{"id":17614,"date":"2022-04-27T10:07:10","date_gmt":"2022-04-27T08:07:10","guid":{"rendered":"https:\/\/www.codemotion.com\/magazine\/?p=17614"},"modified":"2022-04-27T10:07:11","modified_gmt":"2022-04-27T08:07:11","slug":"threat-modeling-for-digital-applications-a-quick-guide","status":"publish","type":"post","link":"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/","title":{"rendered":"Threat Modeling for Digital Applications: A Quick Guide"},"content":{"rendered":"\n<p>Threat Modeling is a security design process to identify potential threats that may impact web and mobile digital applications and determine the correct controls to produce effective countermeasures. Discover essential steps, concepts, and best practices in this guide created with insights by <a href=\"http:\/\/accenture.com\/it-it\" class=\"ek-link\">Accenture<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-an-introduction-to-threat-modeling\">An introduction to Threat Modeling<\/h2>\n\n\n\n<p>In recent years, the <strong>need for Threat Modeling<\/strong> has grown as the number and types of attacks have increased. With the rise in popularity of web and mobile applications, attackers have more opportunities to exploit vulnerabilities. Threat Modeling can be used to assess risk in digital applications and to determine the best security controls to mitigate those risks. The process of Threat Modeling involves identifying potential threats, determining the impact of those threats, and selecting the appropriate countermeasures. 
There are a variety of <strong>benefits that can be gained from performing Threat Modeling<\/strong>. First, it can help organizations to prioritize their security efforts by <strong>identifying the most critical risks<\/strong>. Second, it can provide a <strong>structured approach for thinking about security<\/strong>. Third, it can help to <strong>uncover hidden risks<\/strong> that may be difficult to identify using other methods. Performing Threat Modeling is a valuable step in the security <strong>design process of any digital application<\/strong>. By taking the time to identify potential threats and determine the best security controls to mitigate those risks, <strong>organizations can improve the security of their applications and reduce the likelihood of a successful attack<\/strong>. Threat modeling can be applied to software, applications, systems, networks, distributed systems, Internet of Things (IoT) devices, and business processes.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-which-are-the-objectives-of-threat-modeling\">Which are the objectives of Threat Modeling?<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li><strong>Identify Potential Threats that may impact the digital application<\/strong><\/li><li><strong>Identify the Security Controls to apply as countermeasures<\/strong><\/li><li><strong>Identify critical areas of design that need to be protected<\/strong><\/li><\/ol>\n\n\n\n<p>1) When conducting a threat <strong>modeling exercise, the first objective is to identify<\/strong> <strong>potential security threats<\/strong> that may impact the digital application. This can be done by focusing on the assets, drawing and analyzing architectural diagrams, and then brainstorming with the development team and other stakeholders to identify what could go wrong. Once potential threats have been identified, they can be prioritized based on their likelihood and potential impact. 
