threat-model-generator
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseThreat Model Generator
威胁模型生成器
Systematically identify and mitigate security threats.
系统性地识别并缓解安全威胁。
STRIDE Methodology
STRIDE方法论
S - Spoofing: Impersonating someone/something
T - Tampering: Modifying data or code
R - Repudiation: Claiming you didn't do something
I - Information Disclosure: Exposing protected information
D - Denial of Service: Making system unavailable
E - Elevation of Privilege: Gaining unauthorized permissionsS - Spoofing: Impersonating someone/something
T - Tampering: Modifying data or code
R - Repudiation: Claiming you didn't do something
I - Information Disclosure: Exposing protected information
D - Denial of Service: Making system unavailable
E - Elevation of Privilege: Gaining unauthorized permissionsAsset Identification
资产识别
typescript
interface Asset {
name: string;
type: "data" | "service" | "user" | "infrastructure";
sensitivity: "public" | "internal" | "confidential" | "restricted";
criticality: "low" | "medium" | "high" | "critical";
}
const assets: Asset[] = [
{
name: "User Credentials (passwords, tokens)",
type: "data",
sensitivity: "restricted",
criticality: "critical",
},
{
name: "Payment Information (credit cards)",
type: "data",
sensitivity: "restricted",
criticality: "critical",
},
{
name: "API Service",
type: "service",
sensitivity: "internal",
criticality: "high",
},
{
name: "User Profile Data",
type: "data",
sensitivity: "confidential",
criticality: "medium",
},
];typescript
interface Asset {
name: string;
type: "data" | "service" | "user" | "infrastructure";
sensitivity: "public" | "internal" | "confidential" | "restricted";
criticality: "low" | "medium" | "high" | "critical";
}
const assets: Asset[] = [
{
name: "User Credentials (passwords, tokens)",
type: "data",
sensitivity: "restricted",
criticality: "critical",
},
{
name: "Payment Information (credit cards)",
type: "data",
sensitivity: "restricted",
criticality: "critical",
},
{
name: "API Service",
type: "service",
sensitivity: "internal",
criticality: "high",
},
{
name: "User Profile Data",
type: "data",
sensitivity: "confidential",
criticality: "medium",
},
];Threat Enumeration
威胁枚举
typescript
interface Threat {
id: string;
category: "S" | "T" | "R" | "I" | "D" | "E";
description: string;
asset: string;
attackVector: string;
likelihood: "low" | "medium" | "high";
impact: "low" | "medium" | "high" | "critical";
riskScore: number;
}
const threats: Threat[] = [
{
id: "T-001",
category: "S",
description: "Attacker impersonates user with stolen credentials",
asset: "User Credentials",
attackVector: "Phishing, credential stuffing, brute force",
likelihood: "high",
impact: "critical",
riskScore: 9,
},
{
id: "T-002",
category: "T",
description: "SQL injection allows data modification",
asset: "User Profile Data",
attackVector: "Malicious SQL in input fields",
likelihood: "medium",
impact: "high",
riskScore: 7,
},
{
id: "T-003",
category: "I",
description: "API exposes sensitive user data without auth",
asset: "User Profile Data",
attackVector: "Direct API access, IDOR",
likelihood: "medium",
impact: "high",
riskScore: 7,
},
{
id: "T-004",
category: "D",
description: "DDoS attack overwhelms API",
asset: "API Service",
attackVector: "Volumetric attack, application-layer flood",
likelihood: "medium",
impact: "high",
riskScore: 7,
},
{
id: "T-005",
category: "E",
description: "Privilege escalation via role manipulation",
asset: "User Profile Data",
attackVector: "Parameter tampering, insecure direct object reference",
likelihood: "low",
impact: "critical",
riskScore: 6,
},
];typescript
interface Threat {
id: string;
category: "S" | "T" | "R" | "I" | "D" | "E";
description: string;
asset: string;
attackVector: string;
likelihood: "low" | "medium" | "high";
