Lab 1 — Threat Modeling
Microsoft Threat Modeling Tool — What it is, what it does, and how to use it
The Microsoft Threat Modeling Tool is a security-focused application that helps teams identify, categorize, and prioritize potential threats to a system using the STRIDE methodology (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege). It allows you to create Data Flow Diagrams (DFDs), define trust boundaries and assets, automatically generate threat lists, and capture recommended mitigations.
How to use it:
- Create a new model and draw your system's components and data flows (DFD).
- Mark trust boundaries, entry points, and data stores.
- Assign technologies and properties to components (e.g., authentication, encryption).
- Run the analysis to generate threats and suggested mitigations.
- Export the report and diagrams (PDF/HTML/PNG) for documentation.
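To make the workflow above concrete, here is an added example (not code from the Microsoft Threat Modeling Tool, and not part of the original lab) that models a small DFD in Python and enumerates STRIDE threats the way such tools do: each element kind is susceptible to a fixed subset of STRIDE categories, component properties such as authentication or encryption close the matching category, and flows that cross a trust boundary are ranked higher. The element kinds, the rule table, the property names and the sample model (a browser, a web application and a database for a document-sharing service) are all assumptions made for the example.

```python
"""STRIDE-per-element threat enumeration over a small data flow diagram.

Added example, not the Microsoft Threat Modeling Tool's own code or rules.
The element kinds, the applicability table, the mitigating property names
and the sample model are assumptions chosen to illustrate the workflow.
"""
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each DFD element kind (assumed table,
# following the usual STRIDE-per-element mapping).
APPLICABLE = {
    "external": "SR",      # external interactor
    "process": "STRIDE",   # process
    "store": "TRID",       # data store
    "flow": "TID",         # data flow
}

# A property on an element or flow that is taken to mitigate a category
# (assumed names, standing in for the tool's "technologies and properties").
MITIGATED_BY = {
    "S": "authn",
    "T": "integrity",
    "R": "logging",
    "I": "encrypted",
    "D": "rate_limited",
    "E": "least_privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                          # external | process | store
    boundary: str                      # trust boundary the element sits in
    properties: frozenset = frozenset()


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    properties: frozenset = frozenset()


@dataclass
class Model:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, element: Element) -> None:
        self.elements[element.name] = element

    def connect(self, flow: Flow) -> None:
        self.flows.append(flow)


def crosses_boundary(model: Model, flow: Flow) -> bool:
    """True when the flow's endpoints live in different trust boundaries."""
    return model.elements[flow.src].boundary != model.elements[flow.dst].boundary


def enumerate_threats(model: Model) -> list:
    """One record per (target, STRIDE category) not closed by a property.

    Flows crossing a trust boundary get priority 'high', other flows 'low',
    and element-level threats 'medium'.
    """
    threats = []
    for e in model.elements.values():
        for cat in APPLICABLE[e.kind]:
            if MITIGATED_BY[cat] in e.properties:
                continue
            threats.append({"target": e.name, "category": STRIDE[cat],
                            "priority": "medium"})
    for f in model.flows:
        for cat in APPLICABLE["flow"]:
            if MITIGATED_BY[cat] in f.properties:
                continue
            prio = "high" if crosses_boundary(model, f) else "low"
            threats.append({"target": f.name, "category": STRIDE[cat],
                            "priority": prio})
    return threats


def build_sample_model() -> Model:
    """Constructed sample DFD for a document-sharing service (assumed)."""
    m = Model()
    m.add(Element("Browser", "external", "Internet"))
    m.add(Element("WebApp", "process", "DMZ", frozenset({"authn", "logging"})))
    m.add(Element("DocumentDB", "store", "Internal"))
    m.connect(Flow("HTTPS request", "Browser", "WebApp", frozenset({"encrypted"})))
    m.connect(Flow("SQL query", "WebApp", "DocumentDB"))
    return m


if __name__ == "__main__":
    for t in sorted(enumerate_threats(build_sample_model()),
                    key=lambda t: (t["priority"] != "high", t["target"])):
        print(f'{t["priority"]:6} {t["target"]:15} {t["category"]}')
```

Running the script lists 15 threats for the sample model; the five ranked high all sit on the two flows that cross a trust boundary, which is where the tool's generated list also concentrates review effort (for instance, the unencrypted SQL query flow into the internal boundary is flagged for tampering and information disclosure).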
What the assignment asks me to do
The lab requires performing a threat modeling exercise for the OrcunCorp Document Sharing Tool. Deliverables typically include:
- A context diagram and detailed DFD(s) that show system components, data flows, and trust boundaries.
- A threat analysis (generated and reviewed) listing relevant STRIDE threats.
- Proposed mitigations or countermeasures for the identified threats.
- Exported artifacts and a written report summarizing findings and recommendations.
What I did
- Created the system context diagram and one or more detailed DFDs in the Microsoft Threat Modeling Tool.
- Identified and reviewed threats generated by the tool, classified them using STRIDE, and documented priority levels.
- Proposed mitigations for key threats (for example, protections against SQL injection and data exposure at trust boundaries).
- Exported the model and artifacts (report, HTML export, and diagrams) for submission.
Sharing note
Note: Due to the ownership warning below, I could not share the full assignment materials.
THIS MATERIAL IS A PROPERTY OF SABANCI UNIVERSITY. ANY UNAUTHORIZED USE OR DISTRIBUTION IS STRICTLY PROHIBITED