This will help the team focus on the most serious threats first.<\/p>\n\n\n\n<p>2) The second objective of threat modeling is to <strong>identify the security controls that can be implemented to mitigate the identified threats<\/strong>. The controls should be selected based on their efficacy in mitigating the threat and their feasibility to implement. Some controls may not be feasible to implement, so the team needs to weigh the benefits and costs of each control before deciding which to implement.&nbsp;<\/p>\n\n\n\n<p>3) The third objective of threat modeling is to <strong>identify critical areas of design that need to be protected<\/strong>. This can be done by identifying which parts of the application are most critical to its functioning and security. Once these critical areas have been identified, additional security controls can be put in place to protect them.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/02\/Portada-Insurtech-1024x576.png\" alt=\"\" class=\"wp-image-17031\" srcset=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/02\/Portada-Insurtech-1024x576.png 1024w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/02\/Portada-Insurtech-300x169.png 300w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/02\/Portada-Insurtech-768x432.png 768w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/02\/Portada-Insurtech-896x504.png 896w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/02\/Portada-Insurtech-400x225.png 400w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/02\/Portada-Insurtech.png 1279w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Threat modeling aims to identify potential threats, security controls to apply, and critical areas to 
protect.<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-4-question-framework-of-threat-modeling\">The 4-question framework of Threat Modeling&nbsp;<\/h2>\n\n\n\n<p><strong>The threat modeling process can be explained with a 4-question framework<\/strong>. Each question has a corresponding threat modeling phase with sub-steps that help find the correct answers.<\/p>\n\n\n\n<p><strong>1) Model System &#8211; What are you building?<\/strong><\/p>\n\n\n\n<p><strong>2) Find Threats &#8211; What can go wrong with it once it\u2019s built?&nbsp;<\/strong><\/p>\n\n\n\n<p><strong>3) Address Threats &#8211; What should you do about those things that can go wrong?&nbsp;<\/strong><\/p>\n\n\n\n<p><strong>4) Validate &#8211; Did you do a decent job of analysis?&nbsp;<\/strong><\/p>\n\n\n\n<p>1) The first step, modeling the system, is about <strong>understanding what you are building<\/strong>. This means having a clear picture of the system\u2019s components, how they interact, and the system\u2019s environment. This step involves creating a diagram of the system under attack and identifying the assets that need to be protected. What are its component parts? What purpose does it serve? What data does it process? What are its interfaces? Knowing the answers to these questions is necessary in order to <strong>identify potential threats to the system<\/strong>. In particular, data flow diagrams and architectural diagrams should be generated for the assets that the analysis focuses on and that need to be protected. This understanding forms the basis for the next step of finding threats.&nbsp;<\/p>\n\n\n\n<p>2) In the second step, you <strong>find potential threats to the assets<\/strong> identified in the previous step. 
This is done by brainstorming, using threat catalogues, reviewing similar systems, and looking at common attack patterns, or by using a tool such as the Microsoft Threat Modeling Tool. Strategies like STRIDE, described in the following section, can help identify threats and categorize them. The goal is to generate a list of threats that could potentially exploit the weaknesses of the system. Once you have a list of potential threats, you can begin to prioritize them. Some threats may be more serious than others, and some may be more likely to occur. It is important to consider both the severity of the threat and the <strong>likelihood of it occurring<\/strong> when prioritizing threats. You need to understand both the attacker\u2019s goals and capabilities in order to identify the threats that are most relevant.<\/p>\n\n\n\n<p>3) The third step is about <strong>addressing the threats that were identified in the previous step<\/strong>. This means finding ways to mitigate or eliminate the risks that these threats pose. This can be done by redesigning components, changing assumptions, or adding security controls.<\/p>\n\n\n\n<p>4) The fourth and final step is to <strong>validate the results of the previous three steps<\/strong>. This means checking whether the threats have been properly addressed and whether the security controls are effective.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-popular-threat-modeling-strategies\">Popular Threat Modeling Strategies<\/h2>\n\n\n\n<p>There are a variety of different threat modeling strategies out there, each with its own strengths and weaknesses. 
In this section, we&#8217;ll take a look at some of the most popular threat modeling techniques and tools.&nbsp;<\/p>\n\n\n\n<h3 class=\"gb-headline gb-headline-bcf2f868 gb-headline-text\"><strong>STRIDE&nbsp;<\/strong><\/h3>\n\n\n\n<p>STRIDE is a mnemonic for the six most common types of attack: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. It was originally developed by Microsoft in the 90s. By identifying which of these attacks are possible against a given system, you can start to put together a plan to mitigate them. Teams can use STRIDE to spot threats while designing software architectures.&nbsp;<\/p>\n\n\n\n<p>STRIDE aims to ensure that an asset fulfills the CIA triad (confidentiality, integrity and availability).<\/p>\n\n\n\n<p>STRIDE can be used on a <strong>model or diagram of the system to protect<\/strong>, which should include a breakdown of processes, data stores, data flows and trust boundaries.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/laTIaUkyBRrlNz-Krwxem8oP09AFAc_v5Q0tBRGEZKU4tisLuem41hw3B3qLpudyc5cWIXH1N_pBqvCW1T1Gc8wUZnQCWr1wTRCBFhfBQG8f_KXIWsGcpFQEx6tY6iN37_fY0-4Y\" alt=\"STRIDE: Spoofing, Tampering, Repudiation, Information disclosure. 