impact: "low" | "medium" | "high" | "critical";
riskScore: number;
}
const threats: Threat[] = [
{
id: "T-001",
category: "S",
description: "Attacker impersonates user with stolen credentials",
asset: "User Credentials",
attackVector: "Phishing, credential stuffing, brute force",
likelihood: "high",
impact: "critical",
riskScore: 9,
},
{
id: "T-002",
category: "T",
description: "SQL injection allows data modification",
asset: "User Profile Data",
attackVector: "Malicious SQL in input fields",
likelihood: "medium",
impact: "high",
riskScore: 7,
},
{
id: "T-003",
category: "I",
description: "API exposes sensitive user data without auth",
asset: "User Profile Data",
attackVector: "Direct API access, IDOR",
likelihood: "medium",
impact: "high",
riskScore: 7,
},
{
id: "T-004",
category: "D",
description: "DDoS attack overwhelms API",
asset: "API Service",
attackVector: "Volumetric attack, application-layer flood",
likelihood: "medium",
impact: "high",
riskScore: 7,
},
{
id: "T-005",
category: "E",
description: "Privilege escalation via role manipulation",
asset: "User Profile Data",
attackVector: "Parameter tampering, insecure direct object reference",
likelihood: "low",
impact: "critical",
riskScore: 6,
},
];Mitigation Strategies
缓解策略
typescript
interface Mitigation {
threatId: string;
strategy: string;
implementation: string;
effectiveness: "low" | "medium" | "high";
cost: "low" | "medium" | "high";
priority: 1 | 2 | 3;
}
const mitigations: Mitigation[] = [
{
threatId: "T-001",
strategy: "Multi-factor authentication",
implementation: "TOTP via authenticator app + SMS backup",
effectiveness: "high",
cost: "medium",
priority: 1,
},
{
threatId: "T-001",
strategy: "Rate limiting on login attempts",
implementation: "Max 5 attempts per 15 minutes per IP",
effectiveness: "medium",
cost: "low",
priority: 1,
},
{
threatId: "T-002",
strategy: "Parameterized queries",
implementation: "Use ORM (Prisma) for all database access",
effectiveness: "high",
cost: "low",
priority: 1,
},
{
threatId: "T-003",
strategy: "Authentication & Authorization",
implementation: "JWT tokens + RBAC middleware on all routes",
effectiveness: "high",
cost: "low",
priority: 1,
},
{
threatId: "T-004",
strategy: "Rate limiting & CDN",
implementation: "CloudFlare with rate limits + WAF rules",
effectiveness: "high",
cost: "medium",
priority: 2,
},
{
threatId: "T-005",
strategy: "Role-based access control",
implementation: "Enforce RBAC checks on all mutations",
effectiveness: "high",
cost: "low",
priority: 1,
},
];typescript
interface Mitigation {
threatId: string;
strategy: string;
implementation: string;
effectiveness: "low" | "medium" | "high";
cost: "low" | "medium" | "high";
priority: 1 | 2 | 3;
}
const mitigations: Mitigation[] = [
{
threatId: "T-001",
strategy: "Multi-factor authentication",
implementation: "TOTP via authenticator app + SMS backup",
effectiveness: "high",
cost: "medium",
priority: 1,
},
{
threatId: "T-001",
strategy: "Rate limiting on login attempts",
implementation: "Max 5 attempts per 15 minutes per IP",
effectiveness: "medium",
cost: "low",
priority: 1,
},
{
threatId: "T-002",
strategy: "Parameterized queries",
implementation: "Use ORM (Prisma) for all database access",
effectiveness: "high",
cost: "low",
priority: 1,
},
{
threatId: "T-003",
strategy: "Authentication & Authorization",
implementation: "JWT tokens + RBAC middleware on all routes",
effectiveness: "high",
cost: "low",
priority: 1,
},
{
threatId: "T-004",
strategy: "Rate limiting & CDN",
implementation: "CloudFlare with rate limits + WAF rules",
effectiveness: "high",
cost: "medium",
priority: 2,
},
{
threatId: "T-005",
strategy: "Role-based access control",
implementation: "Enforce RBAC checks on all mutations",
effectiveness: "high",
cost: "low",
