing" declaration, Microsoft incorporated threat modeling as a mandatory process in the development of Windows and Office, and published its results as the STRIDE model. Since then, OWASP and NIST have also adopted threat modeling into their respective frameworks, establishing it as an industry-standard design methodology.
The STRIDE Model
STRIDE is a threat classification framework developed by Microsoft, formed from the initials of six threat categories.
Spoofing. Breaking through authentication using someone else's ID.
Tampering. Illegitimately altering data or communication content.
Repudiation. Erasing evidence of an action and denying having performed it.
Information disclosure. Access to data without authorization.
Denial of service. Rendering the system unavailable.
Elevation of privilege. Illegitimately obtaining higher privileges.
DREAD Scoring
After classifying threats with STRIDE, DREAD quantitatively assesses the severity of each threat. It scores five items, each on a scale of 1 to 10: Damage (the magnitude of harm), Reproducibility, Exploitability (the ease of attack), Affected Users (the number of users impacted), and Discoverability (the ease of discovery), then determines priority by the total score. However, DREAD has been criticized for being prone to subjective evaluation, and Microsoft itself now recommends using it together with CVSS (Common Vulnerability Scoring System).
The PASTA Framework
PASTA (Process for Attack Simulation and Threat Analysis) is a seven-stage framework that analyzes business risks and technical threats in an integrated manner. It starts with defining business objectives, then proceeds to identifying the technical scope, application decomposition, threat analysis, vulnerability analysis, attack simulation, and risk and impact analysis. Whereas STRIDE is a classification tool for engineers, PASTA is characterized by functioning as a common language between management and engineers.
Data Flow Diagrams and Trust Boundaries
Data flows that cross trust boundaries are the key focus of threat analysis
At the core of threat modeling is the data flow diagram (DFD). It visualizes the flow of data within a system and makes the trust boundaries explicit. A trust boundary is the dividing line between regions with different security levels, such as the boundary between the internet and an internal network, or between the application layer and the database layer. Because the attack surface concentrates on these trust boundaries, each STRIDE threat is examined for every data flow that crosses a boundary.
Integration into the Development Lifecycle
Threat modeling is not a task confined to the design phase alone. In agile development, the threats of new features are assessed every sprint, and the existing threat model is updated. An approach that incorporates SAST (static analysis) and DAST (dynamic analysis) into the CI/CD pipeline to automatically verify whether the risks identified in the threat model are addressed at the implementation level is also spreading. The ideal cycle is to plan a defense-in-depth design at the threat modeling stage and verify its effectiveness through red team exercises.
Real-World Use Cases
"When we conducted a STRIDE analysis during the design review of a new payment feature, we found an elevation-of-privilege threat in the API's authorization check. Because we were able to fix it at the design stage, we avoided an estimated remediation cost of 4 million yen had it been discovered after implementation. Now we require threat modeling in the design of every feature."
We explain building an organization's security posture in detail in the startup security checklist, designing a password policy in the corporate password policy article, and ransomware countermeasures in the ransomware protection article.threat modeling books on Amazon are also helpful for improving your design process.
Was this article helpful?