threat-modeling
| name | threat-modeling |
| category | security |
| difficulty | intermediate |
| nist_controls | ["RA-3","RA-5"] |
| tags | ["stride","risk-assessment","attack-trees","dfd","threat-analysis"] |
| related_skills | ["security-testing","secure-coding","vulnerability-management"] |
| learning_path | security |
| estimated_time | 4-6 hours |
| prerequisites | ["security-fundamentals","architecture-basics"] |
| description | T_tampering: description: Modifying data or code maliciously targets: [data_integrity, code_integrity] example: "Altering transaction amounts in transit" |
Identify, prioritize, and mitigate security threats systematically using the STRIDE methodology.
```yaml
threats:
  S_spoofing:
    description: Impersonating something or someone else
    targets: [authentication, identity]
    example: "Using stolen credentials to access system"
  T_tampering:
    description: Modifying data or code maliciously
    targets: [data_integrity, code_integrity]
    example: "Altering transaction amounts in transit"
  R_repudiation:
    description: Claiming to not have performed an action
    targets: [logging, audit_trails]
    example: "Denying fraudulent transaction was performed"
  I_information_disclosure:
    description: Exposing information to unauthorized parties
    targets: [confidentiality, data_protection]
    example: "Leaking customer PII through error messages"
  D_denial_of_service:
    description: Making system unavailable or degraded
    targets: [availability, performance]
    example: "Overwhelming API with requests"
  E_elevation_of_privilege:
    description: Gaining unauthorized higher access level
    targets: [authorization, access_control]
    example: "Exploiting bug to gain admin rights"
```
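An added example (not part of the original skill or its REFERENCE.md): applying the six categories above to a data-flow diagram, one element at a time, to produce the list of candidate threats to triage. The element-to-category chart is the widely used STRIDE-per-element mapping, and the sample DFD, the `Element` class and the "trust boundary first" ordering are assumptions made for this illustration.

```python
from dataclasses import dataclass

# STRIDE letter -> (category, one targeted property from the table above).
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "data_integrity"),
    "R": ("Repudiation", "audit_trails"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}

# Assumption: the common STRIDE-per-element chart (not taken from this page).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",   # R matters mainly when the store holds audit logs
    "data_flow": "TID",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    crosses_trust_boundary: bool = False

def enumerate_threats(elements):
    """Return one candidate threat per (element, applicable STRIDE category)."""
    rows = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element kind: {el.kind!r}")
        for letter in APPLICABLE[el.kind]:
            category, prop = STRIDE[letter]
            rows.append({"element": el.name, "category": category,
                         "property": prop,
                         "review_first": el.crosses_trust_boundary})
    # Stable sort: elements that cross a trust boundary are reviewed first.
    rows.sort(key=lambda r: not r["review_first"])
    return rows

# Constructed sample DFD for a payment service (illustrative only).
SAMPLE_DFD = [
    Element("customer browser", "external_entity"),
    Element("payment API", "process", crosses_trust_boundary=True),
    Element("browser -> API request", "data_flow", crosses_trust_boundary=True),
    Element("transactions DB", "data_store"),
]

if __name__ == "__main__":
    for r in enumerate_threats(SAMPLE_DFD):
        print(f"{r['element']:24} {r['category']:24} {r['property']}")
```

Each row is a question to answer during analysis, not a confirmed finding; rows that do not apply are closed with a recorded reason.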
What are we building?
What can go wrong?
What should we do about it?
Did we do a good job?
Planning Phase:
Analysis Phase:
Prioritization:
Mitigation:
Documentation:
📚 Full Examples: See REFERENCE.md for complete code samples, detailed configurations, and production-ready implementations.
Implementation Guide
See REFERENCE.md for complete implementation.
// TODO: Add basic example for threat-modeling
// This example demonstrates core functionality
// TODO: Add advanced example for threat-modeling
// This example shows production-ready patterns
// TODO: Add integration example showing how threat-modeling
// works with other systems and services
See examples/threat-modeling/ for complete working examples.
This skill integrates with:
Problem: Not testing edge cases and error conditions leads to production bugs
Solution: Implement comprehensive test coverage including:
Prevention: Enforce minimum code coverage (80%+) in CI/CD pipeline
Problem: Hardcoding values makes applications inflexible and environment-dependent
Solution: Use environment variables and configuration management:
Prevention: Use tools like dotenv, config validators, and secret scanners
Problem: Security vulnerabilities from not following established security patterns
Solution: Follow security guidelines:
Prevention: Use security linters, SAST tools, and regular dependency updates
Best Practices:
Next Steps:
- templates/stride-template.md for your first threat model
- data-flow-diagram.md
- threat-report-generator.py to create reports
- resources/stride-examples.md

Related Skills: [security-testing] [secure-coding] [vulnerability-management]