Final Documentation
The very act of producing threat trees will result in either graphical or textural documentation of that process. The documentation of the STRIDE and DREAD analysis is equally important in communicating the threat model of the system in question. A recommended approach for documenting the STRIDE and DREAD analysis would be to pull the root threats from the threat tree and place them on a spreadsheet with columns for each element of STRIDE and DREAD—much like Table 5 and Table 6—identifying each element as it applies to the root threat.
A summary document (see Table 7) is also recommended to encompass all the threat analysis results. Elements captured in this summary document should include:
- ID: This should be a unique identifier which can be referenced in other textural and graphical documentation.
- Name: This is the root threat from the threat tree that describes the item being evaluated.
- STRIDE Elements: This lists the full description of the STRIDE elements that apply to the item being evaluated.
- DREAD Rating: This lists the DREAD ratings for the item being evaluated.
- Threat Tree: This provides either the graphical or textural representation of the item being evaluated. The documentation often begins at the sub-threat level since the item being evaluated is the root threat.
- Mitigation: This provides either the action(s) taken or the recommended action(s) to be taken to eliminate the threat.
- Risk Appetite: If the threat is to be left unmitigated, documenting the risk appetite evaluation is valuable.
Table 7. Summary Document: For the sample music CD library system, here's one possible summary document format:
ID |
1.0 |
Name |
View Confidential Member Data |
STRIDE |
Denial of Service |
DREAD Rating |
Damage Potential: 1 of 3 |
Reproducibility: 1 of 3 |
Exploitability: 1 of 3 |
Affected Users: 1 of 3 |
Discoverability: 1 of 3 |
Threat Tree |
Insert threat tree here, or make document reference. |
Mitigation |
Insert mitigation details, or make document reference. |
Risk Appetite |
Insert risk appetite details, or make document reference. |
After following the threat modeling process described in this article, you'll have completed a formal review process that identifies and evaluates system vulnerabilities. Knowing
how an adversary might attempt to attack a system is critical to building a strong defense. Identifying vulnerabilities during the development stage of the system is always the most opportune; but you can perform the threat modeling process any time during the system's lifecycle.