What is threat modeling ❓ Definition, Methods, Example

Ivan Novikov
12 min readFeb 2, 2022

Threat modeling is a method for upgrading the security of an application, system, or business process by distinguishing objections and weaknesses, just as carrying out countermeasures to stay away from or alleviate the impacts of structure dangers.

Threat modeling supports recognizing the security prerequisites of a system or association — whatever is basic, touchy, or contains significant information. It’s a nitty-gritty and efficient strategy for recognizing possible dangers and shortcomings with the goal that the danger to IT assets is kept up with to a base. It likewise helps IT chiefs in grasping the effect of dangers, surveying their importance, and executing shields.

Threat modeling process

Danger displaying’s comprehensive person comes from the way that it includes more than essentially software engineers. You’ll require input from the accompanying partners to make a successful danger model.

  • Define safety requirements

You should initially conclude what you need to accomplish with this movement prior to utilizing danger displaying devices and systems. Objectives are generally made in view of the accompanying measures:

Privacy is important to shield information from unapproved revelation.

The ability to keep away from unapproved information changes is known as respectability.

Regardless of whether the framework is under attack, the ability to offer basic administrations isn’t imperiled.

Make a rundown of your accessibility and execution administration level arrangements (SLAs). How proprietary advantages and licensed innovation treat need to ensure? The main inquiry now is how long and cash you need to contribute to danger demonstrating.

  • Identify the likely threats

This stage involves ordering a rundown of the multitude of parts that make up your framework. An all around reported framework of your whole application can help with the accelerating of the system. This should be visible being used cases, information streams, information blueprints, and sending charts. There are two sorts of representations you can make.

Information stream graph: It portrays how your information ought to go through your framework. At the functional level, it shows where information enters and leaves every part, just as information stores, cycles, connections, and trust limits.

Stream diagram of the cycle: It shows how clients collaborate with each other and progress through different use cases. It’s at the level of the application. PFDs center around client and outsider collaborations with your framework, though DFDs center around the way that your framework works inside. You can use it is possible that one or both simultaneously.

It’s an ideal opportunity to continue on to danger evaluation since you’ve distinguished the main players and resources in your application.

  • Threat Assessment

You made the charts to fathom your framework in the past stage. To get a handle on the genuine perils, you’ll have to concentrate on these designs in this stage. Now, you should decide the various techniques where your resources can be compromised, just as the personality of any expected assailants. This can be cultivated in an assortment of ways. In the accompanying part, we’ll go through the six most normal danger evaluation demonstrating procedures.

  • Mitigating Threats

You’ll wind up with an expert rundown or library of dangers connected with every resource and its activities, just as a rundown of imminent aggressor profiles, whenever you’ve completed the process of recognizing dangers. You should now figure out which of these perils your application is presented to. Consider the model introduced in the principal part of this article. You’ll see that the danger was ‘beast power secret word hacking,’ while the framework weakness was ‘utilizing MD5 techniques to store passwords.’ After you’ve recognized your weaknesses, you’ll have to evaluate the dangers associated with every one. You can address the weaknesses in the accompanying ways in view of the danger examination:

  1. Nothing ought to be done (too generally safe or too hard to even consider conveying the related intimidation)
  2. Eliminate the usefulness that is connected to it.
  3. Diminish the convenience of the component or turn it off.
  4. Acquire new code, foundation, or plan upgrades.
  5. You’ll likewise monitor weaknesses that will be settled in ongoing releases
  • Confirmation of threat mitigation

You check assuming that all weaknesses have been settled during approval. Have each of the risks been killed? Is it conceivable to have a rundown of the leftover dangers? From that point onward, you should settle on the following measures to deal with the dangers that have been distinguished, just as the date for the following danger displaying cycle. Remember that danger displaying is a ceaseless cycle. It should be done at customary stretches or at specific stages during the improvement of the application.

Why is it important to do this?

Any program or framework should be worked to be impervious to assaults. Notwithstanding, deciding the security norms needed to achieve this may be troublesome. Engineers and clients think and act uniquely in contrast to assailants.

Danger displaying is an essential way to deal with distinguishing dangers that aren’t typically assessed or found through code surveys or different kinds of reviews. It empowers a task group to conclude the security controls an application need, just as how to execute viable countermeasures against possible dangers and handle issues rapidly. This system brings about extensively safer applications, and assets are appropriately used by focusing on anticipated dangers.

Danger models are a significant perspective in the production of a viable security framework. Engineers can install security into an undertaking during the turn of events and upkeep stages when danger demonstrating is essential for the DevOps cycle. This takes out continuous oversights including neglecting to really take a look at input, having helpless validation, not taking care of mistakes appropriately, and not encoding information.

