Threat Modeling

The primary goal of threat modeling is to proactively identify potential threats to a system before they can be exploited. These threats may stem from a variety of sources, including the system’s architecture, for example race conditions in asynchronous microservice calls, or dependencies on third-party services that could be compromised and leveraged in an attack.

To structure and deepen the analysis, combining methodologies such as the STRIDE model and Attack Trees can be highly effective. Together, these tools help break down complex systems into manageable components, guiding participants through a structured and comprehensive thought process during threat modeling sessions.

A key element of successful threat modeling is the involvement of developers and other relevant system stakeholders. These individuals possess deep knowledge of how systems are built and operate, making them essential contributors to identifying realistic threat scenarios. As organizations mature, the goal should be for development teams to take ownership of the threat modeling process. Achieving this level of maturity, however, requires consistent support, training, and well-defined processes led by the security team.

Creating the right environment is just as important as applying the right methodologies. People are more likely to contribute meaningful insights when they feel safe to speak openly. That’s why it’s essential to foster a relaxed, blame-free atmosphere where all participants understand that their input is valued and that there are no wrong answers. When contributors feel supported rather than scrutinized, they’re more likely to surface known issues or flag concerns that might otherwise go unspoken.

Once these discussions take place, it’s the responsibility of the security team to document the insights, validate the risks, and guide the implementation of mitigations or safety measures. By tapping into the collective knowledge of those who design, build, and maintain the system—and doing so in an inclusive and collaborative way—threat modeling becomes not only more accurate but also more impactful.

Outcome

• Theres a documented process of how to do threat modeling
• Threat models are integrated into the SDLC and done on a regular basis
• Discovered threats are reported into the vulnerability management program

Metrics

• Number of threat models done
• Percentage of projects covered with Threat Model
• Number of threats per project
• Average reported threats for projects
• Total reported threats
• Percentage of open/closed threats
• Average mean time to resolution
• Average mean time to resolution per project

Tools & Resources

• AWS Threat Composer (Free)
• ThreatDragon (Free)
• Microsoft Threat Modeling Tool (Free)
• Gram (Free)
• ThreatGPT (Free)
• Miro (Free/Paid)

Further Reading

• Threat Modeling Manifesto
• OWASP's Software Assurance Maturity Model
• Threat Modeling of Threat Modeling
• Maturing Your Threat Modeling Skills
• How to Approach Threat Modeling
• OWASP's Threat Modeling Playbook