Threat modeling is a method for identifying possible vulnerabilities in an application's architecture in advance. It involves diagramming an application, identifying security flaws, and mitigating those flaws.
After reading this article you will be able to:
Related Content
Penetration testing
What is the OWASP Top 10?
Threat hunting
Threat intelligence
Web application security?
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
Threat modeling is an exercise for finding security holes in an application and its environment. It involves creating a representation of an application with all its components, then identifying weak spots. Ideally, developers and security engineers use threat modeling throughout the software development process — before an application goes live, not just after. Threat modeling can help make an application much more secure than it would have been otherwise, but it should not be expected to make an application impregnable.
In heist movies, the lead characters often examine blueprints of the facility they plan to rob, figuring out weak points — where the building can be entered, the angles that security cameras cannot see, and so on. Similarly, threat modeling is like examining the given application's "blueprints." The difference is, threat modeling is done by persons who would like to keep the application secure, not the would-be robbers.
Threat modeling requires teams to create a complete view of the application. It then involves thinking like someone who might want to compromise the application. What would an attacker do? Would they perhaps take advantage of weak API security? Would they use a supply chain attack to infect an integrated system library? Although not all attacks can be anticipated, threat modeling helps stop some of them before they happen.
There are a lot of possible approaches to threat modeling, and no one method can be applied to every situation. But typically these four main steps are involved:
Threat modelers attempt to identify and depict:
If Terry writes a simple application that displays pictures of balloons, his diagram of the application could look as follows:
Note that this is a vastly simplified example, and a real threat modeling application diagram might be much more complex.
Seeing an application laid out in this way can make it easier to identify flaws. Terry, for instance, might notice that the communications between his database of balloon photos and his web server do not use Transport Layer Security (TLS). This means that neither server verifies the other's identity via digital signatures, making it possible for an attacker to impersonate the database server and send malicious content to the web server.
Since threat modeling takes place throughout the development process, mitigating flaws may mean either changing the plan for an application's architecture, or deploying a fix to an application build in progress.
To mitigate the threat he identified, Terry can reconfigure his database server and web server to use TLS for their connection — or better yet, to use mutual TLS (mTLS) and verify each other.
At this point, Terry might run the application in a test environment and check if 1) the servers use TLS as configured, and 2) if the web server will accept HTTP traffic from an unverified server instead of the database server. He would perform similar checks for any other mitigations he has applied.
A threat modeling methodology is an approach for identifying threats. Methodologies provide structure to the threat modeling process, which could otherwise be overwhelming in a complex system. Organizations can choose from a wide range of threat modeling methodologies, or even develop their own. A few of the most common methodologies include:
There are several other threat modeling methodologies as well. Some of them, such as "Trike" and the various hybrid methodologies, do not even have acronyms.
Threat modeling is intended to take place before and during software development, throughout an application's lifecycle. If an application is released without any threat modeling or mitigation, security flaws may be discovered by users — or attackers — before they are discovered by security teams. This can result in a data breach and introduces a greater risk of zero-day threats.
However, because threat modeling does not discover all risks within a system, developers and organizations should continue with this process even after release. In addition to threat modeling, they can do so by:
Cloudflare also offers a threat intelligence and operations service, Cloudforce One, to protect customers from the latest threats. Cloudforce One is led by a world-class threat research team that is highly experienced at disrupting global-scale attackers. Learn about Cloudforce One here.