Threat Modeling for Developers: STRIDE, PASTA & DREAD with Practical Examples
What Is Threat Modeling?
Threat modeling is the structured process of identifying security threats, understanding attack surfaces, and designing mitigations — before writing code. It's where you answer: "What can go wrong?"
Microsoft's Data: Internal Microsoft research found that threat modeling at the design phase prevented 64% of security bugs that would otherwise have been found (expensively) during penetration testing or post-release.
When to Threat Model
| Trigger | Example |
|---|---|
| New feature design | Adding payment processing |
| Architecture change | Migrating to microservices |
| New integration | Adding third-party API |
| Security incident | Post-breach analysis |
| Compliance requirement | GDPR data processing assessment |
| Periodic review | Quarterly or per-release |
STRIDE: The Most Popular Framework
STRIDE was developed at Microsoft (Loren Kohnfelder and Praerit Garg, 1999) and groups threats into six categories, each the violation of one security property: authentication, integrity, non-repudiation, confidentiality, availability and authorization:
| Category | Threat | Question | Typical Mitigation |
|---|---|---|---|
| Spoofing | Identity falsification | Can someone pretend to be someone else? | Strong authentication, MFA |
| Tampering | Data modification | Can data be changed in transit or at rest? | Digital signatures, MACs (HMAC), TLS; plain checksums only catch accidental corruption, not deliberate changes |
| Repudiation | Denying actions | Can a user deny performing an action? | Audit logging, digital signatures |
| Information Disclosure | Data leakage | Can unauthorized users see data? | Encryption, access controls |
| Denial of Service | System disruption | Can the system be made unavailable? | Rate limiting, redundancy, CDN |
| Elevation of Privilege | Gaining unauthorized access | Can a user escalate their permissions? | Server-side authorization on every request, least privilege, RBAC, sandboxing |
STRIDE Applied: User Authentication System
System: Login page → API → Database → Session management
Spoofing:
Threat: Attacker logs in with stolen credentials
Mitigation: MFA, per-account and per-IP rate limiting, impossible-travel and new-device detection
Tampering:
Threat: Session token modified to change the user ID
Mitigation: Signed JWTs (verify the signature, pin the expected algorithm, reject alg=none) or opaque session IDs looked up server-side
Repudiation:
Threat: User denies making a purchase
Mitigation: Append-only audit log recording actor, action, timestamp and source IP, retained under a separate write-only role
Information Disclosure:
Threat: Password hashes exposed via API
Mitigation: Never serialize password fields into responses; hash with Argon2id so a leaked table is still expensive to crack
Denial of Service:
Threat: Credential stuffing overwhelms the login endpoint
Mitigation: Rate limiting (e.g. 5/min per account and per IP), CAPTCHA after 3 failures, checks against breached-password lists; per-IP limits alone miss stuffing spread across a botnet
Elevation of Privilege:
Threat: Regular user accesses the admin panel
Mitigation: Server-side role checks on every request; hiding the admin UI in the client is not a control
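The Tampering and Elevation of Privilege rows above, as an added example that is not code from the original article: an HMAC-signed session token whose user ID cannot be altered without the tag failing, and a server-side role check applied to every request. It uses only the Python standard library; the hard-coded demo key, the token layout and the route-to-role table are constructed for illustration.

```python
"""Added example for the Tampering and Elevation-of-Privilege rows above (not
code from the original article): an HMAC-signed session token and a server-side
role check that runs on every request. Standard library only. The key, token
layout and route table are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: in a real service this comes from a secrets manager, never from source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Assumed route -> permitted roles table; the per-request check is the point.
ROUTE_ROLES = {"/api/profile": {"user", "admin"}, "/api/admin/users": {"admin"}}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _serialize(claims: dict) -> bytes:
    # Canonical form so the bytes that are signed are the bytes that are verified.
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()


def issue_token(user_id: int, role: str, ttl_seconds: int = 900,
                now: Optional[float] = None) -> str:
    """Sign {uid, role, exp} with HMAC-SHA256; one tag binds every field at once."""
    now = time.time() if now is None else now
    payload = _serialize({"uid": user_id, "role": role, "exp": int(now + ttl_seconds)})
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the tag matches (constant-time compare) and exp
    is in the future. Malformed input is treated exactly like a bad tag."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None  # Tampering: body no longer matches its tag
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def tamper_user_id(token: str, new_uid: int) -> str:
    """The attacker's move from the Tampering row: rewrite uid, keep the old tag."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["uid"] = new_uid
    return f"{_b64(_serialize(claims))}.{tag_b64}"


def authorize(token: str, route: str, now: Optional[float] = None) -> int:
    """Server-side check on every request (Elevation of Privilege row):
    401 for a missing, forged or expired token, 403 when the role is not allowed."""
    claims = verify_token(token, now=now)
    if claims is None:
        return 401
    if claims.get("role") not in ROUTE_ROLES.get(route, set()):
        return 403
    return 200
```

Two design points carry over to real systems: the comparison uses `hmac.compare_digest` so a forged tag cannot be guessed byte by byte through timing, and `authorize` decides from the verified claims alone, never from a role the client sends alongside the request.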
PASTA: Process for Attack Simulation and Threat Analysis
PASTA is a risk-centric methodology with 7 stages:
| Stage | Activity | Output |
|---|---|---|
| 1. Define Objectives | Business objectives, compliance requirements | Security objectives document |
| 2. Define Technical Scope | Architecture diagrams, data flows | Technical scope document |
| 3. Application Decomposition | DFDs, trust boundaries, entry points | Decomposition diagram |
| 4. Threat Analysis | Threat intelligence, attack patterns | Threat library |
| 5. Vulnerability Analysis | CVEs, weaknesses, scan results | Vulnerability list |
| 6. Attack Modeling | Attack trees, abuse cases | Attack scenarios |
| 7. Risk Analysis & Management | Risk rating, mitigation priorities | Risk treatment plan |
DREAD: Threat Scoring
DREAD scores each threat on five dimensions, each from 1 to 10, and sums them into a single 5-50 rating:
| Dimension | Question | Score Guide |
|---|---|---|
| Damage | How severe is the impact? | 10 = complete system compromise |
| Reproducibility | How easy to reproduce? | 10 = every time, no special conditions |
| Exploitability | How easy to exploit? | 10 = automated tool, no skill required |
| Affected Users | How many users impacted? | 10 = all users |
| Discoverability | How easy to discover? | 10 = publicly known, Google-findable |
Score Interpretation (sum of the five values):
- 40-50: Critical — Fix immediately
- 30-39: High — Fix this sprint
- 20-29: Medium — Plan for next cycle
- 5-19: Low — Backlog
Caveat: DREAD values are subjective, and Microsoft has since dropped DREAD from its own SDL for that reason; two reviewers scoring the same threat often land a band apart on Damage or Exploitability. Agree a written rubric for each dimension before scoring, and consider pinning Discoverability at 10 (assume the attacker will find it) so that a low guess there never argues for deferring a fix.
Data Flow Diagram Template
```text
┌──────────────┐          HTTPS          ┌──────────────────┐
│   Browser    │ ──────────────────────► │   API Gateway    │
│  (External)  │ ◄────────────────────── │ (Trust boundary) │
└──────────────┘                         └────────┬─────────┘
                                                  │
                                     ┌────────────┴────────────┐
                                     │                         │
                               ┌─────▼──────┐           ┌──────▼──────┐
                               │    Auth    │           │  Business   │
                               │  Service   │           │   Logic     │
                               │ (Internal) │           │ (Internal)  │
                               └─────┬──────┘           └──────┬──────┘
                                     │                         │
                               ┌─────▼──────┐           ┌──────▼──────┐
                               │  User DB   │           │ Data Store  │
                               │ (Secrets)  │           │   (PII)     │
                               └────────────┘           └─────────────┘
```
Trust boundaries to analyze:
- Browser ↔ API Gateway (public internet)
- API Gateway ↔ Internal services (network boundary)
- Services ↔ Databases (data access boundary)
Threat Modeling Checklist
- Identify all entry points (APIs, webhooks, file uploads, event sources)
- Map data flows (where does sensitive data travel?)
- Define trust boundaries (where do security contexts change?)
- Apply STRIDE to each component and data flow
- Score threats using DREAD
- Identify mitigations for high-risk threats
- Document accepted risks with justification
- Review threat model when architecture changes
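The checklist above run over the data flow diagram template, and the DREAD scoring from the previous section, as an added example that is not code from the original article. It declares the diagram's elements and flows with trust zones, applies STRIDE-per-element (the mapping from Adam Shostack's Threat Modeling book: external entities get S and R, processes all six, data stores T, R, I, D, data flows T, I, D), flags flows that cross a trust boundary, and ranks the result by DREAD total. The element names are the diagram's; the zone labels, internal protocols, threat wording and every DREAD value are constructed for illustration.

```python
"""Added example (not code from the original article): checklist steps over the
DFD template. STRIDE-per-element enumerates candidate threats for each element
and each boundary-crossing flow; DREAD totals rank them. Element names are the
diagram's; zones, internal protocols and all scores are constructed."""
from dataclasses import dataclass

# STRIDE-per-element: which categories are worth asking about per DFD element type.
STRIDE_PER_ELEMENT = {
    "external": "SR",     # external entity: Spoofing, Repudiation
    "process": "STRIDE",  # process: all six
    "store": "TRID",      # data store: Repudiation matters for log/audit stores
    "flow": "TID",        # data flow: Tampering, Information Disclosure, DoS
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}


@dataclass
class Element:
    name: str
    kind: str  # external | process | store
    zone: str  # trust zone (constructed labels): internet | edge | internal | data


@dataclass
class Flow:
    src: Element
    dst: Element
    protocol: str


@dataclass
class Threat:
    target: str
    category: str
    crosses_boundary: bool
    dread: tuple = ()  # (Damage, Reproducibility, Exploitability, Affected, Discoverability)

    def score(self, assume_discoverable: bool = True) -> int:
        """DREAD total. By default Discoverability is pinned at 10 (assume the
        attacker will find it); pass False to use the raw value."""
        damage, repro, exploit, affected, discover = self.dread
        if assume_discoverable:
            discover = 10
        values = (damage, repro, exploit, affected, discover)
        if any(not 1 <= v <= 10 for v in values):
            raise ValueError(f"DREAD values must be 1-10, got {self.dread}")
        return sum(values)


def band(score: int) -> str:
    """The article's interpretation bands; totals of 5-9 fall into Low."""
    if score >= 40:
        return "Critical"
    if score >= 30:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def enumerate_threats(elements, flows):
    """Apply STRIDE to each component and each data flow (checklist step 4)."""
    threats = []
    for e in elements:
        for c in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE_NAMES[c], crosses_boundary=False))
    for f in flows:
        crosses = f.src.zone != f.dst.zone  # a flow between zones crosses a trust boundary
        target = f"{f.src.name} -> {f.dst.name} ({f.protocol})"
        for c in STRIDE_PER_ELEMENT["flow"]:
            threats.append(Threat(target, STRIDE_NAMES[c], crosses_boundary=crosses))
    return threats


def rank(threats, scores):
    """Attach DREAD tuples keyed by (target, category) and sort highest first.
    Unscored threats stay at the end so the model never silently drops one."""
    for t in threats:
        t.dread = scores.get((t.target, t.category), ())
    scored = sorted((t for t in threats if t.dread), key=lambda t: t.score(), reverse=True)
    return scored + [t for t in threats if not t.dread]


# The diagram's elements. Internal protocols are assumed; the diagram labels only HTTPS.
browser = Element("Browser", "external", "internet")
gateway = Element("API Gateway", "process", "edge")
auth = Element("Auth Service", "process", "internal")
logic = Element("Business Logic", "process", "internal")
user_db = Element("User DB", "store", "data")
data_store = Element("Data Store", "store", "data")
ELEMENTS = [browser, gateway, auth, logic, user_db, data_store]
FLOWS = [Flow(browser, gateway, "HTTPS"), Flow(gateway, auth, "rpc"),
         Flow(gateway, logic, "rpc"), Flow(auth, user_db, "sql"),
         Flow(logic, data_store, "sql")]

# Constructed scores for three of the enumerated threats; the rest stay unscored.
SAMPLE_SCORES = {
    ("User DB", "Information Disclosure"): (10, 8, 6, 10, 4),   # hash dump via API
    ("Browser", "Spoofing"): (7, 9, 8, 6, 9),                    # stolen credentials
    ("Browser -> API Gateway (HTTPS)", "Denial of Service"): (5, 9, 9, 10, 10),
}

if __name__ == "__main__":
    for t in rank(enumerate_threats(ELEMENTS, FLOWS), SAMPLE_SCORES)[:3]:
        print(f"{t.score():2d} {band(t.score()):8s} {t.category:24s} {t.target}")
```

Running it lists 43 candidate threats for the six elements and five flows, every one of which crosses a zone in this diagram, which is why the three trust boundaries above are where review time goes. The hash-dump threat illustrates the Discoverability caveat: its raw total of 38 is High, while pinning Discoverability at 10 makes it 44, Critical.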
Further Reading
- OWASP Threat Modeling — Methodology guide
- Microsoft (2024), "Threat Modeling Tool" — Free threat modeling application
- Shift-Left Security — Security at design time
- OWASP Proactive Controls — Developer security practices