What is Threat Modeling and what is its purpose?
Systematically asking "what can go wrong and what will we do about it?" — answered through four questions: what are we building, what can go wrong, what do we do, did we do it well.
* Threat-modeling iteration loop — decompose the architecture, find threats and vulnerabilities, design mitigations, then iterate on the architecture. *
* The four threat-modeling questions — what are we building, what can go wrong, what do we do about it, did we do a good enough job. *
Threat Modeling is the structured practice of identifying what can go wrong with a system and how to prevent it, before attackers find out for you.
It answers four key questions:
- What are we building? - Understand the system
- What can go wrong? - Identify threats
- What are we going to do about it? - Define mitigations
- Did we do a good job? - Validate the model
Why do it:
- Find security issues before they become vulnerabilities
- Make informed decisions about acceptable risk
- Create actionable security requirements from threats
When: Primarily during the design phase, but revisited as the system evolves.
Reference: Adam Shostack, "Threat Modeling: Designing for Security", Wiley 2014
Go deeper:
Threat Modeling Manifesto — the four questions, plus values and principles.
OWASP Threat Modeling Cheat Sheet — the four questions with practical guidance.