Threat modeling is a structured process for identifying a system's potential security threats and planning defenses against them: thinking systematically about what could go wrong, who might attack, and how to respond. It is a proactive approach to security, carried out at the design stage.
What threat modeling is
Threat modeling = systematically analyzing a system to find SECURITY THREATS and decide
how to mitigate them — BEFORE building (or as a review):
→ understand the system (data flows, components, trust boundaries, assets)
→ identify THREATS (what could an attacker do? where are the weak points?)
→ assess and prioritize risks; plan MITIGATIONS
→ proactive security: design defenses by thinking like an attacker, early.
Common approaches (and STRIDE)
Typical questions:
1. What are we building? (diagram the system, data flows, trust boundaries)
2. What can go wrong? (identify threats)
3. What do we do about it? (mitigations)
4. Did we do a good job? (review)
STRIDE → a framework for categorizing threats:
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service,
Elevation of privilege
→ helps systematically consider threat types per component/data flow.
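As an added example (not part of the original notes), a small Python model of the "per component/data flow" step: each element of a data-flow diagram gets the STRIDE categories that typically apply to its type (the STRIDE-per-element convention from the Microsoft SDL, assumed here), and flows whose endpoints sit in different trust zones are flagged as boundary crossings and listed first. The browser/API/database system is constructed for the example.

```python
from dataclasses import dataclass

# STRIDE categories each DFD element type is normally exposed to
# (the "STRIDE-per-element" convention from the Microsoft SDL; assumed here).
STRIDE_PER_ELEMENT = {
    "external": "SR",      # external entity (user, third-party service)
    "process": "STRIDE",   # running code: services, APIs
    "store": "TRID",       # data at rest: databases, files, queues
    "flow": "TID",         # data in transit between elements
}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" | "process" | "store"
    zone: str   # trust zone; a flow between different zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    label: str

def enumerate_threats(elements, flows):
    """Return (target, threat, crosses_boundary) triples, one per STRIDE letter
    that applies to each element and flow. Flows crossing a trust boundary are
    flagged and sorted first so they get mitigated/reviewed before the rest."""
    threats = []
    for e in elements:
        for c in STRIDE_PER_ELEMENT[e.kind]:
            threats.append((e.name, NAMES[c], False))
    for f in flows:
        crosses = f.src.zone != f.dst.zone
        for c in STRIDE_PER_ELEMENT["flow"]:
            threats.append((f.label, NAMES[c], crosses))
    return sorted(threats, key=lambda t: not t[2])  # boundary crossings first

# Constructed sample system: browser -> web API -> database, three trust zones
BROWSER = Element("browser", "external", "internet")
API = Element("web-api", "process", "dmz")
DB = Element("orders-db", "store", "internal")
SAMPLE_ELEMENTS = [BROWSER, API, DB]
SAMPLE_FLOWS = [Flow(BROWSER, API, "HTTPS login request"),
                Flow(API, DB, "SQL query")]

if __name__ == "__main__":
    for target, threat, crosses in enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS):
        print(f"{'[BOUNDARY] ' if crosses else '':11}{threat}: {target}")
```

Each listed triple is a candidate threat to accept, mitigate, or document as out of scope; the list is the input to the "what do we do about it?" step, not the answer to it.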
