Threat Modeling in Four Questions
#appsec #process
You don't need a heavyweight methodology to think clearly about security. Shostack's four questions get you 80% of the value:
- What are we building? Draw the data flow.
- What can go wrong? Walk each trust boundary.
- What are we going to do about it? Pick mitigations.
- Did we do a good job? Review and iterate.
Trust boundaries are where bugs live
Any place data crosses from a less-trusted zone to a more-trusted one is a boundary worth scrutinizing — a browser to your API, your API to the database, one service to another.
[ browser ] --(untrusted input)--> [ api ] --(query)--> [ db ]
            ^ boundary                     ^ boundary
Spend your attention at the arrows.
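An added example, not part of the original post: the diagram above written down as data, with a check that lists every less-trusted to more-trusted flow whose boundary has not been walked or whose threats still lack a mitigation. The trust levels, threat entries and function names are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed trust levels for the diagram's three zones: higher = more trusted.
TRUST = {"browser": 0, "api": 1, "db": 2}

@dataclass
class Flow:
    src: str
    dst: str
    data: str
    # Questions 2 and 3 together: threat -> chosen mitigation, or None if undecided.
    threats: dict = field(default_factory=dict)

def crosses_boundary(flow, trust):
    """Data moving from a less-trusted zone into a more-trusted one."""
    return trust[flow.src] < trust[flow.dst]

def open_items(flows, trust):
    """Question 4: list what is still unfinished at each trust boundary."""
    items = []
    for f in flows:
        if not crosses_boundary(f, trust):
            continue
        edge = f"{f.src} -> {f.dst}"
        if not f.threats:
            items.append(f"{edge}: boundary not walked yet")
        for threat, mitigation in f.threats.items():
            if mitigation is None:
                items.append(f"{edge}: '{threat}' has no mitigation")
    return items

# Question 1: the data flow from the diagram, plus the response path (constructed).
FLOWS = [
    Flow("browser", "api", "untrusted input", {
        "malformed or oversized input": "validate against a schema at the API edge",
        "request without a valid session": None,
    }),
    Flow("api", "db", "query"),          # nobody has walked this boundary yet
    Flow("db", "api", "result rows"),    # flows toward less trust: not flagged here
]

if __name__ == "__main__":
    for item in open_items(FLOWS, TRUST):
        print("TODO", item)
```

Kept next to the code, a list like this can be rerun whenever a flow is added, and an empty result means every boundary has been walked and answered.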
Make it a habit, not an event
The best threat model is the cheap one you actually run. Five minutes on a whiteboard before building beats a 40-page document nobody reads.