基于STRIDE的威胁模型分析

v20260618

security-threat-model

该技能使用STRIDE框架为任何服务或功能生成完整的结构化威胁模型。它引导用户识别关键资产、定义信任边界，枚举特定的威胁（包括伪造、篡改、拒绝、信息泄露、拒绝服务、权限提升），评估风险，并提出具体的缓解措施。适用于安全设计评审和文档撰写。

安全威胁建模 STRIDE 架构设计设计评审

237 次下载

概览

Security Threat Model Skill

Produce a complete STRIDE-based threat model for a service or feature. A threat model is not a list of things that could go wrong — it is a structured analysis of attackers, assets, boundaries, and controls that lets an engineering team make informed, documented security decisions.

A good threat model is specific enough that a new engineer can understand what is being protected, why each control exists, and what risk the team has accepted.

Required Inputs

Ask for these if not already provided:

Service name and description — what the service does, who uses it
Architecture overview — components, dependencies, data flows (a diagram description or ASCII diagram is fine)
Deployment environment — cloud provider, VPC/network topology, where it runs (Kubernetes, ECS, VMs, serverless)
Data sensitivity — what data does this service handle? PII, payment data, credentials, internal-only?
Existing controls — authentication method, encryption in transit/at rest, current WAF/firewall, existing security scanning
Trust levels — who are the principals? (anonymous public, authenticated users, internal services, admins)

Output Format

Security Threat Model: [Service Name]

Service: [Name] | Team: [Team name] Author: [Name] | Reviewed by: [Security lead / peer] Date: [Date] | Next review: [Date — recommend 6 months or after major architecture change] Classification: [Internal / Confidential]

1. Overview

[2–3 sentences describing the service, its role in the system, and the scope of this threat model. State what is in scope and what is explicitly out of scope.]

In scope:

[Component or data flow]
[Component or data flow]

Out of scope:

[e.g. Third-party payment processor internals]
[e.g. Corporate network / end-user devices]

2. Asset Register

Assets are the things worth protecting — data, capabilities, and reputational value.

Asset	Description	Sensitivity	Owner
[e.g. User PII]	Names, email addresses, profile data	High — GDPR-regulated	[Team]
[e.g. API credentials]	Service-to-service auth tokens	Critical	[Team]
[e.g. Session tokens]	User authentication state	High	[Team]
[e.g. Audit logs]	Record of user and admin actions	Medium	[Team]
[e.g. Service availability]	Uptime of the [X] endpoint	Medium	[Team]

Data classification key:

Critical — Credential material; exposure enables direct system compromise
High — PII, financial data, health data; regulated or high reputational impact
Medium — Internal configuration, non-sensitive business data
Low — Public information, anonymised data

3. Trust Boundaries and Architecture

Trust boundaries are the lines that separate zones with different trust levels. Threats often occur when data or requests cross a boundary.

  ┌─────────────────────────────────────────────────────────────────┐
  │  INTERNET (Untrusted)                                           │
  │                                                                 │
  │   [Public User]          [Bot / Attacker]                       │
  └──────────────────────────────┬──────────────────────────────────┘
                                 │ HTTPS
                    ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─
                    Trust Boundary: Public → DMZ
                    ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─
                                 ▼
  ┌──────────────────────────────────────────────────────────────────┐
  │  DMZ / Edge Layer                                                │
  │   ┌────────────┐     ┌──────────────┐                           │
  │   │  WAF / CDN │────▶│  API Gateway │                           │
  │   └────────────┘     └──────┬───────┘                           │
  └──────────────────────────────┼───────────────────────────────────┘
                    ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─
                    Trust Boundary: Edge → Application VPC
                    ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─
                                 ▼
  ┌──────────────────────────────────────────────────────────────────┐
  │  Application VPC (Private)                                       │
  │   ┌──────────────┐     ┌────────────┐     ┌──────────────────┐  │
  │   │  [Service A] │────▶│ [Service B]│────▶│  [Database]      │  │
  │   └──────────────┘     └────────────┘     └──────────────────┘  │
  │                                ▲                                  │
  │                                │                                  │
  │   ┌──────────────┐             │                                  │
  │   │  Admin (IAM) │─────────────┘                                 │
  └──────────────────────────────────────────────────────────────────┘

Trust Boundaries identified:

Boundary	From	To	Auth mechanism	Encrypted
TB-1	Public internet	API Gateway	[JWT / OAuth / API key]	TLS 1.2+
TB-2	API Gateway	Service A	[mTLS / internal JWT / IAM role]	[Yes/No]
TB-3	Service A	Database	[Connection string + IAM / username+password]	[Yes/No]
TB-4	Admin	Service B	[IAM role / VPN + MFA]	TLS

4. STRIDE Threat Analysis

STRIDE is a threat classification framework. For each significant component, enumerate threats in each category.

