threat-modeling
| name | threat-modeling |
| category | security |
| difficulty | intermediate |
| nist_controls | ["RA-3","RA-5"] |
| tags | ["stride","risk-assessment","attack-trees","dfd","threat-analysis"] |
| related_skills | ["security-testing","secure-coding","vulnerability-management"] |
| learning_path | security |
| estimated_time | 4-6 hours |
| prerequisites | ["security-fundamentals","architecture-basics"] |
| description | T_tampering: description: Modifying data or code maliciously targets: [data_integrity, code_integrity] example: "Altering transaction amounts in transit" |
Identify, prioritize, and mitigate security threats systematically using the STRIDE methodology
```yaml
threats:
  S_spoofing:
    description: Impersonating something or someone else
    targets: [authentication, identity]
    example: "Using stolen credentials to access system"
  T_tampering:
    description: Modifying data or code maliciously
    targets: [data_integrity, code_integrity]
    example: "Altering transaction amounts in transit"
  R_repudiation:
    description: Claiming to not have performed an action
    targets: [logging, audit_trails]
    example: "Denying fraudulent transaction was performed"
  I_information_disclosure:
    description: Exposing information to unauthorized parties
    targets: [confidentiality, data_protection]
    example: "Leaking customer PII through error messages"
  D_denial_of_service:
    description: Making system unavailable or degraded
    targets: [availability, performance]
    example: "Overwhelming API with requests"
  E_elevation_of_privilege:
    description: Gaining unauthorized higher access level
    targets: [authorization, access_control]
    example: "Exploiting bug to gain admin rights"
```
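The following is an added example, not code from this skill or its REFERENCE.md. It walks a small data-flow diagram and lists which of the STRIDE categories above to review for each element, ranking flows that cross a trust boundary first. The per-element chart, the priority rule, the `Element` class and the sample `MODEL` are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE categories and the properties they target, as listed on this page.
STRIDE = {
    "S": ("spoofing", ["authentication", "identity"]),
    "T": ("tampering", ["data_integrity", "code_integrity"]),
    "R": ("repudiation", ["logging", "audit_trails"]),
    "I": ("information_disclosure", ["confidentiality", "data_protection"]),
    "D": ("denial_of_service", ["availability", "performance"]),
    "E": ("elevation_of_privilege", ["authorization", "access_control"]),
}

# Commonly used STRIDE-per-element chart (an assumption, not defined on this page).
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID", "data_flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # one of the APPLICABLE keys
    zone: str = ""   # trust zone (entities, processes, stores)
    src: str = ""    # source element name (data flows only)
    dst: str = ""    # destination element name (data flows only)

def enumerate_threats(elements):
    """Return (priority, element, category, targets) rows, highest priority first."""
    zones = {e.name: e.zone for e in elements if e.kind != "data_flow"}
    rows = []
    for e in elements:
        # A flow whose endpoints sit in different zones crosses a trust boundary.
        crosses = e.kind == "data_flow" and zones[e.src] != zones[e.dst]
        for letter in APPLICABLE[e.kind]:
            category, targets = STRIDE[letter]
            rows.append((2 if crosses else 1, e.name, category, targets))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

# Constructed sample model: a customer calling a payments API backed by a ledger.
MODEL = [
    Element("customer", "external_entity", zone="internet"),
    Element("payments_api", "process", zone="backend"),
    Element("ledger_db", "data_store", zone="backend"),
    Element("submit_payment", "data_flow", src="customer", dst="payments_api"),
    Element("write_ledger", "data_flow", src="payments_api", dst="ledger_db"),
]

if __name__ == "__main__":
    for prio, name, category, targets in enumerate_threats(MODEL):
        print(f"P{prio} {name:15} {category:24} checks: {', '.join(targets)}")
```

Each output row is a prompt for the "What can go wrong?" question, with the `targets` column naming the controls to check for that element.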
What are we building?
What can go wrong?
What should we do about it?
Did we do a good job?
Planning Phase:
Analysis Phase:
Prioritization:
Mitigation:
Documentation:
📚 Full Examples: See REFERENCE.md for complete code samples, detailed configurations, and production-ready implementations.
Implementation Guide
See REFERENCE.md for complete implementation.
// TODO: Add basic example for threat-modeling
// This example demonstrates core functionality
// TODO: Add advanced example for threat-modeling
// This example shows production-ready patterns
// TODO: Add integration example showing how threat-modeling
// works with other systems and services
See examples/threat-modeling/ for complete working examples.
This skill integrates with:
Problem: Not testing edge cases and error conditions leads to production bugs
Solution: Implement comprehensive test coverage including:
Prevention: Enforce minimum code coverage (80%+) in CI/CD pipeline
Problem: Hardcoding values makes applications inflexible and environment-dependent
Solution: Use environment variables and configuration management:
Prevention: Use tools like dotenv, config validators, and secret scanners
Problem: Security vulnerabilities from not following established security patterns
Solution: Follow security guidelines:
Prevention: Use security linters, SAST tools, and regular dependency updates
Best Practices:
Next Steps:
templates/stride-template.md for your first threat model
data-flow-diagram.md
threat-report-generator.py to create reports
resources/stride-examples.md
Related Skills: [security-testing] [secure-coding] [vulnerability-management]