Threat Modeling Lab

Retrieval Prompts

  1. State each letter of STRIDE and one cloud-service example per letter.
  2. State the four OWASP threat-modeling questions in order.
  3. Explain in one sentence why identity is the "new perimeter" and what a Zero Trust credential looks like.
  4. Name the four layers of defense in depth and what class of failure each defends against.
  5. Explain why a threat model should fit on one page for a first pass.

Compare and Distinguish

Separate these pairs clearly:

  • threat vs vulnerability vs risk
  • STRIDE vs a vulnerability scan
  • authentication vs authorization
  • network boundary vs identity boundary
  • a single strong control vs layered imperfect controls

Common Mistake Check

For each statement, identify the error and the corrected version:

  1. "We turned on encryption and enabled MFA, so the threat model is done."
  2. "The database is in a private subnet, so application-level authorization is optional."
  3. "This IAM role has *:* but it is 'only used for deploys', so it is safe."
  4. "We have a threat model, but nobody has updated it in a year -- the system has not changed much, so we are fine."

Mini Application

Local-first option: run the threat model against a diagram, Docker Compose stack, or kind/minikube/k3d deployment before mapping controls to paid cloud services.

Choose one of the following architectures (or bring your own). Spend 45-60 minutes producing a real threat model.

Architecture A: Image uploads service

  • clients upload images to an HTTPS API
  • API places the image in object storage
  • a worker pulls from a queue, resizes, writes thumbnails back to object storage
  • metadata goes to local Postgres or a managed SQL DB
  • results are served through a CDN

Architecture B: Internal CI/CD worker pool

  • developers push to a Git repo
  • webhooks fire a build in an internal runner
  • runners authenticate to local mocks or the cloud via OIDC federation
  • builds push container images to a registry
  • a cluster admission controller verifies signatures and runs the image

For the chosen system produce:

  1. One diagram (boxes + arrows + trust boundaries).
  2. Assets list.
  3. One STRIDE finding per letter.
  4. One concrete mitigation per finding, named and owned.
  5. One paragraph at the end: which layer (network, host, app, data) is currently load-bearing alone, and what would you add next?

Evidence Check

This page is complete when:

  • you produced the six STRIDE findings with mitigations
  • you can explain each mitigation without looking at notes
  • you can point to one external source (OWASP / NIST / cloud provider) per finding that justifies the control
  • you can say which finding you'd fix first under a one-week time box, and why
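
One way to check a draft against the deliverables and the Evidence Check above, as an added example that is not part of the original lab. The field names, the per-mitigation layer tag, and the sample draft (constructed and deliberately incomplete, with placeholder sources) are assumptions.

```python
from collections import Counter

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
LAYERS = ("network", "host", "app", "data")  # layers named in deliverable 5
# Assumed field names: one per deliverable / Evidence Check item.
REQUIRED = ("finding", "mitigation", "owner", "source", "layer")

def check_model(findings):
    """Return the gaps in a draft; an empty list means the checklist is met."""
    gaps = []
    seen = Counter(f.get("stride") for f in findings)
    for letter, name in STRIDE.items():          # one finding per letter
        if seen[letter] == 0:
            gaps.append(f"{letter}: no finding for {name}")
    for n, f in enumerate(findings, 1):          # named, owned, sourced
        if f.get("stride") not in STRIDE:
            gaps.append(f"finding {n}: unknown STRIDE letter")
        for field in REQUIRED:
            if not str(f.get(field) or "").strip():
                gaps.append(f"finding {n}: missing {field}")
        if f.get("layer") and f["layer"] not in LAYERS:
            gaps.append(f"finding {n}: unknown layer {f['layer']!r}")
    used = {f.get("layer") for f in findings} & set(LAYERS)
    if len(used) == 1:                           # every control sits in one layer
        gaps.append(f"layer {used.pop()!r} is load-bearing alone")
    return gaps

# Constructed sample draft for Architecture A (not a complete answer).
DRAFT = [
    {"stride": "S", "finding": "Upload API does not verify the caller",
     "mitigation": "Require short-lived signed tokens on upload",
     "owner": "api-team", "source": "placeholder: OWASP reference", "layer": "app"},
    {"stride": "T", "finding": "Worker trusts any object key in a queue message",
     "mitigation": "Validate the key prefix before processing",
     "owner": "", "source": "placeholder: NIST reference", "layer": "app"},
    {"stride": "I", "finding": "Metadata query can return another user's rows",
     "mitigation": "Per-user authorization check in the API handler",
     "owner": "api-team", "source": "", "layer": "app"},
]

if __name__ == "__main__":
    for gap in check_model(DRAFT):
        print("GAP:", gap)
```

The last gap it reports for this draft is the answer to deliverable 5: all three mitigations live in the app layer, so that layer is carrying the design alone.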