Threat Modeling

Software Security: Identification of hitherto unidentified vulnerabilities in standard and individual software with the aid of Threat Modeling

In the traditional Software Development Cycle, measures to raise the security level are usually implemented shortly before or in some cases even after software delivery. Since approximately half of the bugs are caused by errors in design, the security measures should be implemented as early as before (requirements phase) or during the design phase.

Threat Modeling is a heuristic method supporting the methodological development of a trustworthy system draft and architecture during the design phase of software development: the costs of fixing bugs are still very low during this phase. The chart below is a graphical representation of the systematic process of Threat Modeling, which involves three steps:


At each stage of the process, the relevant actions are carried out; the aim of this is to specify the threat model in greater detail and to advance its further development.

Apart from that, already existing system drafts and architectures can be verified in order to identify, assess and fix vulnerabilities.

Technique/Method Used

After the components worth protecting (assets) and the relevant threats have been fully identified, the phase of identifying vulnerabilities starts with the analysis of the documentation (i.e. of the security design in particular) and the analysis of the program flow charts.

By analyzing the data flow charts, the system can be broken down into manageable parts for a vulnerability check. These trust boundaries are marked to be recognized as trustworthy or non-trustworthy components.

The aims include: understanding the security architecture, identifying the design flaws and minimizing the number of potential attack surfaces.