Day 42 of 60 · Process, code review & AI-assisted
Threat modeling
Pen-test findings are expensive because they arrive after design freeze. STRIDE in a 90-minute meeting catches a third of them while design is still soft.
Problem
Security flaws found in pen tests after launch, the most expensive time to find them.
How it works
Apply STRIDE / PASTA before designing each major feature. Diagram trust boundaries. List threats. Pick mitigations.
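As an added illustration of the "diagram trust boundaries, list threats" step (example code, not part of this lesson or of any listed tool), a small Python pass that applies STRIDE-per-element to a hand-built data-flow diagram and tags flows that cross a trust boundary; the sample DFD (browser, API, database, cache) and its boundary names are constructed here.

```python
# Added example, not from the lesson: a STRIDE-per-element pass over a small
# hand-built data-flow diagram. Which STRIDE letters apply to which element
# type follows Microsoft's STRIDE-per-element table.
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# DFD element type -> applicable STRIDE categories
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Node:
    name: str
    kind: str      # "external", "process" or "store"
    boundary: str  # trust boundary the node lives in

@dataclass(frozen=True)
class Flow:
    name: str
    src: Node
    dst: Node

def threats_for(kind):
    return [STRIDE[c] for c in PER_ELEMENT[kind]]

def model(nodes, flows):
    """Map every element to its candidate threats; flows that cross a trust
    boundary get an extra tag so reviewers look at them first."""
    out = {n.name: threats_for(n.kind) for n in nodes}
    for f in flows:
        ts = threats_for("flow")
        if f.src.boundary != f.dst.boundary:
            ts.append(f"crosses trust boundary {f.src.boundary} -> {f.dst.boundary}")
        out[f.name] = ts
    return out

def boundary_crossings(flows):
    """Names of flows that cross a trust boundary (the ones to review first)."""
    return [f.name for f in flows if f.src.boundary != f.dst.boundary]

# Constructed sample: browser -> API -> database, plus a cache inside the DMZ.
browser = Node("browser", "external", "internet")
api = Node("api", "process", "dmz")
db = Node("db", "store", "internal")
cache = Node("cache", "store", "dmz")
NODES = [browser, api, db, cache]
FLOWS = [Flow("login request", browser, api), Flow("user lookup", api, db),
         Flow("session write", api, cache)]
MODEL = model(NODES, FLOWS)
```

The output is a starting list of candidate threats per element; the meeting's job is to strike the ones that do not apply and pick a mitigation for each that remains.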
What it catches
Architecture-level security flaws, auth bypass, IDOR, missing trust boundaries, side-channel risks.
Tools
OWASP Threat Dragon (OSS) · Microsoft Threat Modeling Tool (OSS)
Verdict by project size
Small: Skip · Medium: Optional · Large: Recommended · Extra-large: Must
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 0h | 1h | $0 | n/a |
| Medium 10–100k LOC | 1d | 4h | $0 | n/a |
| Large 100k–1M LOC | 3d | 20h | $0 | n/a |
| Extra-large >1M LOC | 10d | 80h | $0 | n/a |
Setup = engineer-days to first useful run · Maint = engineer-hours / month at steady state · Tool = out-of-pocket $ / month · CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle: Plan, Design · Per release · Runs before promotion to production.
Who owns it: Security / AppSec (SAST, DAST, threat modelling) · Collaborates with: Developer, Security / AppSec
Reference implementations
- OWASP Threat Dragon: open-source threat-modeling tool with diagram-backed security design review.
- OWASP Cornucopia: threat-modeling card game for discovering security requirements.
- Microsoft threat modeling guidance: tooling and workflow for STRIDE-style threat modeling.