STRIDE key:

S — Spoofing: Impersonating another user, service, or system
T — Tampering: Modifying data or code without authorisation
R — Repudiation: Denying an action occurred; insufficient audit trail
I — Information Disclosure: Exposing data to unauthorised parties
D — Denial of Service: Making the service unavailable
E — Elevation of Privilege: Gaining capabilities beyond what is authorised

Component: [API Gateway / Auth Layer]

ID	Category	Threat	Attack vector	Existing control
T-001	S	Attacker forges a JWT token to authenticate as another user	Weak signing key or algorithm confusion (alg:none)	[e.g. RS256 with key rotation / none]
T-002	S	Attacker replays a stolen session token	Theft via XSS or network sniff	[e.g. Token expiry + refresh rotation]
T-003	T	Attacker modifies request headers to bypass tenant isolation	Missing validation of tenant ID header	[e.g. Server-side tenant resolution / none]
T-004	R	No audit trail for admin authentication events	Logging not configured for auth failures	[e.g. CloudTrail enabled / none]
T-005	I	Auth error messages reveal whether an email exists	Verbose error responses	[e.g. Normalised error responses / none]
T-006	D	Credential stuffing exhausts rate limits and blocks legitimate users	Automated login attempts	[e.g. Rate limiting per IP + CAPTCHA / none]
T-007	E	Compromised low-privilege token used to call admin endpoint	Missing role check on admin routes	[e.g. RBAC middleware on all routes / none]

Component: [Application Service / Business Logic]

ID	Category	Threat	Attack vector	Existing control
T-008	T	SQL/NoSQL injection via unsanitised user input	Unparameterised queries	[e.g. ORM with parameterised queries / none]
T-009	T	Mass assignment — attacker sets fields they should not (e.g. `isAdmin: true`)	API accepts extra fields without allowlist	[e.g. Input validation / none]
T-010	I	Insecure direct object reference — user accesses another user's resource	Missing ownership check on resource ID	[e.g. Ownership middleware / none]
T-011	I	Sensitive data in application logs (PII, tokens)	Over-logging in debug mode	[e.g. Log scrubbing / none]
T-012	D	Unprotected expensive endpoint triggers large DB scan	No pagination or query cost limit	[e.g. Pagination enforced / none]
T-013	R	Business-critical state changes not logged	No audit event on [operation]	[e.g. Audit log table / none]

Component: [Database]

ID	Category	Threat	Attack vector	Existing control
T-014	I	Database exposed to internet (misconfigured security group)	Direct connection from outside VPC	[e.g. No public IP, security group restricts to app subnet]
T-015	I	Backup snapshots not encrypted or accessible to wrong accounts	Unencrypted snapshot, public S3	[e.g. Encrypted snapshots, private S3 bucket]
T-016	T	Privilege escalation via DB account with excessive permissions	App uses a superuser DB account	[e.g. Least-privilege DB role per service / none]
T-017	D	Runaway query or bulk delete causes data loss or outage	No query timeout or soft-delete	[e.g. Statement timeout, soft-delete on critical tables / none]

Component: [Internal Service-to-Service Communication]

ID	Category	Threat	Attack vector	Existing control
T-018	S	Rogue internal service impersonates a trusted service	No mutual authentication between services	[e.g. mTLS / service mesh / none]
T-019	I	Internal traffic sniffed on shared network	Unencrypted service-to-service calls	[e.g. Service mesh with TLS / none]
T-020	E	Compromised internal service calls privileged endpoints	No scoping on internal tokens	[e.g. Scoped service tokens / none]

5. Risk Register

Score each threat: Likelihood (1–5) × Impact (1–5) = Risk Score (1–25)

Priority bands: Critical (20–25) | High (12–19) | Medium (6–11) | Low (1–5)

ID	Threat summary	Likelihood	Impact	Score	Priority	Status
T-001	JWT forgery — auth bypass	2	5	10	Medium	[Open / Mitigated / Accepted]
T-002	Session token replay	3	4	12	High	[Open / Mitigated / Accepted]
T-007	Privilege escalation via missing role check	3	5	15	High	[Open / Mitigated / Accepted]
T-008	SQL injection	2	5	10	Medium	[Open / Mitigated / Accepted]
T-010	IDOR — cross-user data access	3	4	12	High	[Open / Mitigated / Accepted]
T-014	Database exposed to internet	1	5	5	Low	[Open / Mitigated / Accepted]
T-018	Rogue internal service impersonation	2	4	8	Medium	[Open / Mitigated / Accepted]

6. Mitigations Table

For every Open threat with priority Medium or above, define a specific mitigation.

