Category:Threat Modeling

Revision as of 08:06, 26 September 2006 by Jeff Williams (Talk | contribs)

Jump to: navigation, search

This category should be used to tag articles that are related to threat modeling.


The term "threat modeling" has become quite popular recently. Microsoft has published a book about their process and includes threat modeling as a key activity in their Secure Development Lifecycle (SDL).

A threat model is essentially a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through security glasses.

Threat modeling is a process for capturing, organizing, and analyzing all of this information. Threat modeling enables informed decision-making about application security risk. In addition to producing a model, typical threat modeling efforts also produce a prioritized list of security improvements to the concept, requirements, design, or implementation.

Threat Modeling Across the Lifecycle

Threat modeling can be applied at any stage of a project in order to get a handle on security. The process is essentially the same at different levels of abstraction, although the information gets more and more granular throughout the lifecycle. Ideally, a high-level threat model should be defined in the concept or planning phase, and then refined throughout the lifecycle. As more details are added to the system, new attack vectors are created and exposed. The ongoing threat modeling process should examine, diagnose, and address these threats.

Note that it is a natural part of refining a system for these new threats to be exposed. For example, when you select a particular technology -- such as Java for example -- you take on the responsibility to identify the new threats that are created by that choice. Even implementation choices such as using regular expressions for validation introduce potential new threats to deal with.

Understanding the generic threat modeling process is important, and the steps are described below. But it may be more helpful to examine the threat modeling process at particular lifecycle stages, using specific terms and artifacts that are available at that stage.

Threat Modeling - Generic Steps

For a threat to an application to exist, there must be:

  • a threat agent
  • a viable attack
  • a vulnerability not blocked by a countermeasure
  • a negative impact to the business

To understand whether an application is secure enough or not, you have to search out combinations of these ingredients that lead to realistic threats. The real trick to threat modeling is not wasting time on threats that are too unlikely or too inconsequential. Beware threat modeling processes that are inefficient about pruning the search space of possible threats to eliminate threats that are very unlikely or have minimal impact.

There is no "right" way to evaluate the search space of possible threats. But there are "wrong" ways. Attempting to evaluate all the possible combinatations of threat agent, attack, vulnerability, and impact is a waste of time and effort. Note that many of the automated tools take this approach - gathering lots of data and producing thousands of possible threats. Generally it is more productive to focus on finding high likelihood and high impact threats.

The basic threat modeling process consists of the following generic steps. The process of exploring the search space is iterative and constantly refined based on what you have done so far. So, for example, starting with all possible vulnerabilities is usually pointless, as most of them are not attackable by the threat agents, protected by a safeguard, or do not lead to a conseequence. Therefore, it's generally best to start with the factors that make a lot of difference.

  • Identify assets and capabilities to be protected - The first step is always to understand what's on the line. Identifying tangible assets, like databases of information or sensitive files is usually easy. Understanding the capabilities provided by the application and valuing them is more difficult. Less concrete things, such as reputation and goodwill are the most difficult to measure, but are often the most critical.
  • Identify existing countermeasures - Threat modeling is best viewed as an ongoing process throughout the lifecycle. Each iteration should take into account the countermeasures already in place from the last round.
  • Identify threat agents and possible attacks - A key part of the threat model is a characterization of the different groups of people who might be able to attack your application. These groups should include insiders and outsiders, performing both inadvertent mistakes and malicious attacks.
  • Identify exploitable vulnerabilities -
  • Evalute severity of identified threats - asdf
  • Identify countermeasures to reduce threat - asdf


Done right, threat modeling provides a clear "line of sight" across a project that justifies security efforts. The threat model allows security decisions to be made rationally, with all the information on the table.

The threat modeling process naturally produces an assurance argument that can be used to explain and defend the security of an application. An assurance argument starts with a few high level claims, and justifies them with either subclaims or evidence.

The alternative to threat modeling is to guess about security decisions and wonder whether you are making the right investment in security.