Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.4.1. Threat Modeling Methodologies

💡 First Principle: Threat modeling structures the process of identifying what can go wrong with a system before building it — turning ad hoc vulnerability thinking into a repeatable engineering discipline. The right methodology depends on the system type, the team's expertise, and whether the primary concern is technical attacks, business process threats, or both.

STRIDE — Developed by Microsoft; most widely used for software and system threat modeling. Six threat categories form the acronym:

| STRIDE Category | What it attacks | CIA Pillar | Example |
|---|---|---|---|
| Spoofing | Authentication | Authenticity | Impersonating a legitimate user or system |
| Tampering | Integrity | Integrity | Modifying data in transit or storage |
| Repudiation | Accountability | Nonrepudiation | Denying you performed an action |
| Information Disclosure | Confidentiality | Confidentiality | Reading data you shouldn't |
| Denial of Service | Availability | Availability | Making a system unavailable |
| Elevation of Privilege | Authorization | Confidentiality/Integrity | Gaining permissions above your authorization |

PASTA (Process for Attack Simulation and Threat Analysis) — Seven-stage, risk-centric methodology that aligns technical threat analysis with business objectives. Produces a risk-based threat profile. Heavier than STRIDE but better for enterprise risk alignment.

DREAD — Qualitative rating model (Damage, Reproducibility, Exploitability, Affected users, Discoverability). Scores each threat to prioritize remediation. Deprecated by Microsoft but still referenced in training.

Attack Trees — Graphical representation of how an attacker achieves a goal (root node) through a hierarchy of sub-goals (branches). Very effective for analyzing complex multi-step attacks. Complements STRIDE (STRIDE finds threats; attack trees model how they're executed).
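Attack trees and STRIDE working together, as an added example that is not from the MindMesh page: a small Python attack-tree evaluator in which OR nodes take the attacker's cheapest branch, AND nodes require every sub-goal, and each leaf carries its STRIDE category. The tree, the goal names and the effort scores (1-10) are constructed for a hypothetical funds-transfer API; raise_effort models a mitigation so a design review can see which path becomes the cheapest next.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Node:
    goal: str
    kind: str = "LEAF"            # "LEAF", "OR" or "AND"
    stride: Optional[str] = None  # STRIDE category (leaves only)
    effort: int = 0               # constructed attacker-effort estimate, 1-10 (leaves only)
    children: List["Node"] = field(default_factory=list)

def cheapest_path(node: Node) -> Tuple[int, List[Node]]:
    """Return (total effort, leaves) of the least-effort way to reach node's goal."""
    if node.kind == "LEAF":
        return node.effort, [node]
    results = [cheapest_path(c) for c in node.children]
    if node.kind == "OR":                 # attacker needs only one branch
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":                # attacker needs every branch
        total = sum(r[0] for r in results)
        leaves = [leaf for r in results for leaf in r[1]]
        return total, leaves
    raise ValueError(f"unknown node kind {node.kind!r}")

def raise_effort(node: Node, goal: str, new_effort: int) -> None:
    """Model a mitigation: the leaf named `goal` now costs `new_effort` to achieve."""
    if node.goal == goal:
        node.effort = new_effort
    for c in node.children:
        raise_effort(c, goal, new_effort)

def prioritised_mitigation(tree: Node):
    """The root's cheapest path is what a design review should close first."""
    effort, leaves = cheapest_path(tree)
    return effort, [l.goal for l in leaves], sorted({l.stride for l in leaves})

# Constructed tree for a hypothetical funds-transfer API (values are illustrative).
TRANSFER_TREE = Node("Move funds without the account holder's authorization", "OR", children=[
    Node("Act as the legitimate user", "OR", children=[
        Node("Reuse a stolen session token", stride="Spoofing", effort=3),
        Node("Guess weak credentials", stride="Spoofing", effort=6),
    ]),
    Node("Alter a genuine transfer request", "AND", children=[
        Node("Observe API traffic on the path", stride="Information Disclosure", effort=5),
        Node("Modify the amount or payee field", stride="Tampering", effort=2),
    ]),
    Node("Invoke an admin-only transfer endpoint as a normal user", stride="Elevation of Privilege", effort=7),
])

if __name__ == "__main__":
    print(prioritised_mitigation(TRANSFER_TREE))  # (3, ['Reuse a stolen session token'], ['Spoofing'])
```

Re-running prioritised_mitigation after each raise_effort call shows the review team the next-cheapest path and the STRIDE categories it spans.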

VAST (Visual, Agile, and Simple Threat) Modeling — Designed for Agile teams at scale; integrates into CI/CD. Two types: application models for development teams, operational models for infrastructure.

Threat modeling in the SDLC: The earlier in the development lifecycle, the cheaper the fix. A design-phase threat finding costs ~$14 to fix. The same finding in production costs ~$100 or more. This is the core argument for shift-left security.

⚠️ Exam Trap: Threat modeling is not vulnerability scanning. Vulnerability scanning finds existing weaknesses in deployed systems. Threat modeling identifies potential weaknesses in designs before implementation. Both are needed; neither substitutes for the other.

Reflection Question: A development team is building a new API that handles financial transactions. They have two weeks before the design is frozen. Which threat modeling methodology would you recommend, and what specific STRIDE categories are most critical for a financial transaction API?

Written by Alvin Varughese (Founder, 15 professional certifications)