Skip to content
SP StackPractices
ES
intermediate By StackPractices

Threat Modeling — A Practical Guide for Development Teams

A step-by-step guide to threat modeling: STRIDE, attack trees, data flow diagrams, and integrating security design review into your development process.

threat-modeling stride attack-trees data-flow-diagrams security-design risk-assessment guide
Topics: security architecture design

Note: This guide follows English-language naming conventions and terminology standards common in international development teams. Examples use English identifiers and comments to maximize compatibility across codebases and tooling.

Overview

Threat modeling is the process of identifying, communicating, and managing security threats in a system before a single line of code is written. By analyzing the architecture and data flows, teams can anticipate attacks and build mitigations into the design. It is one of the most cost-effective security activities because fixing vulnerabilities in design is orders of magnitude cheaper than fixing them in production.

When to Use

  • You are designing a new system or major feature
  • You are reviewing an existing architecture for security gaps
  • You need to communicate security risks to non-technical stakeholders
  • You are preparing for a security audit or compliance review

The Threat Modeling Process

Step 1: Decompose the Application

Create a Data Flow Diagram (DFD) showing how data moves through the system.

┌─────────┐      ┌─────────┐      ┌─────────┐      ┌─────────┐
│  User   │─────▶│   WAF   │─────▶│   API   │─────▶│   DB    │
│ Browser │      │ / CDN   │      │ Gateway │      │         │
└─────────┘      └─────────┘      └─────────┘      └─────────┘
      │                │                │                │
      │                │                │                │
   External        External         Internal        Internal
   Entity          Process          Process        Data Store
      │                │                │                │
      ▼                ▼                ▼                ▼
   Trust:            Trust:           Trust:          Trust:
   None              Low              High            High

Elements to identify:

  • External entities: Users, third-party systems, browsers
  • Processes: Applications, services, functions
  • Data stores: Databases, caches, file systems
  • Data flows: HTTP, gRPC, message queues, internal API calls
  • Trust boundaries: Where trust levels change (e.g., public internet to VPC)

Step 2: Identify Threats with STRIDE

ThreatDescriptionExample
SpoofingPretending to be someone elseStolen credentials, forged JWT
TamperingModifying data or codeMitM attack, supply chain poison
RepudiationDenying an actionNo audit logs for deletions
Information DisclosureExposing data to unauthorized partiesVerbose error messages, S3 bucket leaks
Denial of ServiceMaking the system unavailableDDoS, resource exhaustion
Elevation of PrivilegeGaining unauthorized accessExploiting a bug to become admin

For each element in the DFD, ask: how could STRIDE apply here?

Step 3: Determine Mitigations

ThreatMitigation
SpoofingMFA, certificate pinning, strong auth
TamperingTLS, code signing, input validation
RepudiationImmutable audit logs, digital signatures
Information DisclosureEncryption, least privilege, error sanitization
Denial of ServiceRate limiting, CDN, auto-scaling
Elevation of PrivilegeRBAC, sandboxing, principle of least privilege

Step 4: Validate and Iterate

  • Review the model with the full team (security, developers, operations)
  • Revisit the model when the architecture changes
  • Track mitigations as engineering tasks in your backlog

Attack Trees

Attack trees decompose a high-level attack goal into sub-goals, helping identify the path of least resistance for attackers.

Goal: Steal customer data

├── Compromise application server
│   ├── Exploit known vulnerability (CVE)
│   │   └── Mitigation: Patch within 24h
│   ├── SQL injection
│   │   └── Mitigation: Parameterized queries
│   └── Weak admin password
│       └── Mitigation: Enforce MFA

├── Access database directly
│   ├── Exposed database port
│   │   └── Mitigation: Security groups, no public access
│   └── Stolen credentials
│       └── Mitigation: Vault, short-lived credentials

└── Insider threat
    └── Mitigation: Audit logging, principle of least privilege

Tools and Templates

ToolPurpose
Microsoft Threat Modeling ToolCreate DFDs and apply STRIDE automatically
OWASP Threat DragonOpen-source threat modeling with team collaboration
PyTMPython-based threat modeling for programmatic generation
Mermaid / Diagrams.netCreate DFDs and attack trees

Integrating into Development

Sprint 0: Architecture Review

Conduct threat modeling during the design phase, before implementation begins.

Definition of Done

  • DFD created and reviewed
  • STRIDE threats identified for each trust boundary
  • Mitigations documented and added to the backlog
  • Security tests defined for each mitigation

Continuous Review

Revisit the threat model when:

  • New integrations or APIs are added
  • Trust boundaries change (e.g., new region, new vendor)
  • A vulnerability is discovered in a similar system

Common Mistakes

  • Threat modeling too late — after code is written, fixes are expensive
  • Only security team participates — developers know the system best
  • Treating the model as a one-time document — architectures evolve; so do threats
  • Ignoring insider threats — not all attackers are external
  • Focusing only on software — social engineering and physical access are valid threats

FAQ

How long does threat modeling take? A focused session for a single service takes 2-4 hours. Complex systems may need multiple sessions.

Do I need a security expert to facilitate? Helpful but not required. A developer trained in STRIDE can lead the session. External consultants can validate findings.

How do I prioritize threats? Use a risk matrix: likelihood × impact. Address high-likelihood, high-impact threats first. Document accepted risks for low-priority items.