ID	Threat	Mitigation	Owner	Target date	Ticket
T-002	Session token replay	Implement token rotation on refresh — invalidate old token server-side immediately	[Engineer name]	[Date]	[JIRA-123]
T-007	Privilege escalation	Add RBAC middleware to all `/admin/*` routes; write integration test for role boundary	[Engineer name]	[Date]	[JIRA-124]
T-010	IDOR	Add ownership assertion to all resource-fetching service methods; add to code review checklist	[Engineer name]	[Date]	[JIRA-125]
T-011	PII in logs	Audit logging calls for PII fields; add scrubbing to logger middleware	[Engineer name]	[Date]	[JIRA-126]
T-018	Rogue service impersonation	Enable mTLS via service mesh or issue scoped service tokens per service	[Engineer name]	[Date]	[JIRA-127]

7. Accepted Risks

Accepted risks are threats the team has decided not to mitigate right now. Every accepted risk must have a named owner and a review date.

ID	Threat	Reason for acceptance	Risk owner	Review date
T-014	Database public exposure	Database has no public IP assigned; control already in place — accepted as low likelihood	[Name]	[Date]
[ID]	[Threat]	[Reason — e.g. "Effort exceeds risk at current scale; re-evaluate at 10× traffic"]	[Name]	[Date]

8. Security Controls Summary

Control	Type	Covers threats	Implemented
JWT RS256 with 15-min expiry	Preventive	T-001, T-002	[Yes / Partial / No]
RBAC middleware on all routes	Preventive	T-007, T-020	[Yes / Partial / No]
Parameterised queries (ORM)	Preventive	T-008	[Yes / Partial / No]
Rate limiting (100 req/min per IP)	Preventive	T-006, T-012	[Yes / Partial / No]
CloudTrail / audit logging	Detective	T-004, T-013	[Yes / Partial / No]
Automated SAST in CI pipeline	Detective	T-008, T-009	[Yes / Partial / No]
Encrypted backups + private S3	Preventive	T-015	[Yes / Partial / No]
Least-privilege DB role	Preventive	T-016	[Yes / Partial / No]
Incident response runbook	Corrective	All	[Yes / Partial / No]

9. Review Cadence

Trigger	Action
Every 6 months	Full threat model review — update risk scores, close mitigated items
Major architecture change	Update trust boundary diagram and re-run STRIDE for new components
Security incident	Review relevant threats; add any newly discovered vectors
New data classification	Add assets to register; assess whether new STRIDE categories apply
Third-party dependency added	Assess supply chain threats for the new dependency

Next scheduled review: [Date] Review owner: [Name / Security lead]

Quality Checks

Every trust boundary is named and its authentication mechanism is specified — not left as "TBD"
Every Critical and High risk in the risk register has a mitigation with a named owner and a target date
Every accepted risk has a named risk owner and a review date — no unowned accepted risks
The asset register includes data sensitivity levels and at least one entry for credential material
STRIDE analysis covers all major components — not just the API layer
Mitigation actions are specific enough to become a ticket (not "improve security")
The ASCII trust boundary diagram matches the architecture description provided

Anti-Patterns

Do not restrict STRIDE analysis to only the API layer — threats exist at every component including the database and internal services
Do not leave mitigations as vague directives like "improve security" — every mitigation must be specific enough to become a ticket
Do not accept risks without a named owner and a review date — unowned accepted risks are not managed risks
Do not write a threat model that covers only theoretical threats — prioritise by likelihood and impact using the risk register
Do not omit the asset register — without knowing what is being protected, the STRIDE analysis has no anchor

信息

Category 编程开发

Name security-threat-model

版本 v20260618

大小 16.21KB

Source mohitagw15856/pm-claude-skills

更新时间 2026-06-19