RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


A Practical Approach to Threat Modeling : Page 5

Protecting your systems requires more than just a firewall and a password; you need a documented process.

Final Documentation
The very act of producing threat trees will result in either graphical or textural documentation of that process. The documentation of the STRIDE and DREAD analysis is equally important in communicating the threat model of the system in question. A recommended approach for documenting the STRIDE and DREAD analysis would be to pull the root threats from the threat tree and place them on a spreadsheet with columns for each element of STRIDE and DREAD—much like Table 5 and Table 6—identifying each element as it applies to the root threat.

A summary document (see Table 7) is also recommended to encompass all the threat analysis results. Elements captured in this summary document should include:

  • ID: This should be a unique identifier which can be referenced in other textural and graphical documentation.
  • Name: This is the root threat from the threat tree that describes the item being evaluated.
  • STRIDE Elements: This lists the full description of the STRIDE elements that apply to the item being evaluated.
  • DREAD Rating: This lists the DREAD ratings for the item being evaluated.
  • Threat Tree: This provides either the graphical or textural representation of the item being evaluated. The documentation often begins at the sub-threat level since the item being evaluated is the root threat.
  • Mitigation: This provides either the action(s) taken or the recommended action(s) to be taken to eliminate the threat.
  • Risk Appetite: If the threat is to be left unmitigated, documenting the risk appetite evaluation is valuable.
Table 7. Summary Document: For the sample music CD library system, here's one possible summary document format:
ID 1.0
Name View Confidential Member Data
STRIDE Denial of Service
DREAD Rating Damage Potential: 1 of 3
Reproducibility: 1 of 3
Exploitability: 1 of 3
Affected Users: 1 of 3
Discoverability: 1 of 3
Threat Tree Insert threat tree here, or make document reference.
Mitigation Insert mitigation details, or make document reference.
Risk Appetite Insert risk appetite details, or make document reference.

After following the threat modeling process described in this article, you'll have completed a formal review process that identifies and evaluates system vulnerabilities. Knowing how an adversary might attempt to attack a system is critical to building a strong defense. Identifying vulnerabilities during the development stage of the system is always the most opportune; but you can perform the threat modeling process any time during the system's lifecycle.

John Magnabosco is a solution architect and co-owner of SolutionAvenue and is the current president of the Indianapolis Professional Association for SQL Server. John is also the co-founder of IndyTechFest, an annual technical conference held in Indianapolis. You can contact John through his web site.
Email AuthorEmail Author
Close Icon
Thanks for your registration, follow us on our social networks to keep up-to-date