Threat Modeling\" width=\"732\" height=\"402\"\/><figcaption>STRIDE = Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.<\/figcaption><\/figure>\n\n\n\n<h3 class=\"gb-headline gb-headline-0e5869fa gb-headline-text\"><strong>The DREAD model<\/strong><\/h3>\n\n\n\n<p>The DREAD model is a quantitative model that rates the severity of threats on a scale of 1 to 10, based on the following factors: <strong>D &#8211; Damage potential, R &#8211; Reproducibility, E &#8211; Exploitability, A &#8211; Affected users, D &#8211; Discoverability.<\/strong> By analyzing threats across these different categories and assigning a value to each, your organization can better understand which vulnerabilities in your assets and architecture are the most important, and design a plan to address them based on the priority and values assigned to each.<\/p>\n\n\n\n<h3 class=\"gb-headline gb-headline-0e2c85a4 gb-headline-text\"><strong>PASTA<\/strong><\/h3>\n\n\n\n<p>The <strong>Process for Attack Simulation and Threat Analysis (PASTA) <\/strong>is a risk-centric threat modeling framework. It allows companies and businesses to follow a series of steps to perform risk analysis and improve the overall security strategy. PASTA has a broad range and can easily scale up or scale down as needed, and many other threat modeling frameworks can map into it.<\/p>\n\n\n\n<h3 class=\"gb-headline gb-headline-8ecc6aaf gb-headline-text\"><strong>VAST<\/strong><\/h3>\n\n\n\n<p>The <strong>Visual, Agile, and Simple Threat<\/strong> (VAST) framework is based on ThreatModeler, a threat-modeling tool.<\/p>\n\n\n\n<p>Its strengths are usability and scalability, which help large organizations use it in their infrastructures.<\/p>\n\n\n\n<h3 class=\"gb-headline gb-headline-3fce7635 gb-headline-text\"><strong>Trike<\/strong><\/h3>\n\n\n\n<p>Trike is a <strong>tool for conducting security threat assessments<\/strong>. 
As their website says, <em>the project began in 2006 as an attempt to improve the efficiency and effectiveness of existing threat modeling methodologies and is being actively used and developed.<\/em><\/p>\n\n\n\n<h3 class=\"gb-headline gb-headline-83f479b1 gb-headline-text\"><strong>OCTAVE&nbsp;<\/strong><\/h3>\n\n\n\n<p>OCTAVE is a risk management methodology that focuses on <strong>identifying the Operational, Cyber, Technical, and Administrative Vulnerabilities present in a system<\/strong>. This information can then be used to assess the risks posed to each asset and determine how best to protect it. At its core, it helps the team share knowledge in a systematic way, so as to identify the current state of security, possible vulnerabilities, risks to critical assets, and set a security strategy.<\/p>\n\n\n\n<h3 class=\"gb-headline gb-headline-68799ea9 gb-headline-text\"><strong>NIST&nbsp;<\/strong><\/h3>\n\n\n\n<p>NIST is a government-sponsored risk management framework that provides guidance on how to identify, assess, and mitigate security risks. It includes a threat modeling methodology that can be used to identify potential security risks and develop mitigation plans.&nbsp;<\/p>\n\n\n\n<p>These are just a few of the many threat modeling strategies and tools that are available. Which one you choose to use will depend on your specific needs and preferences. However, all of these techniques can be useful in helping you <strong>proactively identify and address potential security risks<\/strong>.<\/p>\n\n\n\n<p>Some, like OCTAVE, focus on the practice of reviewing systems for potential threats. 
