Definition
There are many definitions.
The widely accepted one is: threat modeling is a process that can be used to analyze potential attacks or threats, and can also be supported by threat libraries or attack taxonomies.
They all have some shared properties:
- Used for securing software design.
- Assisting software engineers in identifying and documenting potential security threats.
- Supported by threat libraries.
And the common process is:
- The architecture of the system is represented and analyzed.
- Threats are identified and documented.
- Mitigation techniques are selected.
Types of threat modeling methods
Can be separated into:
- Manual modeling (majority): can be time-consuming and error-prone.
- Automatic modeling: some approaches described as automatic are not completely automatic.
And:
- Formal modeling: based on mathematical models.
- Graph modeling (majority): attack trees, attack graphs or tables (e.g. STRIDE).
The form of threat modeling can be flexible:
- Some approaches combine manual and automatic modeling.
- Many approaches employ graphical modeling combined with formal modeling.
Validation
The majority of approaches were validated through theoretical examples or empirical case studies.
Others were validated through qualitative methods or software simulations.
These validation methods give limited assurance.
The process
Threat modeling is an iterative process, because identifying all threats in a single attempt is almost impossible.
It also uncovers threats in non-security elements, for example the user interface and business logic.
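The three-step process (represent the architecture, identify threats, select mitigations), a STRIDE table as the threat library, and the iteration described in this section, worked through in Python as an added example that is not part of the original notes. The STRIDE-per-element mapping is the standard one; the browser/web app/database system, its trust zones and the chosen mitigations are constructed for the illustration.

```python
from dataclasses import dataclass, field

# STRIDE-per-element: threat categories that apply to each DFD element type.
# S=Spoofing T=Tampering R=Repudiation I=Info disclosure D=DoS E=Elevation
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE", "datastore": "TRID", "dataflow": "TID"}

@dataclass
class Element:
    name: str
    kind: str                      # key of STRIDE_PER_ELEMENT
    trust_zone: str = "internal"   # step 1: architecture incl. trust boundaries
    mitigations: set = field(default_factory=set)  # STRIDE letters addressed

@dataclass
class Flow:
    name: str
    src: Element
    dst: Element
    mitigations: set = field(default_factory=set)

def enumerate_threats(elements, flows):
    """Step 2: unmitigated (name, STRIDE letter, crosses_trust_boundary) rows,
    boundary-crossing threats first so the table reads in priority order."""
    found = []
    for e in elements:
        found += [(e.name, c, False) for c in STRIDE_PER_ELEMENT[e.kind]
                  if c not in e.mitigations]
    for f in flows:
        crosses = f.src.trust_zone != f.dst.trust_zone
        found += [(f.name, c, crosses) for c in STRIDE_PER_ELEMENT["dataflow"]
                  if c not in f.mitigations]
    return sorted(found, key=lambda t: (not t[2], t[0], t[1]))

def apply_mitigations(elements, flows, chosen):
    """Step 3, then iterate: record chosen mitigations and re-enumerate."""
    for item in elements + flows:
        item.mitigations |= set(chosen.get(item.name, ""))
    return enumerate_threats(elements, flows)

def build_sample():
    """Constructed three-element system: browser -> web app -> database."""
    browser = Element("browser", "external", trust_zone="internet")
    webapp = Element("webapp", "process")
    db = Element("db", "datastore")
    return [browser, webapp, db], [Flow("login", browser, webapp),
                                   Flow("query", webapp, db)]

if __name__ == "__main__":
    print(*apply_mitigations(*build_sample(), {"login": "TI"}), sep="\n")
```

Each run of apply_mitigations is one iteration: the remaining rows are the threats still open for the next pass.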
Future research directions
- Automatic threat modeling
- Validation of threat modeling: validating how usable the approach is for intelligence analysts.
- Implement threat modeling as a software tool.
- Derive new attack categories: the framework must be continuously updated in the future.