Threat Modelling: Proactively Identifying Security Risks

Threat modelling is a structured approach to identifying, understanding, and mitigating security threats during the design phase of a system — before any code is written. It shifts security left by asking "what could go wrong?" at the point where changes are cheapest to make.

The STRIDE Framework

STRIDE is a widely used threat modelling methodology that categorises threats by type:

  • Spoofing: Can an attacker impersonate another user or system?
  • Tampering: Can an attacker modify data in transit or at rest?
  • Repudiation: Can an attacker deny performing an action (typically because logging is insufficient to prove it)?
  • Information Disclosure: Can an attacker access information they shouldn't?
  • Denial of Service: Can an attacker make the system unavailable?
  • Elevation of Privilege: Can an attacker gain more permissions than they should have?

Threat Modelling Process

  1. Decompose the system: Create a data flow diagram showing components, data flows, and trust boundaries
  2. Identify threats: For each element and data flow, identify applicable STRIDE threats
  3. Analyse threats: Score by likelihood and impact using DREAD or CVSS
  4. Mitigate: For each significant threat, define mitigations to implement
  5. Validate: Confirm mitigations are implemented
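To make the five steps and the STRIDE categories concrete, here is a small threat-modelling helper written for this page (it is an added example, not the team's tooling or any standard library). It walks a constructed data flow diagram of a browser, an API and a user database, tags flows that cross a trust boundary, enumerates STRIDE threats per element using the usual STRIDE-per-element mapping, scores them with DREAD, records mitigations, and reports which significant threats are still open and which mitigations await validation. The element names, scores and mitigation strings are all constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not code from the original article. Element kinds, the
# STRIDE-per-element mapping and all scores/mitigations are illustrative.

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

# Which STRIDE categories are normally considered for each DFD element kind
# (assumption: the common STRIDE-per-element default; teams tune it per system).
STRIDE_BY_ELEMENT = {
    "external_entity": {"Spoofing", "Repudiation"},
    "process": set(STRIDE),
    "data_store": {"Tampering", "Repudiation", "Information Disclosure", "Denial of Service"},
    "data_flow": {"Tampering", "Information Disclosure", "Denial of Service"},
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # key of STRIDE_BY_ELEMENT
    trust_zone: str  # e.g. "internet", "dmz", "internal"

@dataclass(frozen=True)
class Flow:
    source: str
    dest: str
    payload: str

@dataclass
class Threat:
    target: str
    category: str
    crosses_boundary: bool
    # DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability (1-10 each)
    dread: tuple = (5, 5, 5, 5, 5)
    mitigation: str = ""

    @property
    def score(self) -> float:
        return sum(self.dread) / len(self.dread)

def decompose(elements, flows):
    """Step 1: the DFD as (name -> trust zone, flows tagged with whether they cross a trust boundary)."""
    zone = {e.name: e.trust_zone for e in elements}
    tagged = [(f, zone[f.source] != zone[f.dest]) for f in flows]
    return zone, tagged

def identify_threats(elements, flows):
    """Step 2: enumerate the STRIDE categories applicable to every element and flow."""
    _, tagged = decompose(elements, flows)
    threats = [Threat(e.name, c, False) for e in elements for c in sorted(STRIDE_BY_ELEMENT[e.kind])]
    for f, crosses in tagged:
        label = f"{f.source} -> {f.dest} ({f.payload})"
        threats += [Threat(label, c, crosses) for c in sorted(STRIDE_BY_ELEMENT["data_flow"])]
    return threats

def analyse(threats, scores):
    """Step 3: attach DREAD scores keyed by (target, category); unscored threats keep the neutral default."""
    for t in threats:
        t.dread = scores.get((t.target, t.category), t.dread)
    return sorted(threats, key=lambda t: (-t.score, t.target, t.category))

def mitigate(threats, mitigations, threshold=6.0):
    """Step 4: record mitigations; return the register and the significant threats still lacking one."""
    for t in threats:
        t.mitigation = mitigations.get((t.target, t.category), "")
    gaps = [t for t in threats if t.score >= threshold and not t.mitigation]
    return threats, gaps

def validate(register, implemented):
    """Step 5: mitigations defined in the register but not yet confirmed as implemented."""
    return [t for t in register if t.mitigation and t.mitigation not in implemented]

# Constructed sample: a browser talking to an API that reads a user database.
SAMPLE_ELEMENTS = [
    Element("browser", "external_entity", "internet"),
    Element("api", "process", "dmz"),
    Element("userdb", "data_store", "internal"),
]
SAMPLE_FLOWS = [Flow("browser", "api", "credentials"), Flow("api", "userdb", "user records")]
SAMPLE_SCORES = {
    ("browser -> api (credentials)", "Information Disclosure"): (9, 9, 8, 9, 8),
    ("api", "Elevation of Privilege"): (9, 6, 5, 8, 6),
    ("userdb", "Tampering"): (8, 5, 4, 8, 4),
}
SAMPLE_MITIGATIONS = {
    ("browser -> api (credentials)", "Information Disclosure"): "TLS everywhere with HSTS",
    ("userdb", "Tampering"): "least-privilege DB account, parameterised queries",
}

def run_sample():
    """Run steps 2-5 over the sample and return (register, open gaps, mitigations pending validation)."""
    ranked = analyse(identify_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS), SAMPLE_SCORES)
    register, gaps = mitigate(ranked, SAMPLE_MITIGATIONS)
    pending = validate(register, implemented={"TLS everywhere with HSTS"})
    return register, gaps, pending

if __name__ == "__main__":
    register, gaps, pending = run_sample()
    for t in register:
        flag = "*" if t.crosses_boundary else " "   # * marks a flow across a trust boundary
        print(f"{flag} {t.score:4.1f}  {t.category:<22} {t.target:<32} {t.mitigation or '-'}")
    print("unmitigated significant threats:", [(t.target, t.category) for t in gaps])
    print("mitigations awaiting validation:", [t.mitigation for t in pending])
```

Run as a script, the register lists eighteen candidate threats ranked by DREAD score, with both flows flagged because each crosses a trust zone (internet to DMZ, DMZ to internal). The API's Elevation of Privilege entry scores 6.8 with no mitigation recorded, so it is reported as an open item; the database Tampering mitigation is recorded but not yet confirmed, so it appears under validation. The threshold and the per-element mapping are the two knobs a team would adjust to match their own risk appetite.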

When We Use It

We perform threat modelling during architecture design for new systems and when significant new features introduce new data flows or trust boundaries. The output is a threat register that feeds into security requirements.