Threat, Vulnerability & Data Flow Analysis

Structured threat and vulnerability analysis translates abstract risk into concrete design decisions. This page covers the primary techniques: STRIDE, data flow diagrams (DFDs), attack trees, and vulnerability analysis.

Data Flow Diagrams (DFDs)

DFDs map how data moves through a system and across trust boundaries. They are the starting point for threat identification.

DFD elements

| Symbol | Meaning |
| --- | --- |
| Rectangle | External entity (user, third-party system) |
| Circle / oval | Process (transforms data) |
| Open rectangle | Data store |
| Arrow | Data flow |
| Dashed line | Trust boundary |

Trust boundaries

A trust boundary is any point where data crosses between different privilege or trust levels: user → web tier, web tier → application tier, application tier → database, internal network → DMZ.

Every trust boundary is a candidate for a control (authentication, authorisation, encryption, input validation).

STRIDE threat model

STRIDE, developed at Microsoft, categorises threats by the property of security they violate:

| Threat | Violated property | Example |
| --- | --- | --- |
| Spoofing | Authentication | Impersonating a legitimate user or service |
| Tampering | Integrity | Modifying data in transit or at rest |
| Repudiation | Non-repudiation | Denying having performed an action |
| Information Disclosure | Confidentiality | Exposing data to unauthorised parties |
| Denial of Service | Availability | Overwhelming a service to prevent legitimate access |
| Elevation of Privilege | Authorisation | Gaining access beyond what is permitted |

Applying STRIDE to DFDs

For each element in the DFD (process, data store, data flow, external entity), systematically apply each STRIDE category and identify threats. Document threats and link them to mitigating controls.
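The following is an added worked example (not code from this page or from any threat modelling tool) of the STRIDE-per-element pass described above, combined with the trust-boundary check from the DFD section. It assumes the commonly used STRIDE-per-element mapping (external entities are subject to S and R; processes to all six; data stores to T, R, I, D; data flows to T, I, D) and a constructed three-tier DFD whose trust zones, element names and flow names are invented for illustration.

```python
from dataclasses import dataclass
from typing import List

# STRIDE-per-element mapping (assumed convention from SDL-style threat
# modelling): which STRIDE letters are relevant to each DFD element type.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass
class Element:
    name: str
    kind: str   # key of STRIDE_PER_ELEMENT (data flows are modelled separately)
    zone: str   # trust zone the element lives in; a flow between zones crosses a boundary


@dataclass
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone


@dataclass
class Threat:
    element: str
    category: str
    crosses_boundary: bool  # flows over a trust boundary are the first candidates for controls


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply every applicable STRIDE category to every DFD element and flow."""
    threats = []
    for el in elements:
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            threats.append(Threat(el.name, STRIDE_NAMES[letter], False))
    for fl in flows:
        for letter in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append(Threat(fl.name, STRIDE_NAMES[letter], fl.crosses_boundary()))
    return threats


def boundary_crossing_flows(flows: List[Flow]) -> List[str]:
    return [f.name for f in flows if f.crosses_boundary()]


def build_sample_model():
    # Constructed example: browser -> web tier (DMZ) -> app tier -> database (internal).
    user = Element("Browser", "external_entity", "internet")
    web = Element("Web tier", "process", "dmz")
    app = Element("App tier", "process", "internal")
    db = Element("Orders DB", "data_store", "internal")
    flows = [
        Flow("HTTPS request", user, web),
        Flow("API call", web, app),
        Flow("SQL query", app, db),
    ]
    return [user, web, app, db], flows


if __name__ == "__main__":
    elements, flows = build_sample_model()
    for t in enumerate_threats(elements, flows):
        flag = " [crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{t.element:15} {t.category}{flag}")
    print("Flows needing boundary controls:", boundary_crossing_flows(flows))
```

Each emitted threat is a candidate to be recorded with its mitigating control; the `crosses_boundary` flag separates the flows where authentication, authorisation, encryption or input validation is expected from the ones that stay inside one trust zone.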

Attack trees

Attack trees represent an attacker's goal at the root and decompose it into sub-goals and techniques:

  • AND nodes — all children must succeed
  • OR nodes — any child is sufficient

Attack trees quantify attack paths by assigning cost, likelihood, or detectability to leaf nodes and propagating values up the tree. They reveal which attack paths are cheapest for an adversary, directing defensive investment.
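An added example (not from the page or any particular tool) of the propagation rule just described: leaf nodes carry an attacker cost and a success probability, AND nodes sum cost and multiply probability, OR nodes take the cheapest child and the highest probability. The tree, its node names and all numbers are constructed for illustration; the example also shows how raising the cost of the cheapest leaf (i.e. adding a control) changes which path the tree reports as cheapest.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    op: Optional[str] = None   # "AND", "OR", or None for a leaf
    cost: float = 0.0          # leaf only: attacker effort in constructed units
    prob: float = 1.0          # leaf only: likelihood the step succeeds, 0..1
    children: List["Node"] = field(default_factory=list)


def evaluate(node: Node) -> Tuple[float, float, List[str]]:
    """Return (cost, probability, leaves on the cheapest path) for a subtree."""
    if not node.children:
        return node.cost, node.prob, [node.name]
    results = [evaluate(c) for c in node.children]
    if node.op == "AND":
        cost = sum(r[0] for r in results)     # every child must be paid for
        prob = 1.0
        for r in results:
            prob *= r[1]                      # every child must succeed
        leaves = [leaf for r in results for leaf in r[2]]
        return cost, prob, leaves
    if node.op == "OR":
        cheapest = min(results, key=lambda r: r[0])   # attacker picks the cheapest branch
        prob = max(r[1] for r in results)             # any single branch suffices
        return cheapest[0], prob, cheapest[2]
    raise ValueError(f"non-leaf node {node.name!r} needs op AND or OR")


def apply_control(node: Node, leaf_name: str, extra_cost: float) -> bool:
    """Model a mitigation as added attacker cost on one leaf. Returns True if found."""
    if not node.children:
        if node.name == leaf_name:
            node.cost += extra_cost
            return True
        return False
    return any(apply_control(c, leaf_name, extra_cost) for c in node.children)


def build_sample_tree() -> Node:
    # Constructed tree; names and values are illustrative only.
    return Node("Read customer records", "OR", children=[
        Node("Obtain database credentials", "AND", children=[
            Node("Phish an administrator", cost=3, prob=0.3),
            Node("Defeat the second factor", cost=6, prob=0.2),
        ]),
        Node("Exploit application flaw", "OR", children=[
            Node("Exploit web search input", cost=4, prob=0.5),
            Node("Exploit unpatched app server", cost=7, prob=0.4),
        ]),
        Node("Obtain backup media", cost=20, prob=0.1),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    print("before control:", evaluate(tree))
    apply_control(tree, "Exploit web search input", 10)  # e.g. input validation added
    print("after control: ", evaluate(tree))
```

With the constructed values the cheapest path before the control is the single leaf "Exploit web search input" at cost 4; after raising its cost by 10 the tree reports "Exploit unpatched app server" at cost 7 as the new cheapest path, which is exactly the signal used to direct the next round of defensive investment.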

PASTA (Process for Attack Simulation and Threat Analysis)

PASTA is a risk-centric, seven-stage threat modelling methodology:

  1. Define objectives
  2. Define technical scope
  3. Application decomposition
  4. Threat analysis
  5. Vulnerability and weakness analysis
  6. Attack modelling
  7. Risk and impact analysis

PASTA integrates business impact directly into the threat model, making it suitable for risk-based control prioritisation.

Vulnerability analysis

Vulnerability sources

  • CVE / NVD — Common Vulnerabilities and Exposures database
  • Vendor advisories — vendor-specific security bulletins
  • Penetration testing — active assessment findings
  • Configuration auditing — CIS Benchmark compliance scanning
  • Code analysis — SAST/DAST/SCA findings

Scoring — CVSS

CVSS (Common Vulnerability Scoring System) v3.1 / v4.0 scores vulnerabilities across:

  • Base: Attack vector, complexity, privileges required, user interaction, scope, impact
  • Temporal: Exploit code maturity, remediation level, report confidence
  • Environmental: Modified base metrics, security requirements

Use CVSS as one signal, not the sole prioritisation mechanism — a CVSS 9.8 in an unexploitable configuration is lower risk than a CVSS 5.0 actively exploited in the wild.

Vulnerability prioritisation

Effective prioritisation combines:

  • CVSS base score
  • Exploitation status (CISA KEV catalogue, Exploit-DB)
  • Asset criticality
  • Compensating controls in place
  • Exposure (internet-facing vs. internal)

EPSS (Exploit Prediction Scoring System) provides a probability-based exploitation likelihood score to complement CVSS.
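As an added example (not a method from this page, CISA or FIRST), the following combines the five prioritisation inputs listed above plus EPSS into a single ranking. The weighting is a constructed heuristic, labelled as such in the code, and the three findings are invented to reproduce the page's own point: a CVSS 9.8 on an internal asset behind a compensating control ranks below a CVSS 5.0 that is internet-facing and listed in the KEV catalogue.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    ident: str
    cvss: float               # CVSS base score, 0..10
    epss: float               # EPSS probability of exploitation, 0..1
    in_kev: bool              # listed in the CISA KEV catalogue
    asset_criticality: int    # 1 (low) .. 5 (business-critical)
    internet_facing: bool
    compensating_control: bool


def risk_score(f: Finding) -> float:
    """Constructed heuristic (an assumption, not a standard): CVSS sets the ceiling,
    exploitation evidence and exposure scale it, a compensating control discounts it."""
    if not 0 <= f.cvss <= 10 or not 0 <= f.epss <= 1 or not 1 <= f.asset_criticality <= 5:
        raise ValueError(f"out-of-range input for {f.ident}")
    # Confirmed in-the-wild exploitation (KEV) is treated as at least 0.9 likelihood.
    likelihood = max(f.epss, 0.9 if f.in_kev else 0.0)
    exposure = 1.0 if f.internet_facing else 0.5
    score = f.cvss * (0.2 + 0.8 * likelihood) * exposure * (f.asset_criticality / 5)
    if f.compensating_control:
        score *= 0.5
    return round(score, 2)


def prioritise(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=risk_score, reverse=True)


def sample_findings() -> List[Finding]:
    # Constructed findings; identifiers and values are illustrative only.
    return [
        Finding("FND-A", cvss=9.8, epss=0.02, in_kev=False, asset_criticality=4,
                internet_facing=False, compensating_control=True),
        Finding("FND-B", cvss=5.0, epss=0.85, in_kev=True, asset_criticality=4,
                internet_facing=True, compensating_control=False),
        Finding("FND-C", cvss=7.5, epss=0.10, in_kev=False, asset_criticality=5,
                internet_facing=True, compensating_control=False),
    ]


if __name__ == "__main__":
    for f in prioritise(sample_findings()):
        print(f"{f.ident}  risk={risk_score(f):5.2f}  cvss={f.cvss}  "
              f"kev={f.in_kev}  epss={f.epss}  exposed={f.internet_facing}")
```

The constants (the 0.9 floor for KEV entries, the 0.5 exposure and control discounts) are the knobs a team would tune against its own environment; the structure is what matters: likelihood and exposure multiply the severity rather than being added to it, so a high base score alone cannot dominate the queue.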

Further reading

  • Microsoft Threat Modelling Tool documentation
  • OWASP Threat Dragon
  • "Threat Modelling: Designing for Security" — Adam Shostack
  • NIST SP 800-30 — Risk Assessment Guide
  • CISA Known Exploited Vulnerabilities Catalogue

Released under the MIT Licence.