The process of threat modeling can vary based on multiple factors. However, in general, the threat modeling process can be broken down into the following steps:
- Identification of security objectives: Before we actually get started with threat modeling, it is absolutely important to understand the objectives behind doing the threat modeling exercise. It may be possible that there are certain compliance or regulatory requirements that need to be addressed. Once the driving factors are understood, it becomes easier to visualize probable threats during the process.
- Identification of assets and external factors/dependencies: Unless we know precisely what are we trying to protect, it just won't be possible to enumerate threats. Identifying assets helps build a basis for further modeling processes. Assets need protection from attackers and may need to be prioritized for countermeasures. There's also a need to identify any possible external entity or dependency that may not be directly part of the system but still may pose a threat to the system.
- Identification of trust zones: Once the assets and external dependencies have been identified, the next step is to identify all entry points and exit points along with the trust zone. This information can be effectively used to develop data flow diagrams with trust boundaries.
- Identification of potential threats and vulnerabilities: Threat modeling techniques, such as STRIDE (discussed in the upcoming section), can give a brief idea about common threats impacting the given system. Some examples could be XSS, CSRF, SQL injection, improper authorization, broken authentication, and session management vulnerabilities. It is then required to identify and assess system areas that are more prone to risks, for example, insufficient input validation, inappropriate exception handling, lack of audit logging, and so on.
- Documentation of threat models: Threat modeling isn't a one-time activity; rather, it is an iterative process. Comprehensive documentation of threats after each iteration is extremely important. Documentation can provide architects with a good reference on probable threats that need to be considered while designing a system and also allows them to think about possible countermeasures. Developers can also refer to the threat modeling documentation during the development phase in order to explicitly handle certain threat scenarios.