Others, like STRIDE or PASTA, focus on the point of view of a developer or an attacker.<\/p>\n\n\n\n<h3 class=\"gb-headline gb-headline-5e90295f gb-headline-text\"><strong>Tools for threat modeling&nbsp;<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/03\/Cybercrime-1-1024x576.jpg\" alt=\"STRIDE, PASTA, DREAD, VAST, TRIKE, threat modeling, cybersecurity, threat modeling tools\" class=\"wp-image-17195\" srcset=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/03\/Cybercrime-1-1024x576.jpg 1024w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/03\/Cybercrime-1-300x169.jpg 300w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/03\/Cybercrime-1-768x432.jpg 768w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/03\/Cybercrime-1-1536x864.jpg 1536w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/03\/Cybercrime-1-896x504.jpg 896w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/03\/Cybercrime-1-400x225.jpg 400w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/03\/Cybercrime-1.jpg 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Following a strong threat modeling strategy and the right tools is key for minimizing the possibilities of cyberattacks and mitigating their effects.<\/figcaption><\/figure>\n\n\n\n<p>There are a number of different tools available for threat modeling. The following are some of the most popular:&nbsp;<\/p>\n\n\n\n<p>1. <strong>Microsoft Threat Modeling Tool<\/strong> &#8211; The Microsoft Threat Modeling Tool is a free tool that helps organizations identify, quantify, and prioritize risks. It includes a library of common threats and vulnerabilities and provides a step-by-step guide for creating threat models.&nbsp;<\/p>\n\n\n\n<p>2. 
<strong>OWASP Threat Dragon<\/strong> &#8211; OWASP Threat Dragon is a modeling tool used to create threat model diagrams as part of a secure development lifecycle. As discussed before, creating these diagrams for the assets that need to be protected is a fundamental step in threat modeling, and should always be incorporated into the development cycle of components that can be at risk of attacks. Threat Dragon also supports STRIDE; it <strong>provides modeling diagrams<\/strong> and implements a rule engine to auto-generate threats and their mitigations.<\/p>\n\n\n\n<p>3. <strong>IriusRisk <\/strong>&#8211; IriusRisk is a product that allows you to generate a diagram of your architecture through easy drag-and-drop methods, like draw.io. It then <strong>generates a threat model in minutes<\/strong>, highlighting the possible risks your architecture may have, and it generates a series of possible countermeasures to hypothetical attacks. It also provides real-time threat scores and quickly generates reports.<\/p>\n\n\n\n<p>4. <a href=\"http:\/\/drawo.io\">draw.io<\/a> (<a href=\"https:\/\/www.diagrams.net\/\">https:\/\/www.diagrams.net\/<\/a>) &#8211; online tools that allow you to create diagrams using most cloud provider resources and objects, useful for analyzing the possible vulnerabilities of your architecture and assets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-main-takeaways\">Main Takeaways<\/h2>\n\n\n\n<p>Cybersecurity is among the most fundamental areas any company should invest in. <strong>Malicious hackers are always eager to find vulnerabilities<\/strong> to steal valuable information or inject dangerous software into a company\u2019s private network (e.g., ransomware).<\/p>\n\n\n\n<p>Every company should <strong>follow threat modeling guidelines<\/strong> to ensure that their infrastructure is safe from all attacks. In this article, we described the main steps to follow. 
Accenture provides companies with their extensive expertise in cybersecurity, computer networks, and threat modeling. <strong>Through their support, your company can be guided in each step when building critical infrastructure and pipelines<\/strong>, so that they\u2019re safer from external attacks. A threat modeling report will analyze the assets involved, generating an overall diagram, an architecture and data flow, and it will identify and highlight potential threats with relative priorities, also suggesting security controls that can mitigate the threat impacts.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.accenture.com\/it-it\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"250\" src=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/CO22_magazine_accenture_b-2.png\" alt=\"\" class=\"wp-image-17617\" srcset=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/CO22_magazine_accenture_b-2.png 975w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/CO22_magazine_accenture_b-2-300x77.png 300w, https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/CO22_magazine_accenture_b-2-768x197.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Threat Modeling is a security design process to identify potential threats that may impact web and mobile digital applications and determine the correct controls to produce effective countermeasures. Discover essential steps, concepts, and best practices in this guide created with insights by Accenture. 
