Threat modeling methodologies, such as STRIDE, VAST, and TRIKE, are systematic approaches used to identify, understand, and manage potential threats to a system. Threat modeling methodologies aid in the design of robust security measures by prioritizing risks based on their potential impact and likelihood of occurrence.
The overwhelming number of new threats added daily to cyber ecosystems has moved threat modeling from a theoretically interesting concept into a current information security standard. As threat modeling methodologies evolve, security professionals are recognizing the importance of choosing the right threat modeling methodology for an organization’s specific challenges, plus the rise of new threats that present themselves throughout a software development lifecycle.
Threat Modeling Methodology Features
From a theoretical perspective, each threat modeling technique and methodology provides security teams and organizations with the means to identify threats and may be seen on equal footing. However, on a practical level, threat modeling methodologies vary in quality, consistency, and value received for the resources invested.
Let’s dive a bit deeper into a few common threat modeling methodologies to better understand their strengths and weaknesses.
OCTAVE (Practice Focused)
The Operationally Critical Threat, Asset, and Vulnerability Evaluation methodology[1] was one of the first created specifically for cybersecurity threat modeling. Developed at Carnegie Mellon University’s Software Engineering Institute (SEI) in collaboration with CERT, OCTAVE threat modeling methodology is heavy-weighted and focused on assessing organizational (non-technical) risks that may result from breached data assets.
Using this threat modeling methodology, an organization’s information assets are identified and the datasets they contain receive attributes based on the type of data stored. The intent is to eliminate confusion about the scope of a threat model and reduce excessive documentation for assets that are either poorly defined or are outside the purview of the project.
Though OCTAVE threat modeling provides a robust, asset-centric view, and organizational risk awareness, the documentation can become voluminous. OCTAVE lacks scalability – as technological systems add users, applications, and functionality, a manual process can quickly become unmanageable.
This method is most useful when creating a risk-aware corporate culture. The method is highly customizable to an organization’s specific security objectives and risk environment.
Trike Threat Modeling (Acceptable Risk Focused)
Trike threat modeling is a unique, open source threat modeling process focused on satisfying the security auditing process from a cyber risk management perspective.[2] It provides a risk-based approach with unique implementation, and risk modeling process. The foundation of the Trike threat modeling methodology is a “requirements model.” The requirements model ensures the assigned level of risk for each asset is “acceptable” to the various stakeholders.
With the requirements model in place, the next step in Trike threat modeling is to create a data flow diagram (DFD). System engineers created data flow diagrams in the 1970s to communicate how a system moves, stores and manipulates data. Traditionally they contained only four elements: data stores, processes, data flows, and interactors.
The concept of trust boundaries was added in the early 2000s to adopt data flow diagrams to threat modeling. In the Trike threat modeling methodology, DFDs are used to illustrate data flow in an implementation model and the actions users can perform in within a system state.
The implementation model is then analyzed to produce a Trike threat model. As threats are enumerated, appropriate risk values are assigned to them from which the user then creates attack graphs. Users then assign mitigating controls as required to address prioritized threats and the associated risks. Finally, users develop a risk model from the completed threat model based on assets, roles, actions and threat exposure.
However, because Trike threat modeling requires a person to hold a view of the entire system to conduct an attack surface analysis, it can be challenging to scale to larger systems.
P.A.S.T.A. Threat Modeling (Attacker Focused)
The Process for Attack Simulation and Threat Analysis is a relatively new application threat modeling methodology.[3] PASTA threat modeling provides a seven-step process for risk analysis which is platform insensitive. The goal of the PASTA methodology is to align business objectives with technical requirements while taking into account business impact analysis and compliance requirements. The output provides threat management, enumeration, and scoring.
The PASTA threat modeling methodology combines an attacker-centric perspective on potential threats with risk and impact analysis. The outputs are asset-centric. Also, the risk and business impact analysis of the method elevates threat modeling from a “software development only” exercise to a strategic business exercise by involving key decision makers in the process.
PASTA threat modeling works best for organizations that wish to align threat modeling with strategic objectives because it incorporates business impact analysis as an integral part of the process and expands cybersecurity responsibilities beyond the IT department.
This alignment can sometimes be a weakness of the PASTA threat modeling methodologies. Depending on the technological literacy of key stakeholders throughout the organization, adopting the PASTA methodology can require many additional hours of training and education.
STRIDE Threat Modeling (Developer Focused)
STRIDE stands for Spoofing Tampering Repudiation Information Message Disclosure Denial of Service and Elevation of Privilege. Microsoft’s threat modeling methodology – commonly referred to as STRIDE – aligns with their Trustworthy Computing directive of January 2002.[4] The primary focus of that directive is to help ensure that Microsoft’s Windows software developers think about security during the design phase.
The STRIDE threat modeling goal is to get an application to meet the security properties of Confidentiality, Integrity, and Availability (CIA), along with Authorization, Authentication, and Non-Repudiation. Once the security subject matter experts construct the data flow diagram-based threat model, system engineers or other subject matter experts check the application against the STRIDE threat model classification scheme.
This methodology is both well documented and well known owing to Microsoft’s significant influence in the software industry and their offering of Microsoft TMT.
