I’ve worked in many organizations over the years and have been involved with the delivery of some threat modeling process or program at most of these organizations. And I’m here to tell you that many of them failed. Not because there was no willingness or need for them, but simply because driving a threat modeling process in an organization can be daunting. It can be no less challenging than rolling out a new security tool, with all the integrations, arm-twisting, and repeated meetings to justify its needs. Threat modeling is a foundation, some may even say a table stake, to delivering secure architecture in an organization. Whether it’s a new product for clients, a new third-party system integration, or a new, recently established technology, threat modeling is crucial to the identification of potential threats to an organization.

So, why do so many organizations find it either challenging or impossible to integrate threat modeling...

Threat modeling operates on a deceptively simple foundation built from four interconnected concepts. We’ll start by understanding the relationships between assets, threats, vulnerabilities, and risk, and how they determine whether your threat modeling exercises produce actionable security controls or documentation that collects dust. These elements form the basic framework that transforms security concerns into defensive strategies, but only when each component is well understood and applied in a threat modeling practice.

Assets

Assets are at the heart of everything we do in threat modeling. These aren’t just physical items such as servers and sensors but also include the data, the people, and the organization as a whole. Assets are the intellectual property that keeps your company ahead of competitors, sensitive user data entrusted to you by clients, or even the software itself that runs the business. Intangible assets such...

Creating a threat model means that you need to know what it is that you’re modeling. This includes what’s in your purview, what you have control over, and what your environment looks like. More importantly, you need to consider what security controls already exist in your environment that mitigate possible threats that tie into the overall scope of the model and the assumptions you make.

In threat modeling, assumptions are the beliefs or expectations about the system, environment, users, or adversaries that shape how threats are identified, prioritized, and mitigated. When we do threat modeling, we assume that certain things are in place: a firewall, Multi-Factor Authentication (MFA), and security-versed users of the system. The reality is that those should never be taken for granted as being there and properly configured.

Nonetheless, the process of threat modeling requires defining the scope and clarifying the assumptions...

We’ve covered some of the basics of threat modeling, but there are some high-level best practices to keep in mind as well. These will serve you well as you embark on creating threat models in your organization.

Threat modeling mindset

Have you ever walked down a street at night, alone, in the dark, and thought to yourself that you should maybe quicken your pace or “keep your head on a swivel” (in other words, pay attention)? Would you have that same reaction walking that same street in the daylight? With a crowd of people? Likely not. The purpose of raising this scenario is to illustrate how we, whether we think about it or not, threat model on a daily basis. It’s in our nature to ensure our survival by occasionally thinking the worst and then formulating a plan to deal with it. Sometimes, at least in the physical world, we rely on our instincts. In the digital world, we need to build those instincts...

Even with the best intentions, there are several common mistakes and pitfalls that can undermine the effectiveness of a threat modeling process. By being aware of these potential issues, teams can avoid falling into these traps and ensure that their threat models are thorough, actionable, and continuously improving.

Starting too late

One of the most critical mistakes is starting the threat modeling process too late in the development life cycle. Threat modeling should be integrated when the design is first developed so that potential threats are identified and mitigations can be devised before coding begins. When threat modeling is left until the end of development, it often uncovers issues that are deeply embedded in the project and more time-consuming and costly to fix.

Lack of expertise

Another pitfall is approaching threat modeling without the necessary expertise. This goes beyond having the right stakeholders and focuses...

This example follows a fictitious company named Centurion Bank & Trust, a financial institution implementing a new online banking system. This demonstrates how systematic security analysis can help the bank identify critical assets, as well as how they can define relevant threat agents, including external cybercriminals and insider threats. This example will show how a structured approach to threat modeling helps organizations achieve improvements in their security posture through application threat modeling.

Background

The fictional bank Centurion Bank & Trust, a leading financial institution, decided to implement a new online banking system to enhance customer experience and streamline operations. The system allows customers to perform transactions, check account balances, and apply for loans through a web interface.

Objective

Identify potential security threats and vulnerabilities in the new online banking...

Threat modeling is a critical practice for identifying potential risks in applications and systems early in the development process, allowing organizations to stay ahead of vulnerabilities before they become serious issues. In this chapter, we’ve explored how threat modeling fits into the larger product development life cycle, highlighting its importance as a foundational piece of a strong security strategy.

We’ve covered the essential concepts of threat modeling, including how to identify assets, classify threats, and document assumptions. This chapter emphasized the importance of integrating threat modeling into the design and development process, making it part of a continuous feedback loop as the product evolves. By adopting an iterative approach, organizations can refine their threat models as new information and risks emerge, ensuring they stay aligned with the latest security challenges. Regular reassessment of the threat model is also critical, as...