What are the popular threat modeling techniques?

  • Stride threat model

STRIDE has been applied to both digital just and digital actual frameworks with incredible achievement. STRIDE is not generally kept up with by Microsoft, despite the fact that it is as yet utilized as a feature of the Microsoft Security Development Lifecycle (SDL) with the Threat Modeling Tool. Microsoft fostered a comparable system called DREAD (harm potential, reproducibility, exploitability, impacted clients, discoverability), which is likewise a memory aide (harm potential, reproducibility, exploitability, impacted clients, discoverability) however adopts an alternate strategy to assess dangers.


  • PASTA threat modeling

In 2012, the Process for Attack Simulation and Threat Analysis (PASTA) was set up as a danger driven danger demonstrating worldview. It is a seven-venture, assault driven technique that considers business sway examination and consistence prerequisites while connecting specialized necessities with business targets.


The LINDDUN structure (linkability, recognizability, nonrepudiation, perceptibility, exposure of data, ignorance, rebelliousness) is an information security system. LINDDUN is a six-venture framework for assessing protection that follows an orderly methodology.

The framework DFD, which depicts the information streams, information stores, cycles, and outer elements of the framework, is the initial phase in LINDDUN. Clients of LINDDUN recognize the pertinence of a danger to the framework and produce danger trees by emphasizing over every single model component and breaking down them from the danger classifications’ point of view.

  • Attack Trees

On digital-only frameworks, digital actual frameworks, and simply actual frameworks, utilizing assault trees to reproduce dangers is one of the most seasoned and most widely utilized systems. At first utilized as an independent technique, assault trees have now been combined with different strategies and systems.

Assault trees are tree-like representations that depict assaults on a framework. The assault’s motivation is to go to the tree root, and the leaves are courses to arrive. Every objective is portrayed just like own tree. Because of the framework danger investigation, a bunch of assault trees is created.

  • TRIKE threat model

Trike is a security reviewing framework that utilizes danger displaying as a strategy. It looks at danger displaying from both a danger the executives and a cautious point of view.

Trike, in the same way as other different methodologies, starts by characterizing a framework. By listing and appreciating the framework’s entertainers, resources, anticipated activities, and rules, the investigator makes a prerequisite model. This stage assembles an entertainer resource activity framework, with resources in the sections and entertainers in the lines.

Every grid cell is isolated into four pieces, one for every CRUD activity (making, perusing, refreshing, and erasing).


The OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) procedure is a danger based system for assessing and planning network safety techniques. The SEI’s CERT Division made it in 2003, and it was refreshed in 2005. OCTAVE is a danger evaluation strategy that spotlights on hierarchical rather than mechanical dangers. The three principle parts are functional danger, security rules, and innovation.

  1. Make resource based danger profiles. (This is an assessment of the organization.)
  2. Decide the foundation’s weakness. (This is a glance at the information framework.)
  3. Set up a security methodology and plan. (Dangers to the association’s vital resources and direction are perceived.)
  • VAST

ThreatModeler, a mechanized danger displaying stage, is the establishment for the Visual, Agile, and Simple Threat (VAST) Modeling procedure. Its adaptability and convenience empower it to be executed across the full foundation of enormous organizations to produce noteworthy and reliable outcomes for some partners.

Huge requires the formation of two kinds of models: application danger models and functional danger models, to represent contrasts in tasks and worries among improvement and foundation groups. Process-stream charts are utilized in application danger models to portray the engineering perspective. DFDs are utilized to foster functional danger models according to the assailant’s point of view. This approach permits VAST to be incorporated into the turn of events and DevOps lifecycles of the association.

  • Persona non Grata

Persona non Grata (PnG) is a game with regards to human aggressors’ inspirations and capacities. It marks clients as models who could manhandle the framework, constraining investigators to think about the framework from an accidental utilize point of view. Figure 5 shows a few models.

PnG can support the perception of dangers according to the foe’s viewpoint, which is valuable in the beginning stages of danger displaying. The intention is to acquaint a specialized master with a potential framework assailant so the aggressor’s capacities, inspirations, and objectives might be analyzed. This study helps the master in understanding the framework’s shortcomings according to the assailant’s point of view. PnG is appropriate to the Agile procedure, which utilizes personas.

  • hTMM

In 2018, the SEI established the Hybrid Threat Modeling Method (hTMM). SQUARE, Security Cards, and PnG exercises are all important for it. No bogus up-sides, no ignored dangers, a predictable result paying little heed to who is doing the danger modelling, and expense adequacy are among the technique’s expected traits.

