Threat Model? What is that?

Tanmay Deshpande
3 min readJan 25, 2018
Photo by Alex Iby on Unsplash

In the world of internet, security is becoming big concern for all organisations. Data protection regulations like EU General Data Protection Regulation — GDPR are making programmer’s life even worse. In a way, it is good that such type of regulations are enforcing organisations to take security seriously.

In this article I am going to talk about a concept in security called — Threat Model and it can help you secure your applications & products.

What is Threat Model?

In simple words, it is an approach to analyse the security of an application. It is a structure way to identify, quantify & mitigate the security risks in an application.

How do I implement a threat model?

A threat model can be implemented in 3 simple steps-

  1. Draw a diagram of various components in the application. This is more of decomposing the application by drawing the Data Flow Diagram (DFD).
  2. Identify & rank the threats as per OWASP’s STRIDE classification scheme
  3. Determine and implement the risk mitigation. Once you understand the risk, you can take help from various online resources on how that risk can be reduced.

What is Data Flow Diagram?

Data Flow Diagram (DFD) allows us to put a model of our application using the data collected. It consists of various components like —

Components of DFD

What tool can I use to draw a DFD?

Microsoft provides a free tool called Microsoft Threat Modeling Tool 2016. It can be downloaded from this link.

How does a sample Data Flow Diagram looks like?

Microsoft Threat Modelling Tool comes with sample DFD. Here is a sample DFD for a web application. Following is a sample-

DFD for a Web Application

What’s next?

Tanmay Deshpande

I write about technology in simple words!