Systems Playbook

Threat Modeling

Categories
Systems
Sources
Threat Modeling (Adam Shostack)

A structured practice for finding what can go wrong with a system before an adversary does. It is organized around four questions: what are we building, what can go wrong with it, what are we going to do about it, and did we do a good job? Structured enumerations such as STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) help answer the second question systematically instead of relying on imagination alone.

Why it Matters

Security flaws are cheapest to remove at design time and most expensive once shipped, yet they stay invisible if you only reason about how the system is meant to be used. Threat modeling forces the adversarial view, turning "it works" into "here is how it could be made to fail," and makes security a deliberate design activity rather than a scramble after a breach.

Signals

  • The team can name the assets, entry points, and trust boundaries of the system.
  • Threats are enumerated systematically, not brainstormed once, and each gets a decision (mitigate, accept, transfer, eliminate).
  • The model is revisited as the design changes, rather than produced once and filed away.

Benefits

Security defects found at design time, a shared map of where the system is exposed, explicit risk decisions, and a repeatable method that does not depend on having a security expert's intuition in the room.

Risks

Modeling to exhaustion and shipping nothing; a model produced once and never updated; confusing a threat list with a risk decision; over-relying on "think like an attacker," which is unreliable without structure.

Tensions

Thoroughness competes with delivery, and you cannot mitigate every threat, so threat modeling is inseparable from prioritization: deciding which risks are worth the cost to address and which to accept. Security also trades against usability and performance.

Examples

Walking a data-flow diagram and asking, at each trust boundary, how data crossing it could be spoofed or tampered with; deciding to mitigate elevation-of-privilege threats now and to formally accept a low-risk denial-of-service threat.