Quiz Entry - updated: 2026.07.14
What are two common tools for threat modeling in requirements engineering?
The Microsoft Threat Modeling Tool and OWASP Threat Dragon — both let you draw DFDs and surface threats systematically with STRIDE.
-
Microsoft Threat Modeling Tool (2016)
- Free tool from Microsoft
- Helps identify threats using STRIDE methodology
- Generates threat reports from DFD diagrams
-
OWASP Threat Dragon
- Open-source threat modeling tool
- Web-based application
- Supports creating threat models with DFD notation
- Part of the OWASP project ecosystem
Both tools help systematically identify security threats during the requirements and design phases.
STRIDE Methodology (used by Microsoft TMT):
| Threat | Property Violated | Example |
|---|---|---|
| Spoofing | Authentication | Fake login page |
| Tampering | Integrity | Modified data in transit |
| Repudiation | Non-repudiation | Denying a transaction |
| Information Disclosure | Confidentiality | Data leak |
| Denial of Service | Availability | Overloading server |
| Elevation of Privilege | Authorization | User becomes admin |
When to threat model: Early! During requirements and design - fixing security issues here is 10-100x cheaper than in production.
Go deeper:
Microsoft Threat Modeling Tool — the SDL tool's STRIDE-per-element guided analysis.
OWASP Threat Modeling Cheat Sheet — Threat Dragon and the Microsoft tool alongside the four threat-modeling questions.
Threat model (Wikipedia) — the STRIDE categories and how a DFD-based threat model is built.