The strategy’s principle steps are as per the following:

  1. Figure out which framework will be danger demonstrated.
  2. Apply Safety Cards as per engineer advice.
  3. PnGs that are probably not going to happen ought to be taken out (i.e., there are no sensible assault vectors).
  4. Make a synopsis of the discoveries with the assistance of the device.
  5. Keep on utilizing a conventional course of hazard evaluation.
  • qTMM

This crossbreed approach agreeably incorporates assault trees, STRIDE, and CVSS. It endeavors to address a couple of key dangers displaying hardships for digital actual frameworks with complex interdependencies between their constituents.

For every one of STRIDE’s five danger classes, the Quantitative Threat Modeling Method (Quantitative TMM) begins by creating part assault trees. This movement exhibits the connections between assault sorts and low-level part credits. The CVSS strategy is then used to compute scores for the tree’s parts.‍

Benefits of Threat Modeling

Danger displaying can assist with legitimizing security endeavors by offering a reasonable view all through a product project when done viably. An organization can utilize the danger demonstrating strategy to record known application security concerns and settle on informed choices regarding how to deal with them. Leaders may somehow or another make rushed ends in light of next to zero proof.

Overall, a very much recorded danger model gives affirmations that are valuable in clarifying and guarding the security stance of an application or PC framework. Danger demonstrating is the best procedure to do the accompanying when the advancement organization is worried about security:

  • Find issues from the get-go in the product advancement life cycle (SDLC)- even before any coding happens.
  • Distinguish configuration gives that standard testing and code audits could miss.
  • Analyze new sorts of assault that you probably won’t have considered previously.
  • Assisting with focusing on testing and code audit can assist you with taking advantage of your testing financial plan.
  • Decide the security necessities.
  • Forestall exorbitant post-arrangement recoding by settling issues before programming is delivered.
  • Think about risks other than ordinary attacks, like security weaknesses explicit to your application.
  • Keep systems in front of the inner and outside aggressors who might be a danger to your applications.
  • To sort out what parts aggressors will target, feature resources, danger specialists, and controls.
  • To find potential assailants in association with the framework engineering, model the situation of danger specialists, intentions, abilities, and capacities.

Threat modeling tools

Danger demonstrating is a troublesome undertaking. There are a limitless number of expected dangers. Regardless of whether the task is little, it’s a good idea to utilize a danger displaying apparatus to set aside time and cash.

Danger demonstrating devices make the cycle more organized and reproducible by diminishing its intricacy. This eliminates the assets needed to assemble a danger model starting from the earliest stage and keep up with it over the long haul. A decent danger displaying apparatus permits clients to see, plan, plan for, and anticipate different dangers. Coming up next are probably the main characteristics to search for in an apparatus: danger insight stream to guarantee the most up to date distinguished dangers are assessed; danger dashboard with proposed relief arrangements; alleviation dashboard that interfaces with an issue tracker like Jira; and reports for consistence and partners.

Coming up next are the absolute most frequently utilized danger demonstrating instruments:


A free programming stage that actions the assault surface and approves plans for realized security defects and potential GDPR consistence issues utilizing insight about expected assaults.


A theoretical model danger demonstrating apparatus with versatile inquiries that lead the client through the application’s specialized plan, arranged elements, and security setting.

Microsoft Threat Modeling Tool.

The Microsoft Threat Modeling Tool is a program that assists you with demonstrating dangers. This free apparatus is planned for the individuals who aren’t security trained professionals. As a feature of Microsoft’s Security Development Lifecycle, it gives assistance on creating and breaking down danger models. It utilizes standard documentation to portray framework parts, information streams, and security zones, conveying it easy to distinguish intimidation types in view of the product’s construction.

Danger Dragon by OWASP.

This open source application is accessible as an on the web or work area application. It monitors possible dangers, decides moderation methodologies, and showcases danger model parts and danger surfaces to clients.

SD Elements.

This Security Compass apparatus accumulates and arranges framework information relying upon weaknesses, bringing about review prepared reports.


This is a free and open source coordinated advancement climate that incorporates danger demonstrating in the application codebase. It very well may be utilized as an order line application, a Docker holder, or a REST server.


Danger demonstrating is robotized locally, cloud security, and application security versions. Dangers are recognized, anticipated, and characterized, utilizing prebuilt engineering layouts to assist with coordination.


The danger demonstrating interaction should be revamped at whatever point the application, IT framework, or danger climate changes, no matter what whatever instrument is used. As new dangers arise, this keeps up with the danger model current.

Danger investigation takes time and exertion. It’s anything but an agenda work out, however it’s smarter to reveal and fix a weakness before programmers do, and danger demonstrating procedure is the best way to deal with make it happen.

Originally published at https://www.wallarm.com.



Ivan Novikov

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in a real-time.