Scroll to discover
See a Demo

Pricing

chevrons

Community

chevrons
Book a demo
Skip to content

Which Threat Modeling Methodology is Best for Your Organization?

Learn how threat modeling and associated methodologies can improve the evaluation of cybersecurity threats, and provide actionable countermeasures

Firstly, what is threat modeling?

The idea of building security into new hardware and software products from the outset has gained ground over the last few years. The move to "shift left" and introduction of security by design has gained ground, following growing concerns about supply chain attacks.

One way to achieve this is through threat modeling. Threat modeling is not, itself, new: Microsoft did pioneering work on it in the Nineties. But it is now being adopted by bodies such as NIST, with the goal of reducing zero-day vulnerabilities. It was also referenced in the OWASP Top Ten under ‘Insecure Design’; with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.

Benefits of IriusRisk Threat Modeling 

IriusRisk operates an Open Threat Model (OTM) Standard which is a tool agnostic way of describing a threat model in a simple to use and understand format. An accompanying API allows you to provide an OTM file and IriusRisk will automatically build a full threat model using the rules engine, which contains an extensive library of components and risk patterns. Application security is often equated with security testing and performed at the end of the development process. We believe in a different, more effective approach, earlier on in this software development life cycle. By using IriusRisk, you can:

  • Generate a threat model within minutes
  • Identify threats to your product AND countermeasures
  • Avoid delays to deployment and speed up time-to-production
  • Save time, cost, and development rework
  • Ditch the PDFs and instantly identify areas for compliance
  • Create a culture of collaboration between security and development teams

Threat Modeling Methodologies

  • STRIDE

    STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege, developed by Loren Kohnfelder and Praerit Garg in 1999 to identify potential vulnerabilities and threats to company products. Microsoft's STRIDE methodology aims to ensure that an application meets the security requirements of Confidentiality, Integrity, and Availability (CIA)...

    Read more about STRIDE

  • OCTAVE®

    OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation methodology. This technique focuses on assessing organizational risks, rather than technological risks, for example if a company experiences a data breach, which could impact that business operationally. 

    Read more about OCTAVE

  • TRIKE

    TRIKE is an open source threat modeling process focused on the security auditing process from a risk management and defense perspective. This risk-based approach looks at implementation, threats and risk models, meaning it ensures the assigned level of risk for each asset is acceptable to its stakeholders.

    Read more about TRIKE

  • PASTA

    The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling methodology co-founded by VerSprite CEO Tony UcedaVélez and security leader Marco M. Morana. PASTA has the added benefit of scalability, it can scale up or scale down as required which is ideal for growing businesses, while most other threat modeling frameworks can also map into it.

    Read more about PASTA

  • Additional methods

    Okay, so what isn't considered threat modeling?

    If you are new to threat modeling, you may not be entirely sure what it is - or isn't! Here we demystify some terms that are often confused with threat modeling.

    Additional Methods

  • STRIDE
  • OCTAVE®
  • TRIKE
  • PASTA
  • Additional methods

STRIDE

STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege, developed by Loren Kohnfelder and Praerit Garg in 1999 to identify potential vulnerabilities and threats to company products. Microsoft's STRIDE methodology aims to ensure that an application meets the security requirements of Confidentiality, Integrity, and Availability (CIA)...

Read more about STRIDE

OCTAVE®

OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation methodology. This technique focuses on assessing organizational risks, rather than technological risks, for example if a company experiences a data breach, which could impact that business operationally. 

Read more about OCTAVE

TRIKE

TRIKE is an open source threat modeling process focused on the security auditing process from a risk management and defense perspective. This risk-based approach looks at implementation, threats and risk models, meaning it ensures the assigned level of risk for each asset is acceptable to its stakeholders.

Read more about TRIKE

PASTA

The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling methodology co-founded by VerSprite CEO Tony UcedaVélez and security leader Marco M. Morana. PASTA has the added benefit of scalability, it can scale up or scale down as required which is ideal for growing businesses, while most other threat modeling frameworks can also map into it.

Read more about PASTA

Additional methods

Okay, so what isn't considered threat modeling?

If you are new to threat modeling, you may not be entirely sure what it is - or isn't! Here we demystify some terms that are often confused with threat modeling.

Additional Methods

Other articles you may be interested in

Which Methodology?

While organizations are conscious of the need to threat model, it can be daunting to know where to begin. In this blog, we will unpack these threat modeling methodologies.

Okay, so what isn't threat modeling?

If you are new to threat modeling, you may not be entirely sure what it is - or isn't! Here we demystify some terms that are often confused with threat modeling

 

Sources

Cybersecurity and Infrastructure Security Agency, Architecture Risk Analysis (2013) https://www.cisa.gov/uscert/bsi/articles/best-practices/architectural-risk-analysis/architectural-risk-analysis#:~:text=Architectural%20risk%20analysis%20examines%20the,not%20the%20absence%2C%20of%20flaws
EC-Council, Cyber Threat Modeling eccouncil.org/threat-modeling
EC-Council, DREAD Threat Modeling eccouncil.org/cybersecurity-exchange/threat-intelligence/dread-threat-modeling-intro/ 
European Union Agency for Cybersecurity, Octave enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_octave.html
First, Common Vulnerability Scoring System version 3.1: Specification Document https://www.first.org/cvss/specification-document
Microsoft, Chapter 3 - Threat Modeling (2010) https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff648644(v=pandp.10)
Microsoft, STRIDE Chart (2007) microsoft.com/security/blog/2007/09/11/stride-chart/
NIST, National Vulnerability Database nvd.nist.gov/vuln-metrics/cvss
OWASP, Advanced Threat Modeling owasp.org/www-pdf-archive/AdvancedThreatModeling.pdf  
OWASP, Top Ten (2021) owasp.org/www-project-top-ten/ 
Software Engineering Institute, Threat Modeling: 12 Available Methods (2018) https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/
Spiceworks, Top 10 Cyber Threat Intelligence Tools (2022) https://www.spiceworks.com/it-security/vulnerability-management/articles/best-cyber-threat-intelligence-tools/
Versprite, What is PASTA Threat Modeling? (2021) versprite.com/blog/what-is-pasta-threat-modeling/