VAST Threat Modeling (Enterprise Focused)
The Visual, Agile, and Simple Threat modeling (VAST) methodology was conceived after reviewing the shortcomings and implementation challenges inherent in the other threat modeling methodologies. The founding principle is that, in order to be effective, threat modeling must scale across the infrastructure and entire DevOps portfolio, integrate seamlessly into an Agile environment and provide actionable, accurate, and consistent outputs for developers, security teams, and senior executives alike.
A fundamental difference of the VAST threat modeling methodology is its practical approach. Recognizing the security concerns of development teams are distinct from those of an infrastructure team, this methodology calls for two types of threat models.
VAST: Application Threat Models
Application threat models for development teams are created with process flow diagrams (PFD). Process flow diagrams map the features and communications of an application in much the same way as developers and architects think about the application during an SDLC design session.
VAST: Operational Threat Models
Operational threat models are designed for the infrastructure teams. Though more similar to traditional DFDs than application threat models, the data flow information is presented from an attacker – not a data packet – perspective. By relying on PFDs rather than DFDs, VAST threat models do not require extensive systems expertise.
Uniquely addressing both developer and infrastructure team concerns allows organizations to incorporate threat modeling as a part of their DevOps lifecycle with different outputs for various key stakeholders.
The most significant difference of the VAST threat modeling methodology, however, is its ability to allow organizations to scale across thousands of threat models. The pillars of a scalable threat modeling practice – automation, integration, and collaboration – are foundational to VAST threat modeling. As the organization matures and new threats arise, these pillars help to develop a sustainable self-service threat modeling practice driven by the DevOps teams rather than the security team.
Learn more: Threat Modeling Methodologies: What is VAST?
Choosing the Right Threat Modeling Methodology
Desired outputs should govern an organization’s choice of threat modeling methodology. While all threat modeling methodologies may be capable of identifying potential threats, the number and type of threats identified will vary significantly, as will the quality, consistency, and value received from those threat models. The challenge, however, is to purposefully choose a threat modeling methodology based on the desired outcomes rather than to simply settle for what everyone else is doing.
At the enterprise level, the ability to scale across hundreds or even thousands of threat models certainly should be considered. If an organization is to invest significant resources in an enterprise threat modeling initiative, then the capacity to generate relevant financial and productivity reports that sync with C-Suite financial reporting may be desirable. If reducing the organization’s overall threat profile, attack surface, and risk portfolio are important, then so too is the ability to measure and track the effectiveness of the threat modeling in achieving these goals.
ThreatModeler is a leading automated threat modeling platform and service provider dedicated to helping organizations gain holistic visibility into their attack surface to implement mitigation strategies and tackle unique security needs. Our platform is trusted by industry giants to expose weaknesses and vulnerabilities across operational infrastructure and software applications, resulting in stronger enterprise security.
Strengthen your security measures with a modern threat modeling system and dedicated support from security experts. Request a demo with our experts today.
Common FAQs About Threat Modeling Methodology:
What is threat modeling in the context of cybersecurity?
Threat modeling is a structured approach used by security professionals to identify and assess potential threats and vulnerabilities in an organization’s cyber ecosystem, typically throughout the software development lifecycle.
What factors should be considered when choosing a threat modeling methodology?
Factors to consider include the organization’s specific challenges, desired outcomes, scalability requirements, and alignment with strategic objectives.
What is the OCTAVE threat modeling methodology?
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a practice-focused methodology that emphasizes assessing organizational risks resulting from breached data assets. It provides an asset-centric view and organizational risk awareness but may lack scalability.
How does Trike threat modeling differ from other methodologies?
Trike threat modeling is an open-source, acceptable risk-focused methodology that emphasizes satisfying the security auditing process from a cyber risk management perspective. It is based on a requirements model and uses data flow diagrams, but can be challenging to scale for larger systems.
What is the focus of P.A.S.T.A. threat modeling?
P.A.S.T.A. (Process for Attack Simulation and Threat Analysis) is an attacker-focused methodology that aims to align business objectives with technical requirements, while considering business impact analysis and compliance requirements. It is best suited for organizations seeking to align threat modeling with strategic objectives.
What are the key aspects of STRIDE threat modeling?
STRIDE (Spoofing, Tampering, Repudiation, Information Message Disclosure, Denial of Service, and Elevation of Privilege) is a developer-focused methodology created by Microsoft that aims to ensure security during the design phase of software development. It is well documented and widely known due to Microsoft’s influence in the software industry.
What is the VAST threat modeling methodology?
VAST (Visual, Agile, and Simple Threat modeling) is an enterprise-focused methodology that emphasizes scalability, integration, and collaboration. It provides separate application and operational threat models for development and infrastructure teams and allows organizations to scale across thousands of threat models.
How does VAST threat modeling support scalability?
VAST threat modeling supports scalability by using automation, integration, and collaboration as its foundational pillars. These elements enable a sustainable, self-service threat modeling practice driven by DevOps teams rather than just the security team.
What is the importance of desired outputs in choosing a threat modeling methodology?
Desired outputs should guide an organization’s choice of methodology, as the number and type of threats identified, as well as the quality, consistency, and value received from the threat models will vary significantly among different methodologies.
How can ThreatModeler help organizations with their threat modeling needs?
ThreatModeler is an automated threat modeling platform and service provider that helps organizations gain holistic visibility into their attack surface, implement mitigation strategies, and tackle unique security needs. It is trusted by industry giants to identify weaknesses and vulnerabilities across operational infrastructure and software applications, resulting in stronger enterprise security.