Threat Modeling (Bedrohungsmodellierung)
A structured process for systematically identifying security threats in software development or IT architecture. STRIDE, PASTA, and DREAD are the best-known methods. Goal: To identify security vulnerabilities before code is written.
Threat Modeling is the systematic analysis of security threats—ideally during the design phase, before any code is written. It answers four fundamental questions:
- What are we building? (Understanding the system)
- What could go wrong? (Identifying threats)
- What will we do about it? (Planning countermeasures)
- Have we done a good job? (Validation)
STRIDE – Microsoft’s Threat Classification
STRIDE is the best-known threat modeling framework. Each letter represents a threat category:
| Letter | Threat | Affects... | Example |
|---|---|---|---|
| S | Spoofing | Authenticity | Attacker impersonates an admin |
| T | Tampering | Integrity | Manipulating database entries |
| R | Repudiation | Non-repudiation | "I never made that transaction" |
| I | Information Disclosure | Confidentiality | SQL injection reads all customer data |
| D | Denial of Service | Availability | 100,000 requests → Server overloaded |
| E | Elevation of Privilege | Authorization | Normal user becomes admin |
Applying STRIDE - Example Login Form
Component: Login Form with Database
| STRIDE | Threat | Countermeasure |
|---|---|---|
| S (Spoofing) | Attacker impersonates another user | MFA, secure session tokens |
| T (Tampering) | Password hash manipulated in database | DB user has no UPDATE privileges on user table |
| R (Repudiation) | User denies successful logins | Audit log with timestamp, IP, user agent (append-only, cannot be altered afterwards) |
| I (Information Disclosure) | SQL injection exposes all password hashes | Parameterized queries, least privilege DB account |
| D (Denial of Service) | 10,000 login attempts/second → Server overloaded | Rate limiting, CAPTCHA after X attempts |
| E (Elevation of Privilege) | Regular user accesses admin pages | Server-side auth check on EVERY admin endpoint |
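The countermeasure column of the login-form table, worked through in one runnable piece. This is an added example in Python, not code from the page or from any tool it names; it assumes an in-memory SQLite store with a single constructed user `alice`, a limit of 5 attempts per 60 seconds per IP, and SQLite triggers standing in for the missing UPDATE/DELETE grants that a real DBMS account would lack.

```python
import hashlib
import hmac
import os
import sqlite3
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed in-memory store standing in for the login form's database.
# Table layout, sample user and limits are assumptions of this example.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT);
CREATE TABLE audit_log (ts REAL, username TEXT, ip TEXT, user_agent TEXT, outcome TEXT);
-- R (Repudiation) / T (Tampering): SQLite has no per-user grants, so triggers stand in
-- for an append-only audit table (real DBMS: no UPDATE/DELETE grant on this table).
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
  BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
  BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
""")

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: a leaked hash table (I) is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_salt = os.urandom(16)
db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
           ("alice", _salt, hash_password("correct horse", _salt), "user"))
db.commit()

# I (Information Disclosure): the SQL text is built from user input, so a username
# containing a quote changes the statement instead of being treated as data.
def find_user_unsafe(username: str):
    return db.execute(
        f"SELECT username, salt, pw_hash, role FROM users WHERE username = '{username}'"
    ).fetchone()

# Hardened form: parameterized query; input can never become part of the SQL.
def find_user(username: str):
    return db.execute("SELECT username, salt, pw_hash, role FROM users WHERE username = ?",
                      (username,)).fetchone()

# D (Denial of Service): sliding-window rate limit per client IP.
MAX_ATTEMPTS, WINDOW_SECONDS = 5, 60
_attempts = defaultdict(deque)

def rate_limited(ip: str, now: float) -> bool:
    window = _attempts[ip]
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()
    if len(window) >= MAX_ATTEMPTS:
        return True
    window.append(now)
    return False

def audit(username: str, ip: str, user_agent: str, outcome: str, now: float) -> None:
    db.execute("INSERT INTO audit_log VALUES (?, ?, ?, ?, ?)",
               (now, username, ip, user_agent, outcome))
    db.commit()

def login(username: str, password: str, ip: str, user_agent: str,
          now: Optional[float] = None) -> Optional[dict]:
    """Return a session dict on success, None otherwise; every outcome is audited (R)."""
    now = time.time() if now is None else now
    if rate_limited(ip, now):
        audit(username, ip, user_agent, "rate_limited", now)
        return None
    row = find_user(username)
    # S (Spoofing): compare in constant time, against a dummy hash for unknown users,
    # so neither timing nor the error text reveals which usernames exist.
    salt, stored = (row[1], row[2]) if row else (b"\0" * 16, b"\0" * 32)
    ok = hmac.compare_digest(hash_password(password, salt), stored) and row is not None
    audit(username, ip, user_agent, "success" if ok else "failure", now)
    if not ok:
        return None
    # S: opaque, random session token rather than anything derived from the username.
    return {"user": row[0], "role": row[3], "token": os.urandom(32).hex()}

# E (Elevation of Privilege): the role check runs server-side on every admin endpoint.
def require_role(role: str):
    def wrap(handler):
        def guarded(session: Optional[dict], *args):
            if session is None or session.get("role") != role:
                raise PermissionError("forbidden")
            return handler(session, *args)
        return guarded
    return wrap

@require_role("admin")
def admin_dashboard(session: dict) -> str:
    return f"admin view for {session['user']}"

def audit_entries() -> int:
    return db.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]

def audit_log_is_append_only() -> bool:
    """Check that the R countermeasure holds: deleting audit rows must be refused."""
    try:
        db.execute("DELETE FROM audit_log")
        return False
    except sqlite3.DatabaseError:
        return True
```

Each function maps back to one row of the table: `find_user` versus `find_user_unsafe` is the I row, `rate_limited` the D row, the triggers plus `audit` the R and T rows, and `require_role` the E row. The point of `find_user_unsafe` is only that a username with a quote in it breaks the statement; the parameterized version returns a clean "no such user" for the same input.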
PASTA - Process for Attack Simulation and Threat Analysis
PASTA is more risk-based and business-oriented than STRIDE:
- Define Objectives: Define business impact—what is worth protecting?
- Technical Scope: System diagrams, data flows, trust boundaries
- Application Decomposition: DFDs (Data Flow Diagrams), component inventory
- Threat Analysis: Which threat actors? APT, insiders, script kiddies?
- Vulnerability Analysis: Identify vulnerabilities in the system
- Attack Modeling: Attack trees for each threat
- Risk Analysis: Risk = Probability × Business Impact
DREAD - Risk Scoring
DREAD rates each identified threat on five criteria, each scored from 1 to 10, giving a total out of 50:
| Letter | Criterion | Question |
|---|---|---|
| D | Damage | How severe is the damage? |
| R | Reproducibility | How easy is it to reproduce? |
| E | Exploitability | How easy is it to exploit? |
| A | Affected Users | How many are affected? |
| D | Discoverability | How easy to find? |
Example: SQL injection on login form: Damage 9, Reproducibility 10, Exploitability 8, Affected Users 10, Discoverability 7 → DREAD Score: 44/50 = critical.
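The STRIDE classification and the DREAD scoring above, combined into a small threat register that also answers the fourth question, "Have we done a good job?". This is an added example in Python, not code from the page or from the tools it names; the SQL injection row carries the page's DREAD values (9, 10, 8, 10, 7), the other two rows and the severity band thresholds are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# STRIDE letters and the five DREAD criteria, as on the page.
STRIDE: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service", "E": "Elevation of Privilege",
}
DREAD_CRITERIA: Tuple[str, ...] = (
    "damage", "reproducibility", "exploitability", "affected_users", "discoverability",
)
MAX_SCORE = 10 * len(DREAD_CRITERIA)   # 50

@dataclass
class Threat:
    component: str
    category: str                       # one STRIDE letter
    description: str
    countermeasure: str = ""            # empty means: not yet mitigated
    dread: Dict[str, int] = field(default_factory=dict)

    def score(self) -> int:
        """DREAD score: sum of the five criteria, each 1..10, so 5..50; rejects bad input."""
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.category!r}")
        missing = [c for c in DREAD_CRITERIA if c not in self.dread]
        if missing:
            raise ValueError(f"unscored DREAD criteria: {missing}")
        bad = [c for c in DREAD_CRITERIA if not 1 <= self.dread[c] <= 10]
        if bad:
            raise ValueError(f"criteria outside 1..10: {bad}")
        return sum(self.dread[c] for c in DREAD_CRITERIA)

def severity(score: int) -> str:
    # Band thresholds are an assumption of this example; the page only states 44/50 = critical.
    if score >= 40:
        return "critical"
    if score >= 25:
        return "high"
    if score >= 15:
        return "medium"
    return "low"

def ranked(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD score first, so the team fixes the worst threat first."""
    return sorted(threats, key=lambda t: t.score(), reverse=True)

def coverage_gaps(threats: List[Threat], components: List[str]) -> List[Tuple[str, str]]:
    """'Have we done a good job?': (component, STRIDE letter) pairs nobody has considered."""
    seen = {(t.component, t.category) for t in threats}
    return sorted((c, s) for c in components for s in STRIDE if (c, s) not in seen)

def unmitigated(threats: List[Threat], at_least: str = "high") -> List[Threat]:
    """Threats at or above a severity band that still have no countermeasure."""
    order = ["low", "medium", "high", "critical"]
    floor = order.index(at_least)
    return [t for t in threats
            if not t.countermeasure and order.index(severity(t.score())) >= floor]

# Constructed register for the login-form component; only the first row uses the
# page's numbers, the other two are invented for illustration.
LOGIN_THREATS = [
    Threat("login form", "I", "SQL injection exposes all password hashes",
           "parameterized queries, least-privilege DB account",
           dict(damage=9, reproducibility=10, exploitability=8, affected_users=10, discoverability=7)),
    Threat("login form", "D", "10,000 login attempts/second overload the server",
           "rate limiting, CAPTCHA",
           dict(damage=6, reproducibility=9, exploitability=7, affected_users=10, discoverability=8)),
    Threat("login form", "E", "regular user reaches admin pages", "",
           dict(damage=9, reproducibility=8, exploitability=5, affected_users=3, discoverability=5)),
]

if __name__ == "__main__":
    for t in ranked(LOGIN_THREATS):
        print(f"{t.category} {t.score():2d}/{MAX_SCORE} {severity(t.score()):8s} {t.description}")
    print("STRIDE categories not yet considered:", coverage_gaps(LOGIN_THREATS, ["login form"]))
    print("unmitigated high/critical:", [t.description for t in unmitigated(LOGIN_THREATS)])
```

Running it reproduces the page's 44/50 for the SQL injection row and then does the two things a spreadsheet usually misses: it reports the STRIDE letters for which nobody wrote a threat at all (here S, T and R for the login form), and it lists the high-or-worse threats that still have an empty countermeasure column.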
Threat Modeling in Practice
Microsoft Threat Modeling Tool
Free tool from Microsoft:
- Graphical DFD creation
- Automatic STRIDE threat identification
- Recommendations for countermeasures
- Export reports
OWASP Threat Dragon
Open-source alternative:
- Web-based or desktop
- GitHub integration
- STRIDE-based
When to Perform Threat Modeling?
Early in the SDLC:
- For new features during design review
- Before starting implementation (2 hours can save weeks of rework)
- When making architectural changes
Regularly:
- Update annually for existing systems
- After penetration testing: Update the threat model
- After security incidents: What did we overlook?
Threat modeling is the most cost-effective security mechanism: A 2-hour workshop during the design phase can identify vulnerabilities that would cost thousands of euros to fix in a penetration test.