The Art of Threat Modeling

18 September 2014

Currently I am very busy with hardening of complex applications. As a starting point I develop a threat model of the application system.

Threat models are powerful tools in the design phase of the software development process. They are the basis for the security design of systems and applications. From the threat model vulnerabilities could be identified and mitigation measures could be designed.

If the threat model is refined in the further development process it could be used for verification, validation and test case creation.

To develop a threat model for an existing application system is a complex communication task. In most cases people of different organizations within a company, e.g. IT operations or application development, must be involved.

However, the main challenge is to develop a complete model to find all potential vulnerabilities and risks. Let me clarify this by the means of a simplified model of the web application.

A simplified web application is built of an application service and some data stores. The user communicates through an internet browser with the application service. The application service stores data in a database and on a file share. Thus the building blocks are two data stores, an application process and the browser process on the client computer. In addition we have one data flow from the users browser to the application service and two data flows from the application service to the data stores.

Threat Model Simplified 3 Tier Application System

Threat Model Simplified Three Tier Application System

The picture above shows this simplified threat model created with Microsoft Threat Modeling Tool 2014 (TMT). TMT uses the STRIDE threat model as a basis for threat identification. STRIDE is an acronym for

Spoofing identity,
Tampering with data,
Information disclosure,
Denial of Service and
Elevation of privilege.

This are commonly used threat categories.

Unfortunately our model is not complete. An attacker would try to bypass the application to get direct access to the data stored in the database and the file share. Thus we have to add two applications and two data flows to our simplified model:

Threat Model Simplified 3 Tier Application System Ext.

Threat Model Simplified Three Tier Application System Extended

TMT generates for each object depending on the object type, e.g. database, application or data flow, threats from the STRIDE categories. This is the main advantage of TMT over manual threat creation because you can focus on the design of mitigation measures.

Threat Model Three Tier System Mitigation

Threat Model Three Tier System Mitigation

You can download TMT from Microsoft download center.