Application Security
Threat Modeling
Also known as: Architectural risk analysis
Definition
A structured analysis that identifies the assets, threats, vulnerabilities and mitigations of a system so security can be designed in rather than bolted on.
Threat modeling is a collaborative engineering practice in which architects, developers and security engineers reason about how a system could be attacked. It produces a decomposition of the application (data flow diagrams, trust boundaries, assets), enumerates threats using frameworks such as STRIDE, PASTA or LINDDUN, and proposes countermeasures, prioritised by risk ratings such as DREAD or CVSS. Done early in the SDLC, threat modeling shifts security left: design flaws found at this stage are significantly cheaper to fix than those discovered after release. The output is typically a living document or model that is updated whenever the architecture, dependencies or trust boundaries change.
Examples
- STRIDE workshop on a new payments microservice that identifies a missing authentication check between two internal APIs.
- Data flow diagram review revealing an untrusted webhook crossing a trust boundary without signature verification.
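As an added illustration of the practice described above (example code, not part of the glossary page), the following Python expresses a small payments data flow diagram as code: each flow records which controls it has, every flow that crosses a trust boundary is checked with STRIDE-style questions, and the resulting threats are prioritised by a DREAD score. The element and flow names, the control-to-category mapping and the DREAD factor values are assumptions chosen for the example. It reproduces the two findings listed above (the unauthenticated internal API call and the unsigned webhook) and generalises slightly by also flagging information disclosure on unencrypted cross-boundary flows.

```python
"""STRIDE checks over a data flow diagram, prioritised with DREAD.

Added example, not code from the glossary page. The model below is constructed
to mirror the page's two examples; all element and flow names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Flow:
    """A DFD edge and the controls it currently has."""
    src: str
    dst: str
    data: str
    authenticated: bool = False        # dst verifies the caller's identity
    integrity_protected: bool = False  # payload is signed or MAC'd
    encrypted: bool = False            # confidentiality in transit (TLS)


@dataclass(frozen=True)
class TrustBoundary:
    name: str
    members: FrozenSet[str]


@dataclass
class Threat:
    category: str          # STRIDE category
    flow: Flow
    description: str
    dread: Dict[str, int]  # five DREAD factors, each 1..10

    @property
    def score(self) -> float:
        return sum(self.dread.values()) / 5  # DREAD rating: mean of the factors


# Baseline factors per category (assumed values); origin-dependent ones are set in rate().
BASE_DREAD = {
    "Spoofing": {"damage": 8, "reproducibility": 9, "affected_users": 8},
    "Tampering": {"damage": 9, "reproducibility": 8, "affected_users": 8},
    "Information disclosure": {"damage": 6, "reproducibility": 7, "affected_users": 6},
}


def rate(category: str, external_origin: bool) -> Dict[str, int]:
    """Flows reachable from outside every boundary are easier to find and
    exploit, so exploitability and discoverability are rated higher."""
    d = dict(BASE_DREAD[category])
    d["exploitability"] = 9 if external_origin else 5
    d["discoverability"] = 8 if external_origin else 4
    return d


def boundary_of(element: str, boundaries: List[TrustBoundary]) -> Optional[str]:
    """Boundary containing element, or None for an external entity."""
    return next((b.name for b in boundaries if element in b.members), None)


def crosses_boundary(flow: Flow, boundaries: List[TrustBoundary]) -> bool:
    return boundary_of(flow.src, boundaries) != boundary_of(flow.dst, boundaries)


def enumerate_threats(flows: List[Flow], boundaries: List[TrustBoundary]) -> List[Threat]:
    """STRIDE per data flow: examine only flows that cross a trust boundary and
    map each missing control to the STRIDE category it would prevent.
    Returns threats sorted by DREAD score, highest first."""
    threats: List[Threat] = []
    for f in flows:
        if not crosses_boundary(f, boundaries):
            continue  # both ends inside one boundary: trusted by the model
        ext = boundary_of(f.src, boundaries) is None
        if not f.authenticated:
            threats.append(Threat("Spoofing", f, f"{f.dst} cannot verify that "
                f"'{f.data}' came from {f.src}", rate("Spoofing", ext)))
        if not f.integrity_protected:
            threats.append(Threat("Tampering", f, f"'{f.data}' {f.src}->{f.dst} "
                "has no signature or MAC", rate("Tampering", ext)))
        if not f.encrypted:
            threats.append(Threat("Information disclosure", f, f"'{f.data}' "
                f"{f.src}->{f.dst} is readable in transit", rate("Information disclosure", ext)))
    return sorted(threats, key=lambda t: t.score, reverse=True)


# Constructed payments model (assumed names).
BOUNDARIES = [
    TrustBoundary("core-ledger", frozenset({"ledger-api"})),
    TrustBoundary("payouts", frozenset({"payout-api", "payout-db", "webhook-handler"})),
]
FLOWS = [
    # Internal API call across two service boundaries with no auth check (page example 1).
    Flow("ledger-api", "payout-api", "payout instruction", encrypted=True),
    # Partner webhook arriving from outside every boundary, unsigned (page example 2).
    Flow("psp-partner", "webhook-handler", "payment status webhook", encrypted=True),
    # Fully controlled cross-boundary flow: no findings expected.
    Flow("webhook-handler", "ledger-api", "status update",
         authenticated=True, integrity_protected=True, encrypted=True),
    # Intra-boundary flow: out of scope for this check.
    Flow("payout-api", "payout-db", "payout record"),
]
THREATS = enumerate_threats(FLOWS, BOUNDARIES)

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.score:.1f}  {t.category:<22} {t.description}")
```

Running the module prints the four findings in priority order: the unsigned, unauthenticated partner webhook scores 8.4 for both spoofing and tampering because it is reachable from outside every boundary, while the missing authentication between the two internal APIs scores 6.8. The intra-boundary database write is deliberately not examined, which is exactly why the trust boundaries in the DFD need to be drawn honestly: anything placed inside the same boundary is trusted by construction.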
Related terms
STRIDE Model
STRIDE Model — definition coming soon.
DREAD Model
DREAD Model — definition coming soon.
Secure Software Development Lifecycle (SSDLC)
A development lifecycle in which security activities are embedded into every phase, from requirements and design through coding, testing, release and operations.
Abuse Case
Abuse Case — definition coming soon.
Misuse Case
Misuse Case — definition coming soon.
Security Requirements
Security Requirements — definition coming soon.