LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you trace from a Use Case through threat analysis to a security requirement?

Use Case → DFD → STRIDE threats → Misuse Cases → DREAD rating → Mitigation Use Cases → a testable security requirement. Each step feeds the next.

End-to-end example — "User Login" Use Case:

Step Activity Result
1. Use Case Document "User Login" (actor, flow, preconditions) UC defined
2. DFD Draw data flow: Browser → Login Form → Auth Service → User DB Trust boundaries identified
3. STRIDE Apply to each DFD element crossing trust boundary Threats: Spoofing (fake credentials), Tampering (modified request), Info Disclosure (password leak)
4. Misuse Cases Create MUCs: "Brute Force Attack", "SQL Injection", "Credential Stuffing" MUCs documented
5. DREAD Rate each MUC: SQL Injection = D3+R3+E2+A3+D2 = 13 (High) Priorities set
6. Mitigations Create Mitigation UCs: "Input Validation", "Rate Limiting", "MFA" Security requirements derived
7. Requirements "The system SHALL enforce rate limiting after 5 failed login attempts" Testable requirement

Why this process works: Each step builds on the previous one. You start with what the system should do (UC), identify what could go wrong (STRIDE/MUC), prioritize risks (DREAD), and derive specific, testable security requirements (Mitigations).

See: OWASP Threat Modeling Cheat Sheet

From Quiz: SPRG / Repetition and Review | Updated: Jul 14, 2026