Management, compliance & auditing

Understanding the Role of Threat Modeling in Risk Management

Yassine Aboukir
February 28, 2018 by
Yassine Aboukir

The increasing number of new security threats, breaches and regulations that have taken place in the past years has moved the process of threat modeling from an interesting theoretical concept into a necessary measure that should be incorporated in the software development life cycle (SDLC). Our challenge is to establish a strategy to identify and prioritize new threats before malicious entities use them to their advantage.

What Is Threat Modeling?

Threat modeling is something that people incorporate in their daily life without even realizing it. For example, a child determining the best road to reach their destination without being bullied along the way is threat modeling.

Within information security, threat modeling is a structured approach and process aiming to analyze the security of an application. The process starts with the identification of all entry points, and follows with enumeration and prioritization all the potential threats associated with each asset or entry point. The ultimate goal is to mitigate all these threats and prevent any future attacks.

Organizations have also started incorporating threat modeling in their own SDLC to ensure their applications are developed with built-in security measures. Microsoft has adopted this approach, which is the reason we have witnessed an increase in the security of their products.

What Is the Role of Threat Modeling in Risk Management?

Risk management is a central concern for every organization and one which executives take seriously. Risk can take different forms and originate from either inside or outside the organization. IT security is amongst one of the concerns that drive strategy at large corporations, including the risk of non-compliance, data breaches, infrastructure outages, legal penalties and more.

Information security regulations are now more strict than ever. They are heavily focused on risk management and putting controls in place to prevent potential threats. The General Data Protection Regulation (GDPR), for example, was approved by the EU parliament to strengthen data protection regulations. Noncompliant organizations can face massive fines. This is where threat modeling comes into play to address all the underlying sub-threats and root causes of higher-level threats.

Threat modeling, combined with risk management, should give answers to the question of who will attack your own systems, and how or where the attack will originate from. Threat modeling will provide valuable insights on IT risks facing organizations, and then outline necessary measures and sufficient controls to stop the threat before it becomes effective.

What Are the Types Threat Modeling Methodologies?

Threat modeling is a structured process, so it follows a certain set of rules, or what we would call a methodology. There is a number of methodologies available for implementation but the popular ones you should know include:

1. STRIDE

STRIDE is a threat model initially developed by Microsoft in 1999. The classification focuses more on the attacker's goals, including:

  • Spoofing of user identity
  • Tampering
  • Repudiation
  • Information disclosure.
  • Denial of service (D.o.S)
  • Elevation of privilege

Below is a table with a list of generic threats and the related security controls.

(Source: OWASP)

2. The Process for Attack Simulation & Threat Analysis (PASTA)

PASTA is a risk-oriented methodology that attempts to connect business objectives and technical requirements. PASTA methodology is a process which consists of seven stages aiming to provide a dynamic process ranging from identification, enumeration to scoring.

3. Trike

This methodology is frequently used as a risk management tool during security audits. Trike framework relies on the requirements model which defines the acceptable level of risk with respect to stakeholders input. The resulting threat model generally contains all the enumerated threats, along with risk scores. Trike is also used to describe the security characteristics of a given system from its high-level to low-level architecture.

4. Visual, Agile & Simple Threat Modeling (VAST)

The present VAST methodology came into light mainly to address the limitations and shortcomings of other threat methodologies. The principle of VAST methodology is the importance of scaling the threat modeling process across infrastructure and the SDLC, and also achieving a seamless integration into an agile software development methodology. VAST aims to provide valuable and actionable insights to various involved parties including senior executives, developers and security professionals.

What Are Data Flow Diagrams?

Information gathered during the process will be modeled by the use of data flow diagrams (DFD). These should provide a better overview, or visual presentation, of the application in scope as a whole, as well as to how data is processed and moved. These diagrams are structured in a hierarchical way to decompose the application into subsystems. DFDs use a number of conventional representations and symbols in threat modeling. These are explained below (Source: OWASP).

External Entity: Used to represent external entities that interact with the application via an entry point.


Process: Refer to a task that handles data within the application. The task may process the data or perform an action based on the data.

Multiple Process: Used to present a collection of subprocesses.

Data Store: Used to represent locations where data is stored.

Data Flow: Represents data movement whose direction is represented by the arrow.

Privilege Boundary: Used to represent the change of privilege levels as the data flows through the application.



Example of data flow diagram for the College Library Website (Source: OWASP)

What are Process Flow Diagrams?

Process flow diagrams (PFD) provide a visualization which is more focused on how a user flows through different features of the application rather than how the data flow. Process flow diagrams involve decomposing the application into various features or use cases (e.g., sign-in, sign-up, article publishing, comment posting, etc.) as well as defining all communication protocols (HTTP, HTTPS, etc.) that allow users to browse through features. As a result, the identification of potential threats and the appropriate security controls needed to correct them should be an easy process since the model was constructed from the perspective of user interaction.

Example of process flow diagram of a shopping website (Source: ThreatModeler)

What Are Some Popular Threat Modeling Tools?

There are a number of tools you can use during a threat modeling assignment:

  • Microsoft Threat Modeling: This tool is widely used in threat modeling. Its interface should allow non-security experts to still construct models. The tool provides guidance while drawing models, and supports integration of Stride methodology, reporting, etc. The tool is more focused on software and design analysis instead of focusing on asset.
  • ThreatModeler: This is an enterprise threat modeling software that is based on the Visual, Agile, Simple, Threat (VAST) modeling methodology. It provides collaborative modeling functionality involving all stakeholders, as well as an intuitive, easy-to-use interface which allows security and non-security experts to construct threat models.
  • Irius Risk: This is another tool with an integrated console to manage application security threats throughout the SDLC.
  • SD Elements: SD Elements is a software security requirements management platform that exclusively provides automated threat modeling capabilities.

In the end, it is important to erase the common misconception that information security is mainly a network problem. The fact is, over 70% of the security vulnerabilities exist at the application layer, hence the importance of threat modeling and regular application security testing.

Yassine Aboukir
Yassine Aboukir

Yassine ABOUKIR (@yassineaboukir) is a security analyst at HackerOne by day, ethical hacker by night, actively participating in bug bounty programs. Acknowledged and rewarded by numerous companies including but not limited to Google, Facebook, Microsoft and Twitter etc. for his various responsible security disclosures. He is reachable at: hello@yassineaboukir.com & https://yassineaboukir.com/