Threat Modeling Guide: STRIDE, PASTA, and Practical Implementation

STRIDE is a threat classification framework originally developed at Microsoft that provides a structured approach to identifying threats by category. Each letter represents a threat class:

Spoofing: Impersonating users, services, or systems (e.g., an attacker claiming to be an authenticated user). Defense: authentication, signatures. Tampering: Unauthorized modification of data (e.g., altering data in transit or in storage). Defense: integrity controls, hashing, access controls. Repudiation: Denying having performed an action (e.g., a user denying a fraudulent transaction). Defense: audit logging, non-repudiation mechanisms. Information Disclosure: Exposing data to unauthorized parties (e.g., verbose error messages revealing stack traces). Defense: encryption, access controls, data classification. Denial of Service: Making a system unavailable (e.g., overwhelming a rate-limited API endpoint). Defense: rate limiting, resource quotas, redundancy. Elevation of Privilege: Gaining higher permissions than intended (e.g., a regular user accessing admin functions). Defense: least privilege, authorization checks.

Apply STRIDE by drawing a data flow diagram of your system and systematically asking each STRIDE category question at every trust boundary, data store, process, and external entity. The value is in the systematic coverage — STRIDE ensures you do not forget to ask about repudiation or denial of service, which teams often skip in informal security reviews.

A Data Flow Diagram (DFD) is the foundation of threat modeling. It maps how data moves through your system, which components process it, where it is stored, and — most importantly — where trust boundaries exist. Trust boundaries are the lines in a DFD where data crosses from a higher-trust context to a lower-trust context (or vice versa), and they are where most threats manifest.

DFD components: External entities (users, third-party services, data sources that are outside your trust boundary), processes (code that transforms or routes data), data stores (databases, caches, files, message queues), and data flows (the movement of data between components). Trust boundaries are drawn as dashed lines separating zones of different trust levels.

Practical DFD guidance: Start at the right level of abstraction. A Level 0 DFD shows your entire system as a single process interacting with external entities — useful for scoping. Level 1 DFDs break the system into major components and show the flows between them — the right level for most threat modeling exercises. Level 2 DFDs show individual functions within components — appropriate for deep dives on specific high-risk areas. Do not over-engineer the diagram; a whiteboard sketch that captures trust boundaries is more useful than a perfect Visio document delivered after the sprint.

PASTA is a risk-centric, seven-stage threat modeling methodology designed for enterprise-scale application security programs. Where STRIDE focuses on threat classification, PASTA focuses on business risk and attacker motivation — it asks not just 'what threats exist' but 'which threats are most likely to be exercised by real attackers given the value of this asset.'

PASTA's seven stages: (1) Define business objectives — what are the business and compliance requirements for this application? (2) Define technical scope — application architecture, data flows, dependencies. (3) Application decomposition — similar to DFD construction in STRIDE. (4) Threat analysis — what threat actors would target this application and what are their capabilities? (5) Vulnerability and weakness analysis — what design and implementation weaknesses exist? (6) Attack modeling — map specific attack patterns to identified weaknesses using attack trees or CAPEC. (7) Risk and impact analysis — score residual risk against business context and prioritize remediation.

PASTA is more thorough than STRIDE but requires more time and security expertise to execute. It is most appropriate for high-risk applications (payment processing, health data, authentication infrastructure) where the additional rigor is justified. For most sprint-level feature reviews, a STRIDE-based approach with DFDs is more practical.

The most common reason threat modeling fails in organizations is that it is treated as a heavyweight gate rather than a lightweight, continuous practice. The goal is not a perfect threat model — it is threat modeling as a habit that improves the security posture of every feature shipped.

Lightweight integration approach: (1) Trigger threat modeling on new features, architecture changes, and security-sensitive modifications (authentication, authorization, data storage, external integrations) — not every ticket. (2) Timebox the exercise to two hours maximum for a sprint-level threat model. (3) Use a structured but minimal template: a sketch DFD, a STRIDE walkthrough at each trust boundary, and an output list of threats with assigned owners and remediation status. (4) Track findings in your existing issue tracker alongside functional requirements — not in a separate security database that no one looks at.

Tooling: OWASP Threat Dragon is a free, open-source threat modeling tool that generates DFDs and automatically maps STRIDE threats to data flow elements. Microsoft Threat Modeling Tool is free and includes built-in templates for common Azure architectures. IriusRisk is the most capable commercial option for organizations that need to automate threat model generation from architecture descriptions at scale.

Threat modeling is the highest-leverage application security activity available to development teams — it finds design-level flaws before they become production vulnerabilities, at a fraction of the cost of post-deployment remediation. STRIDE with DFDs is the practical starting point for most teams. The goal is consistency at the sprint level, not comprehensiveness at the release level. Any team that does threat modeling on every significant feature ships more secure software than a team that does a comprehensive threat model once a year.