An introduction to Threat Modeling In recent years, the need for Threat&#8230; <a class=\"more-link\" href=\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/\">Read more<\/a><\/p>\n","protected":false},"author":58,"featured_media":17620,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_editorskit_title_hidden":false,"_editorskit_reading_time":8,"_editorskit_is_block_options_detached":false,"_editorskit_block_options_position":"{}","_uag_custom_page_level_css":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[4329],"tags":[6280,38],"collections":[],"class_list":{"0":"post-17614","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cybersecurity","8":"tag-devsecops","9":"tag-security-manager","10":"entry"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.9 (Yoast SEO v26.9) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Threat Modeling for Digital Applications: A Quick Guide - Codemotion Magazine<\/title>\n<meta name=\"description\" content=\"Read on to discover more about threat modeling and how to follow guidelines for protecting your assets from cyberattacks\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Threat Modeling for Digital Applications: A Quick Guide\" \/>\n<meta 
property=\"og:description\" content=\"Read on to discover more about threat modeling and how to follow guidelines for protecting your assets from cyberattacks\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/\" \/>\n<meta property=\"og:site_name\" content=\"Codemotion Magazine\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Codemotion.Italy\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-04-27T08:07:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-04-27T08:07:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1919\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Norman Di Palo\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@CodemotionIT\" \/>\n<meta name=\"twitter:site\" content=\"@CodemotionIT\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Norman Di Palo\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/\"},\"author\":{\"name\":\"Norman Di Palo\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/55131e26e4c59236d55c04a6bb1363d0\"},\"headline\":\"Threat Modeling for Digital Applications: A Quick Guide\",\"datePublished\":\"2022-04-27T08:07:10+00:00\",\"dateModified\":\"2022-04-27T08:07:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/\"},\"wordCount\":1959,\"publisher\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling.jpg\",\"keywords\":[\"DevSecOps\",\"Security Manager\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/\",\"name\":\"Threat Modeling for Digital Applications: A Quick Guide - Codemotion 
Magazine\",\"isPartOf\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling.jpg\",\"datePublished\":\"2022-04-27T08:07:10+00:00\",\"dateModified\":\"2022-04-27T08:07:11+00:00\",\"description\":\"Read on to discover more about threat modeling and how to follow guidelines for protecting your assets from cyberattacks\",\"breadcrumb\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/#primaryimage\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling.jpg\",\"contentUrl\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling.jpg\",\"width\":1919,\"height\":1080,\"caption\":\"threat modeling, cybersecurity, PASTA, DREAD, 
STRIDE\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/threat-modeling-for-digital-applications-a-quick-guide\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.codemotion.com\/magazine\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity\",\"item\":\"https:\/\/www.codemotion.com\/magazine\/cybersecurity\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Threat Modeling for Digital Applications: A Quick Guide\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#website\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/\",\"name\":\"Codemotion Magazine\",\"description\":\"We code the future. Together\",\"publisher\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.codemotion.com\/magazine\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#organization\",\"name\":\"Codemotion\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2019\/11\/codemotionlogo.png\",\"contentUrl\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2019\/11\/codemotionlogo.png\",\"width\":225,\"height\":225,\"caption\":\"Codemotion\"},\"image\":{\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Codemotion.Italy\/\",\"https:\/\/x.com\/CodemotionIT\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.codemotion.com\
/magazine\/#\/schema\/person\/55131e26e4c59236d55c04a6bb1363d0\",\"name\":\"Norman Di Palo\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2024\/03\/norman-di-palo-100x100.jpeg\",\"contentUrl\":\"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2024\/03\/norman-di-palo-100x100.jpeg\",\"caption\":\"Norman Di Palo\"},\"description\":\"My name is Norman Di Palo, I\u2019m a Robotics and Artificial Intelligence student, researcher and consultant from Rome, Italy. I'm a public speaker and I've given several talks at tech events. I am founder and consultant for startups in Rome and Palo Alto. I write about my work and research on my blog, that is read by tens of thousands of people. I mostly enjoy robotics, deep learning, design, vinyls, and good coffee.\",\"url\":\"https:\/\/www.codemotion.com\/magazine\/author\/norman-di-palo\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->"}
