Chapter 69. Learn to Threat Model

Adam Shostack, Matthew Coles, and Izar Tarandach

Every application security professional should know how to threat model. It doesn’t have to be a big or complex process. The Threat Modeling Manifesto says threat modeling focuses on four simple questions:

  1. What are we working on?

  2. What can go wrong?

  3. What are we going to do about it?

  4. Did we do a good enough job?

We ask, “What are we working on?” to focus our attention and scope our analysis. Some people ask, “What are we building?” and accidentally make a waterfall threat modeling process. Some people choose to “threat model every story,” which is another approach to scoping and determining which stories have security value and which do not.

The second question, “What can go wrong?” is the heart of threat modeling. It is hard but essential, and you need to involve people with different perspectives. You can also use structured approaches, like STRIDE or kill chains, to be more systematic about which threats you discover. Free-flow or unbounded approaches like “think like a hacker” prove less effective and sometimes daunting; if you don’t know how a hacker thinks, how are you supposed to emulate ...
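To show what "structured" means in practice, here is a small STRIDE-per-element enumerator. It is an added example, not code from the chapter or its authors: it walks a constructed data-flow model (browser, HTTPS request, web app, two data stores) and emits, for each element, the STRIDE categories that the common STRIDE-per-element chart associates with that element type, flagging elements on a trust boundary for attention first. The model, element names and the applicability table are assumptions for illustration.

```python
"""Tiny STRIDE-per-element enumerator (added example, constructed model)."""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Common STRIDE-per-element heuristic (assumed here): which letters are
# usually worth asking about for each kind of diagram element.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",   # R is only meaningful for stores holding logs
}

@dataclass
class Element:
    name: str
    kind: str                        # one of APPLICABLE's keys
    crosses_trust_boundary: bool = False
    holds_logs: bool = False         # data stores: repudiation applies to logs

def applicable_letters(el: Element) -> str:
    """STRIDE letters to consider for this element."""
    letters = APPLICABLE[el.kind]
    if el.kind == "data_store" and not el.holds_logs:
        letters = letters.replace("R", "")
    return letters

def enumerate_threats(model):
    """One candidate threat per (element, applicable STRIDE category)."""
    rows = []
    for el in model:
        for letter in applicable_letters(el):
            rows.append({"element": el.name, "kind": el.kind,
                         "threat": STRIDE[letter],
                         "priority": "high" if el.crosses_trust_boundary else "normal"})
    return rows

# Constructed sample: a browser talking to a web app backed by two stores.
SAMPLE_MODEL = [
    Element("Browser", "external_entity", crosses_trust_boundary=True),
    Element("HTTPS request", "data_flow", crosses_trust_boundary=True),
    Element("Web app", "process"),
    Element("Users DB", "data_store"),
    Element("Audit log", "data_store", holds_logs=True),
]

if __name__ == "__main__":
    for row in enumerate_threats(SAMPLE_MODEL):
        print(f"[{row['priority']:>6}] {row['element']:<14} {row['threat']}")
```

Each emitted row is a question to answer ("can the Browser be spoofed?"), not a confirmed finding; the enumeration feeds the discussion, it does not replace it.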