priority: 1,
},
];Residual Risk Assessment
剩余风险评估
typescript
interface ResidualRisk {
threatId: string;
originalRisk: number;
mitigatedRisk: number;
residualRisk: number;
acceptanceReason?: string;
monitoringRequired: boolean;
}
function calculateResidualRisk(
threat: Threat,
mitigations: Mitigation[]
): ResidualRisk {
const threatMitigations = mitigations.filter((m) => m.threatId === threat.id);
// Calculate risk reduction
const maxEffectiveness = Math.max(
...threatMitigations.map((m) => {
if (m.effectiveness === "high") return 0.8;
if (m.effectiveness === "medium") return 0.5;
return 0.2;
})
);
const mitigatedRisk = threat.riskScore * (1 - maxEffectiveness);
return {
threatId: threat.id,
originalRisk: threat.riskScore,
mitigatedRisk,
residualRisk: Math.round(mitigatedRisk),
acceptanceReason:
mitigatedRisk < 3 ? "Risk reduced to acceptable level" : undefined,
monitoringRequired: mitigatedRisk >= 3,
};
}typescript
interface ResidualRisk {
threatId: string;
originalRisk: number;
mitigatedRisk: number;
residualRisk: number;
acceptanceReason?: string;
monitoringRequired: boolean;
}
function calculateResidualRisk(
threat: Threat,
mitigations: Mitigation[]
): ResidualRisk {
const threatMitigations = mitigations.filter((m) => m.threatId === threat.id);
// Calculate risk reduction
const maxEffectiveness = Math.max(
...threatMitigations.map((m) => {
if (m.effectiveness === "high") return 0.8;
if (m.effectiveness === "medium") return 0.5;
return 0.2;
})
);
const mitigatedRisk = threat.riskScore * (1 - maxEffectiveness);
return {
threatId: threat.id,
originalRisk: threat.riskScore,
mitigatedRisk,
residualRisk: Math.round(mitigatedRisk),
acceptanceReason:
mitigatedRisk < 3 ? "Risk reduced to acceptable level" : undefined,
monitoringRequired: mitigatedRisk >= 3,
};
}Threat Model Document Template
威胁模型文档模板
markdown
undefinedmarkdown
undefinedThreat Model: User Authentication System
Threat Model: User Authentication System
Date: 2024-01-15
Owner: Security Team
Reviewers: Engineering, Product
Date: 2024-01-15
Owner: Security Team
Reviewers: Engineering, Product
1. System Overview
1. System Overview
Architecture
Architecture
- Frontend: React SPA
- Backend: Node.js + Express
- Database: PostgreSQL
- Auth: JWT tokens
- Frontend: React SPA
- Backend: Node.js + Express
- Database: PostgreSQL
- Auth: JWT tokens
Trust Boundaries
Trust Boundaries
- Internet → CDN
- CDN → Backend API
- Backend API → Database
- Internet → CDN
- CDN → Backend API
- Backend API → Database
2. Assets
2. Assets
| Asset | Type | Sensitivity | Criticality |
|---|---|---|---|
| User Credentials | Data | Restricted | Critical |
| Session Tokens | Data | Restricted | Critical |
| User Profile | Data | Confidential | Medium |
| Asset | Type | Sensitivity | Criticality |
|---|---|---|---|
| User Credentials | Data | Restricted | Critical |
| Session Tokens | Data | Restricted | Critical |
| User Profile | Data | Confidential | Medium |
3. Threats (STRIDE)
3. Threats (STRIDE)
Spoofing (S)
Spoofing (S)
T-001: Credential Theft
- Likelihood: High
- Impact: Critical
- Risk Score: 9
- Attack Vector: Phishing, credential stuffing
- Mitigations:
- MFA required for all accounts
- Rate limiting on login (5 attempts/15min)
- Breach password detection
- Residual Risk: 3 (Low)
T-001: Credential Theft
- Likelihood: High
- Impact: Critical
- Risk Score: 9
- Attack Vector: Phishing, credential stuffing
- Mitigations:
- MFA required for all accounts
- Rate limiting on login (5 attempts/15min)
- Breach password detection
- Residual Risk: 3 (Low)
Tampering (T)
Tampering (T)
T-002: Token Modification
- Likelihood: Medium
- Impact: High
- Risk Score: 7
- Attack Vector: Token tampering, replay attacks
- Mitigations:
- HMAC signature on JWT
- Short token expiry (15 min)
