This page of The Threat Modeling Framework provides a structured and accessible approach to identifying and mitigating security risks across six core areas: Identity & Access Management, Infrastructure Security, Security Logging, Monitoring & Response, IT Resilience, and Secure Development (covering both secure coding practices and data protection). The framework emphasizes clarity and practicality, avoiding jargon to make threat modeling more approachable for everyone involved in the development lifecycle. It highlights common threats in each area and outlines specific security requirements to counter them, promoting a proactive and comprehensive approach to building secure systems:
- Identity & Access Management: Focuses on preventing unauthorized access. Threats include compromised passwords, credential abuse, and inactive accounts. Requirements emphasize multi-factor authentication, access control, and regular reviews.
- Infrastructure Security: Addresses system and network configuration weaknesses. Threats involve misconfigurations, outdated software, and exposed services. Hardening, patching, network segmentation, and secrets management are key requirements.
- Security Logging, Monitoring & Response: Ensures timely detection and response to security events. Inadequate logging, unanalyzed events, and slow incident response are highlighted. Requirements stress comprehensive logging, SIEM use, monitoring, and incident response planning.
- IT Resilience: Aims to maintain system availability and data protection. Threats cover data loss from cyberattacks, ransomware, system failures, and single points of failure. Backups, disaster recovery, business continuity, and redundancy are crucial.
- Secure Development: Emphasizes secure coding and deployment practices. Abuse of vulnerabilities, malicious code injection, and insecure deployment are threats. Requirements include code scanning, secure coding training, secure pipelines, and dependency management.
- Secure Development (the second panel of that name on the diagram): Focuses on data protection. Threats include data interception, malicious retrieval, key compromise, and unauthorized access. Requirements focus on encryption, key management, and using customer-managed keys.
The framework was developed by Nick Kirtley and Tejvir Singh to make threat modeling more accessible and jargon-free. It emphasizes a structured, step-by-step approach applicable throughout the development lifecycle.
IDENTITY & ACCESS MANAGEMENT
Threats related to gaining unauthorized access to system(s) or data, or performing unauthorized actions
Threats
- Unauthorized access is gained
- Unauthorized access is gained from compromised credentials
- Privileged access is gained through abusing complicated access rights
- Users who should no longer have access gain unauthorized access to the system using existing rights
- Unauthorized (and privileged) access is gained by abusing NPAs or system accounts
- Users abuse access rights that are not required
- Users abuse sensitive functions and access rights
Security Requirements
- Use Multi-Factor Authentication (MFA) when accessing all parts of the system
- Use Single Sign-On (SSO) where possible
- Use Role-Based Access Control (RBAC), with a clear overview of roles, the rights per role, and the users assigned to each role
- Perform periodic access reviews for all users, administrators, and highly privileged users
- Manage Non-Personal Accounts (NPAs), high-privileged accounts and service accounts effectively
- Apply the least privilege principle, meaning that users only have the access rights that are absolutely needed
- Apply Segregation of Duties (SoD) for privileged or highly sensitive actions and activities
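As an added example (not part of the framework's own material), a small Python model of the IAM requirements above: RBAC with an explicit overview of roles and rights, an MFA check, and a periodic access review that flags inactive accounts, NPAs without an accountable owner, and Segregation-of-Duties conflicts. All role, right and account names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed RBAC model (illustrative names): each role maps to the rights it grants.
ROLES = {
    "reader":   {"read"},
    "payer":    {"read", "create_payment"},
    "approver": {"read", "approve_payment"},
    "admin":    {"read", "manage_users"},
}
# Segregation of Duties: no single principal may hold both rights of a pair.
SOD_PAIRS = [("create_payment", "approve_payment")]

@dataclass
class Account:
    name: str
    roles: set
    last_login: date
    mfa: bool = False
    is_npa: bool = False        # non-personal / service account
    owner: str = ""             # NPAs need an accountable owner

def rights(acct: Account) -> set:  # effective rights = union over assigned roles
    return set().union(*(ROLES[r] for r in acct.roles))

def access_review(accounts, today: date, max_idle_days: int = 90):
    """Periodic access review: returns (account, finding) pairs to act on."""
    findings = []
    for a in accounts:
        r = rights(a)
        if not a.is_npa and not a.mfa:
            findings.append((a.name, "MFA not enforced"))
        if today - a.last_login > timedelta(days=max_idle_days):
            findings.append((a.name, "inactive account still holds rights"))
        for x, y in SOD_PAIRS:
            if x in r and y in r:
                findings.append((a.name, f"SoD violation: {x} + {y}"))
        if a.is_npa and not a.owner:
            findings.append((a.name, "NPA without accountable owner"))
    return findings

# Constructed sample population; the review date is the framework's publication date.
TODAY = date(2024, 7, 27)
SAMPLE_ACCOUNTS = [
    Account("alice", {"payer", "approver"}, TODAY - timedelta(days=2), mfa=True),
    Account("bob", {"reader"}, TODAY - timedelta(days=120), mfa=True),
    Account("deploy-bot", {"admin"}, TODAY - timedelta(days=1), is_npa=True),
    Account("carol", {"reader"}, TODAY - timedelta(days=1)),
]
```

Running `access_review(SAMPLE_ACCOUNTS, TODAY)` yields one finding per sample account, each mapping to a requirement in the list above.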
SECURE DEVELOPMENT
Threats related to insecure development processes and tooling
Threats
- Abuse of vulnerabilities & weaknesses (originating from the code base)
- Malicious code is added to the code base by an insider
- The system is abused via dependencies or libraries
- Previously unidentified vulnerabilities or weaknesses are abused
Security Requirements
- Code scanning
- Secure coding training
- Secure pipelines
- Dependency management
INFRASTRUCTURE SECURITY
Threats related to exploiting (configuration) weaknesses in system(s) and unauthorized network access to (parts of) system(s) or data
Threats
- Misconfigurations are abused for unauthorized access or disruption
- Unnecessary services, pages, or ports are abused
- Sensitive pages or services are accessed externally
- Outdated software with vulnerabilities is abused
- Exposed secrets or tokens are used for abuse or access
- Production data is lost in the development or testing phase
- Critical technical components are abused from external networks
- Services and ports are maliciously accessed from external networks
- Attackers hop from one network or application zone to another
Security Requirements
- Hardening of (all) technical components of the system
- Removing unnecessary services that are provided by default, or enabled during development
- Reducing the exposure of services, web pages, and administrator panels
- Applying security patches to technical components of the system
- Securely managing secrets, tokens, etc. in a vault or similar technology
- Use of DTAP (separate Development, Test, Acceptance, and Production environments)
- Segmenting internal parts of the solution (i.e., segmenting components at the network level)
- Use a firewall between trusted and untrusted zones
- Use firewalls, or other network filtering, between applications & infrastructure (i.e., apply microsegmentation)
SECURE DEVELOPMENT (data protection)
Threats related to gaining or intercepting unencrypted business, technical, or personal data
Threats
- Data is intercepted via the network
- Data is maliciously retrieved or gained from a database or system
- Encrypted traffic or files are decrypted using stolen keys or secrets
- Unauthorized access to data by or through a service or cloud provider
Security Requirements
- Encrypt confidential data in transit
- Encrypt confidential data at rest
- Manage security & encryption keys securely using proven systems and processes
- Use customer-managed keys when hosting data or systems in (public) cloud environments
SECURITY LOGGING, MONITORING & RESPONSE
Threats related to abuse that goes undetected or is not identified and remediated
Threats
- Security events at infrastructure level are not identified
- Security events at application level are not identified
- Security events are not analyzed by security professionals
- Security events are not resolved by security professionals or the SOC
Security Requirements
- Logging of technical events occurring at the infrastructure level
- Logging of important events occurring at the application level
- Triggering active monitoring of critical events at the infrastructure and application level
- Response measures by the SOC or other security professionals in case of critical events
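An added example, not from the framework itself, showing the two logging levels above feeding active monitoring: one detection rule runs over constructed infrastructure-level log lines (an sshd auth log) and two run over constructed application-level JSON events. The rules, thresholds, field names and all addresses and user names are assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data): an infrastructure-level sshd
# auth log and an application-level JSON event stream.
INFRA_LOG = """\
Jul 27 10:00:01 web1 sshd[412]: Failed password for root from 203.0.113.7 port 5110 ssh2
Jul 27 10:00:03 web1 sshd[412]: Failed password for root from 203.0.113.7 port 5111 ssh2
Jul 27 10:00:04 web1 sshd[412]: Failed password for admin from 203.0.113.7 port 5112 ssh2
Jul 27 10:00:09 web1 sshd[413]: Accepted publickey for deploy from 198.51.100.2 port 6001 ssh2
Jul 27 10:00:10 web1 sshd[412]: Failed password for root from 203.0.113.7 port 5113 ssh2
"""
APP_LOG = """\
{"ts": "2024-07-27T10:01:00", "event": "login", "user": "carol", "ok": true}
{"ts": "2024-07-27T10:01:30", "event": "role_change", "user": "carol", "new_role": "admin", "by": "carol"}
{"ts": "2024-07-27T10:02:00", "event": "export", "user": "carol", "rows": 250000}
"""
SSH_FAIL = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for \S+ from (\S+)")

def infra_alerts(log, threshold=3, window=timedelta(seconds=60), year=2024):
    """Infra-level rule: >= threshold failed logins from one IP inside window."""
    failures = defaultdict(list)
    for line in log.splitlines():
        m = SSH_FAIL.match(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            failures[m.group(2)].append(ts)
    alerts = []
    for ip, times in failures.items():
        times.sort()
        # sliding window over the sorted timestamps for this source
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerts.append(("ssh_bruteforce", ip))
    return alerts

def app_alerts(log, export_limit=100000):
    """App-level rules: self-granted privilege change and bulk data export."""
    alerts = []
    for line in log.splitlines():
        e = json.loads(line)
        if e["event"] == "role_change" and e.get("by") == e["user"]:
            alerts.append(("self_privilege_grant", e["user"]))
        if e["event"] == "export" and e.get("rows", 0) >= export_limit:
            alerts.append(("bulk_export", e["user"]))
    return alerts
```

Each returned tuple is the kind of critical event that the requirements above expect to be escalated to the SOC for a response.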
IT RESILIENCE
Threats related to disrupting the availability of system(s) or data
Threats
- Data is lost in case of a cyber event or attack
- Data is lost in case of a ransomware attack
- Systems or data cannot be recovered in case of a cyber attack
- Processes cannot recover in case of a cyber attack
- Systems are down due to loss of a single point of failure
Security Requirements
- Perform periodic backups of systems and data
- Perform air-gapped backups of systems and data for use after a ransomware attack
- Perform regular recovery tests using backup data
- Hold regular business continuity sessions to recover from a (simulated) attack or outage
- Develop redundancy of systems and processes for systems with high availability requirements
Threat Modeling Framework
Nick Kirtley & Tejvir Singh | 27 Jul 2024 | v1.0
Aristiun.com | Threat-Modeling.com