Applications: A Quick Guide"}]},{"@type":"WebSite","@id":"https:\/\/www.codemotion.com\/magazine\/#website","url":"https:\/\/www.codemotion.com\/magazine\/","name":"Codemotion Magazine","description":"We code the future. Together","publisher":{"@id":"https:\/\/www.codemotion.com\/magazine\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.codemotion.com\/magazine\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.codemotion.com\/magazine\/#organization","name":"Codemotion","url":"https:\/\/www.codemotion.com\/magazine\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/logo\/image\/","url":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2019\/11\/codemotionlogo.png","contentUrl":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2019\/11\/codemotionlogo.png","width":225,"height":225,"caption":"Codemotion"},"image":{"@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Codemotion.Italy\/","https:\/\/x.com\/CodemotionIT"]},{"@type":"Person","@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/55131e26e4c59236d55c04a6bb1363d0","name":"Norman Di Palo","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.codemotion.com\/magazine\/#\/schema\/person\/image\/","url":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2024\/03\/norman-di-palo-100x100.jpeg","contentUrl":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2024\/03\/norman-di-palo-100x100.jpeg","caption":"Norman Di Palo"},"description":"My name is Norman Di Palo, I\u2019m a Robotics and Artificial Intelligence student, researcher and consultant from Rome, Italy. 
I'm a public speaker and I've given several talks at tech events. I am founder and consultant for startups in Rome and Palo Alto. I write about my work and research on my blog, that is read by tens of thousands of people. I mostly enjoy robotics, deep learning, design, vinyls, and good coffee.","url":"https:\/\/www.codemotion.com\/magazine\/author\/norman-di-palo\/"}]}},"featured_image_src":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling-600x400.jpg","featured_image_src_square":"https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling-600x600.jpg","author_info":{"display_name":"Norman Di Palo","author_link":"https:\/\/www.codemotion.com\/magazine\/author\/norman-di-palo\/"},"uagb_featured_image_src":{"full":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling.jpg",1919,1080,false],"thumbnail":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling-150x150.jpg",150,150,true],"medium":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling-300x169.jpg",300,169,true],"medium_large":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling-768x432.jpg",768,432,true],"large":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling-1024x576.jpg",1024,576,true],"1536x1536":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling-1536x864.jpg",1536,864,true],"2048x2048":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling.jpg",1919,1080,false],"small-home-featured":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling.jpg",100,56,false],"sidebar-featured":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling-180x128.jpg",180,128,true],"genesis-singular-images":["https:\/\/www.codemotion.com\/magazine\/wp-con
tent\/uploads\/2022\/04\/Threat-modeling-896x504.jpg",896,504,true],"archive-featured":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling-400x225.jpg",400,225,true],"gb-block-post-grid-landscape":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling-600x400.jpg",600,400,true],"gb-block-post-grid-square":["https:\/\/www.codemotion.com\/magazine\/wp-content\/uploads\/2022\/04\/Threat-modeling-600x600.jpg",600,600,true]},"uagb_author_info":{"display_name":"Norman Di Palo","author_link":"https:\/\/www.codemotion.com\/magazine\/author\/norman-di-palo\/"},"uagb_comment_info":0,"uagb_excerpt":"Threat Modeling is a security design process to identify potential threats that may impact web and mobile digital applications and determine the correct controls to produce effective countermeasures. Discover essential steps, concepts, and best practices in this guide created with insights by Accenture. An introduction to Threat Modeling In recent years, the need for 
Threat&#8230;&hellip;","lang":"en","_links":{"self":[{"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/posts\/17614","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/users\/58"}],"replies":[{"embeddable":true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/comments?post=17614"}],"version-history":[{"count":8,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/posts\/17614\/revisions"}],"predecessor-version":[{"id":17629,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/posts\/17614\/revisions\/17629"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/media\/17620"}],"wp:attachment":[{"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/media?parent=17614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/categories?post=17614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/tags?post=17614"},{"taxonomy":"collections","embeddable":true,"href":"https:\/\/www.codemotion.com\/magazine\/wp-json\/wp\/v2\/collections?post=17614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}