In this blog post, I will share the findings of my research in the field of threat modeling.

What Is Threat Modeling

Threat modeling is a process used to identify, assess, and address potential security threats and vulnerabilities in a system.

The STRIDE Model

There are numerous threat modeling methodologies, and the one I am interested in is the STRIDE model:

Category | Description
Spoofing | Impersonating another user or device. For example, IP spoofing: altering the source IP address in a packet header to make it appear as though the packet is coming from a trusted source.
Tampering | Malicious modification of data. For example, altering the data as it flows between two computers over the internet.
Repudiation | A user denies having performed an action. For example, a user denies making a billion-dollar transaction, and the system lacks the evidence to prove the transaction was indeed made by the user.
Information Disclosure | Exposure of information to individuals who are not supposed to have access to it. For example, users read a file that they were not granted access to.
Denial of Service | A denial-of-service (DoS) attack.
Elevation of Privilege | An unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.

Tooling

There are many tools for threat modeling; here are some of them:

Microsoft Threat Modeling Tool

The Microsoft Threat Modeling Tool is a free tool built by Microsoft. It is based on data flow diagrams.

This is the start page:

[Image: tm start]

This is a basic example of a threat model:

[Image: tm basic]

This is a basic report of threats:

[Image: tm threats]
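To make the idea of deriving threats from a data flow diagram concrete, here is an added example (not code from the Microsoft tool or from this post's author) that walks a small constructed diagram and lists candidate STRIDE threats per element, using the commonly published STRIDE-per-element chart. The element names, trust zones and the "crosses-boundary" label are assumptions made for the illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element chart: which categories apply to each DFD element type.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",   # plus R when the store holds logs (see below)
    "data_flow": "TID",
}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information Disclosure", "D": "Denial of Service",
         "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                 # a key of APPLICABLE
    zone: str = ""            # trust zone (nodes only)
    src: str = ""             # source node name (data flows only)
    dst: str = ""             # destination node name (data flows only)
    holds_logs: bool = False  # data stores only

def enumerate_threats(elements):
    """Return (label, element name, STRIDE category) for every candidate threat."""
    zones = {e.name: e.zone for e in elements if e.kind != "data_flow"}
    findings = []
    for e in elements:
        cats = APPLICABLE[e.kind]
        if e.kind == "data_store" and e.holds_logs:
            cats += "R"  # tampering with logs enables repudiation
        # Assumed heuristic: a flow whose endpoints sit in different trust
        # zones crosses a trust boundary and should be reviewed first.
        crosses = e.kind == "data_flow" and zones[e.src] != zones[e.dst]
        label = "crosses-boundary" if crosses else "review"
        findings.extend((label, e.name, NAMES[c]) for c in cats)
    return findings

# Constructed sample model: a browser calling an API that writes an audit log.
MODEL = [
    Element("Browser", "external_entity", zone="internet"),
    Element("Web API", "process", zone="backend"),
    Element("Audit DB", "data_store", zone="backend", holds_logs=True),
    Element("HTTPS request", "data_flow", src="Browser", dst="Web API"),
    Element("SQL write", "data_flow", src="Web API", dst="Audit DB"),
]

if __name__ == "__main__":
    for label, name, category in enumerate_threats(MODEL):
        print(f"{label:17} {name:14} {category}")
```

Each output line is a candidate to accept, mitigate or dismiss, which is the same triage step the tool's threat report asks for.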

Threat Dragon

Threat Dragon is a modeling tool built by OWASP - a non-profit foundation that works to improve the security of software.

This is the start page:

[Image: tg start]

This is a demo example:

[Image: tg basic]

This is an example of the threats. Notice that you can select components and the tool will show you the potential threats:

[Image: tg threats]

IriusRisk

IriusRisk provides both a community and a commercial version of threat modeling tools.

They have a rich set of solutions:

[Image: iriusrisk start]

They have great integrations:

[Image: iriusrisk integration]

And they have an AI assistant!

After reading their stories, I realized that the company was established in 2015!

Conclusion

Microsoft announced the Secure Future Initiative (SFI) in November 2023, and since then the engineering team has put security above all else.

Since our engineers now need to deal with SFI a lot, it is important to improve the tooling experience for security-related tasks.