Threat modeling is hypothesis generation for an adversary. Walk the change set as the attacker would: where does untrusted input enter, what trust boundary does it cross, what does it gain on the other side. Every unaudited path is a free move for the attacker.
When to Apply / NOT
Apply: new external surface (HTTP route, RPC method, file upload); AuthN/AuthZ change; deserialization / parsing of untrusted input; new dependency or major-version upgrade; cryptographic change; pre-release of public-facing service; incident postmortem.
NOT apply: internal refactor with no trust-boundary delta; pure performance work; documentation-only changes; internal-only experimental code.
Anti-patterns
- Allowlist-by-omission: treating "no obvious issue" as "secure".
- Crypto improvisation: hand-rolling primitives.
- Trust the client: validating only client-side.
- Logging secrets: tokens, PII, session cookies in logs.
- Default-permit ACL: authorization checks on opt-in basis.
- Magic-string config: secrets in source / env files.
- Outdated SBOM: stale dependency snapshots.
- Skipping the threat model: jumping to checklist without naming assets/actors/boundaries.
STRIDE Question Template
Apply each prompt to every component touched by the change.
| Letter | Threat | Required questions |
|---|---|---|
| S | Spoofing | Who is the principal? How is identity proven? Can the credential be forged, replayed, or stolen? Is MFA / mutual-auth enforced? |
| T | Tampering | What inputs cross the trust boundary? Are they validated against an explicit schema (Zod / Pydantic / serde)? Are messages integrity-protected (HMAC / signature / TLS)? |
| R | Repudiation | Are security-relevant actions logged with actor + timestamp + outcome? Are logs append-only / tamper-evident? |
| I | Information Disclosure | What data is returned in error paths, logs, telemetry? Are PII / secrets ever serialized? Are timing side-channels addressed (constant-time compare)? |
| D | Denial of Service | Are inputs bounded (size, count, depth)? Is parsing resource-limited (zip-bomb, billion-laughs, ReDoS)? Are external calls rate-limited? |
| E | Elevation of Privilege | What privilege does the new code execute under? Is least privilege honored? Can input alter privilege (path traversal, SQL injection, deserialization gadget)? |
For each "yes" / "unclear" answer, file a finding with severity and remediation owner.
OWASP Top 10 (2021) Walkthrough
- Broken Access Control —
git grep -n -C 3 'authorize\|@PreAuthorize\|require_role'then trace policy. - Cryptographic Failures —
git grep -n -E 'MD5|SHA1|DES|Random\(\)'for weak primitives. Use-E(extended regex) for alternation;-F(fixed-string) breaks the pipe-as-OR. Add ecosystem patterns as needed:Math.random,secrets.choice,Mersenneconstants. - Injection —
ast-greppatterns for unparameterized queries / shell concat / template eval. - Insecure Design — threat model walk; cross-check STRIDE.
- Security Misconfiguration — TLS / CORS / CSP / cookie flags / debug toggles.
- Vulnerable & Outdated Components — language-family CVE scanner.
- Identification & Authentication Failures — token TTL, refresh, session fixation, MFA.
- Software & Data Integrity Failures — lockfile pinned; signature-verified artifacts; CI provenance.
- Security Logging & Monitoring Failures — audit log coverage; alert on auth-fail / privilege-escalation.
- Server-Side Request Forgery — egress allowlist; SSRF guard on URL inputs.
Parallel Dep-Audit Tooling
| Family | CVE scanner | Secrets / history | SBOM |
|---|---|---|---|
| Rust | cargo audit, cargo deny check advisories | gitleaks, trufflehog | cargo cyclonedx, syft |
| Python | pip-audit, safety check | gitleaks, detect-secrets | cyclonedx-py, syft |
| JavaScript/TypeScript | npm audit, pnpm audit, bun audit | gitleaks, trufflehog | cyclonedx-bom, syft |
| Go | govulncheck, nancy | gitleaks, trufflehog | cyclonedx-gomod, syft |
| Java/Kotlin | OWASP Dependency-Check, gradle dependencyCheckAnalyze | gitleaks, trufflehog | CycloneDX Gradle/Maven, syft |
| OCaml | opam audit, opam-repository advisory feed | gitleaks, detect-secrets | syft (filesystem) |
Use fd -e <ext> (not find). Use git grep -n -F 'literal' (not grep). Use bat -P -p -n (not cat).
Constitutional Rules
- Default deny.
- Validate at the trust boundary — schema-validate every input.
- Never roll your own crypto.
- No secrets in source — vault-only; enforce via
gitleaks. - Pin and verify — lockfiles checked in, integrity hashes enforced.
- Log security events — every AuthN/AuthZ outcome.
- Severity is a contract — Critical/high block merge.