Threat modelling as design

A threat model is a structured representation of all information that affects the security of an application. It captures what an attacker might do, why they might do it, and which controls reduce the risk. It is a living document, not a one-time deliverable.

The OWASP Threat Modeling Cheat Sheet (2023 update) articulates four questions that every threat model must answer:

1. What are we building?
2. What can go wrong?
3. What are we going to do about it?
4. Did we do a good enough job?

The sequence matters. Teams that skip question one jump straight to threat lists without understanding their own system. Teams that skip question three produce impressive threat inventories that no one acts on. Threat modelling is most valuable at design time but remains useful after deployment: a post-deployment model helps teams triage incoming vulnerability reports and assess the blast radius of a newly discovered CVE entry.

Microsoft developed STRIDE in the late 1990s as part of the Security Development Lifecycle (SDL). Each letter names a threat category mapped to a violated security property:

• S: Spoofing violates authentication
• T: Tampering violates integrity
• R: Repudiation violates non-repudiation
• I: Information Disclosure violates confidentiality
• D: Denial of Service violates availability
• E: Elevation of Privilege violates authorisation

STRIDE is applied per element in a Data Flow Diagram (DFD). Each process, data store, data flow, and external entity is examined against all six categories. Consider a web login endpoint that issues a JWT and stores session state server-side. Spoofing: credential stuffing or phishing; mitigate with MFA and account lockout. Tampering: modifying the JWT payload to change user role; mitigate with RS256-signed tokens and server-side signature verification. Information Disclosure: error messages revealing whether a username exists; mitigate with generic error messages. Elevation of Privilege: manipulating the session to gain admin access; mitigate with server-side authorisation checks on every request.

An attack tree is a hierarchical diagram where the root node represents the attacker's goal and child nodes represent means of achieving it. AND nodes require all children to succeed; OR nodes require only one. Attack trees were formalised by Bruce Schneier in a 1999 article in Dr. Dobb's Journal.

They complement STRIDE by showing how threats combine into attack paths rather than treating each threat in isolation. For a web login form, the attacker's goal of "authenticate as a victim user" branches into three independent paths: steal credentials (via phishing, credential stuffing, or keylogger), bypass authentication (exploit an auth logic flaw), or hijack an active session (via XSS token theft, network interception, or session fixation). Defence-in-depth means eliminating or raising the cost of every branch, not just the most obvious one.

STRIDE is security-focused. LINDDUN, developed by researchers at KU Leuven and first published in 2014, applies the same element-by-element analysis to privacy threats. The seven categories are: Linkability (connecting data points to infer identity), Identifiability (determining who a record belongs to), Non-repudiation in the privacy context (inability to deny data was shared), Detectability (inferring that a data subject is in a dataset), Disclosure of information, Unawareness (users not knowing how their data is used), and Non-compliance (processing that violates applicable law).

In 2018, researchers demonstrated that anonymised transaction datasets from a major European bank could be re-identified with 90% accuracy using just four background facts. A LINDDUN analysis of the analytics pipeline would have flagged Linkability at the data export stage and prompted k-anonymity or differential privacy before releasing datasets. LINDDUN is especially relevant for teams working under UK GDPR Article 25 (Privacy by Design and Default).

The OWASP Threat Modeling Cheat Sheet (2023 update) and NIST SP 800-154 both endorse a four-step iterative process.

Step 1: Decompose the application. Produce a Data Flow Diagram showing all processes, data stores, external entities, and the data flows connecting them. Mark trust boundaries: the lines where data crosses privilege or network zones. Microsoft's Threat Modeling Tool automates DFD creation and suggests threats per element type.

Step 2: Identify threats. Apply STRIDE to each DFD element. For privacy-sensitive systems, run LINDDUN in parallel. Record every threat in a structured register with: threat ID, category, affected element, description, and current mitigations.

Step 3: Rank threats. Use a scoring method such as DREAD or CVSS Base Score to assign numeric severity. Prioritise by risk equals likelihood times impact. High-severity unmitigated threats become immediate backlog items. Avoid ranking threats by gut feel: two engineers examining the same threat list routinely reach different priority orderings without a scoring method.

Step 4: Mitigate and validate. For each ranked threat, select one response: eliminate the feature, mitigate with a control, transfer via contract or insurance, or accept and document. After implementing mitigations, re-run the model to confirm severity has reduced.