- Refresh token rotation
- Residual Risk: 2 (Low)
T-002: Token Modification
- Likelihood: Medium
- Impact: High
- Risk Score: 7
- Attack Vector: Token tampering, replay attacks
- Mitigations:
- HMAC signature on JWT
- Short token expiry (15 min)
- Refresh token rotation
- Residual Risk: 2 (Low)
Information Disclosure (I)
Information Disclosure (I)
T-003: Sensitive Data Leakage
- Likelihood: Medium
- Impact: High
- Risk Score: 7
- Attack Vector: Error messages, logs, API responses
- Mitigations:
- Generic error messages
- PII redaction in logs
- HTTPS everywhere
- Residual Risk: 2 (Low)
T-003: Sensitive Data Leakage
- Likelihood: Medium
- Impact: High
- Risk Score: 7
- Attack Vector: Error messages, logs, API responses
- Mitigations:
- Generic error messages
- PII redaction in logs
- HTTPS everywhere
- Residual Risk: 2 (Low)
4. Risk Summary
4. Risk Summary
| Priority | Threats | Mitigated | Residual Risk |
|---|---|---|---|
| P1 | 3 | 3 | Low |
| P2 | 2 | 1 | Medium |
| P3 | 1 | 0 | Medium |
| Priority | Threats | Mitigated | Residual Risk |
|---|---|---|---|
| P1 | 3 | 3 | Low |
| P2 | 2 | 1 | Medium |
| P3 | 1 | 0 | Medium |
5. Recommendations
5. Recommendations
-
Immediate (P1)
- Implement MFA
- Add rate limiting
- Deploy PII redaction
-
Short-term (P2)
- Add DDoS protection
- Implement RBAC auditing
-
Long-term (P3)
- Security training for team
- Penetration testing
-
Immediate (P1)
- Implement MFA
- Add rate limiting
- Deploy PII redaction
-
Short-term (P2)
- Add DDoS protection
- Implement RBAC auditing
-
Long-term (P3)
- Security training for team
- Penetration testing
6. Acceptance
6. Acceptance
- Security Team Approval
- Engineering Lead Approval
- Product Manager Approval
undefined- Security Team Approval
- Engineering Lead Approval
- Product Manager Approval
undefinedAutomated Threat Detection
自动化威胁检测
typescript
// scripts/detect-threats.ts
interface CodePattern {
pattern: RegExp;
threat: string;
severity: "low" | "medium" | "high" | "critical";
}
const patterns: CodePattern[] = [
{
pattern: /eval\(/,
threat: "Code injection via eval()",
severity: "critical",
},
{
pattern: /innerHTML\s*=/,
threat: "XSS via innerHTML",
severity: "high",
},
{
pattern: /process\.env\./,
threat: "Hardcoded environment variable",
severity: "medium",
},
{
pattern: /password|secret|key/i,
threat: "Potential secret in code",
severity: "high",
},
];typescript
// scripts/detect-threats.ts
interface CodePattern {
pattern: RegExp;
threat: string;
severity: "low" | "medium" | "high" | "critical";
}
const patterns: CodePattern[] = [
{
pattern: /eval\(/,
threat: "Code injection via eval()",
severity: "critical",
},
{
pattern: /innerHTML\s*=/,
threat: "XSS via innerHTML",
severity: "high",
},
{
pattern: /process\.env\./,
threat: "Hardcoded environment variable",
severity: "medium",
},
{
pattern: /password|secret|key/i,
threat: "Potential secret in code",
severity: "high",
},
];Best Practices
最佳实践
- Regular updates: Quarterly threat model reviews
- Include stakeholders: Security, Engineering, Product
- Document decisions: Why threats accepted/mitigated
- Test mitigations: Verify controls work
- Monitor residual risks: Track over time
- Automate where possible: Integrate into CI/CD
- 定期更新:每季度进行威胁模型评审
- 纳入利益相关者:安全、工程、产品团队共同参与
- 记录决策:记录威胁被接受/缓解的原因
- 测试缓解措施:验证控制措施有效
- 监控剩余风险:长期跟踪风险变化
- 尽可能自动化:集成到CI/CD流程中
Output Checklist
输出检查清单
- Assets identified and classified
- Threats enumerated using STRIDE
- Attack vectors documented
- Mitigations defined for each threat
- Residual risk calculated
- Risk acceptance documented
- Monitoring plan created
- Threat model document generated
- Stakeholder approval obtained
- Review schedule set
- 已识别并分类资产
- 使用STRIDE枚举威胁
- 已记录攻击向量
- 为每个威胁定义缓解策略
- 已计算剩余风险
- 已记录风险接受说明
- 已制定监控计划
- 已生成威胁模型文档
- 已获得利益相关者批准
- 已设定评审计划