Managing Threats
Learn how to identify, document, and manage threats in TMI.
Threat management is the core of threat modeling. TMI helps you systematically identify, assess, and track threats to your system.
Microsoft's STRIDE framework categorizes threats:
- Spoofing: Impersonating users or systems
- Tampering: Unauthorized modification of data
- Repudiation: Denying actions without proof
- Information Disclosure: Exposing sensitive information
- Denial of Service: Making systems unavailable
- Elevation of Privilege: Gaining unauthorized access
The CIA triad focuses on:
- Confidentiality: Unauthorized access to data
- Integrity: Unauthorized modification
- Availability: System or data unavailability
Create your own threat categories based on:
- Industry-specific threats
- Organizational risk framework
- Compliance requirements
To create a threat:
- Navigate to the threats section
- Click "New Threat" or "Add Threat"
- Fill in threat details
- Link to affected components
- Save
Threat fields:
- Title: Short, descriptive name
- Description: Detailed explanation
- Category: Framework category (STRIDE, CIA, etc.)
- Impact: Consequences if exploited (High/Medium/Low)
- Likelihood: Probability of occurrence (High/Medium/Low)
- Risk Level: Overall risk (High/Medium/Low or calculated)
- Status: New, Investigating, Mitigated, Accepted, Not Applicable
- Affected Components: Link to diagram elements
- Mitigation: How to address the threat
- Notes: Additional context
- Metadata: Custom properties
For each component in your diagram:
- What threats apply to this component type?
- What data does it handle?
- What trust boundaries does it cross?
For each data flow:
- Can data be intercepted?
- Can data be modified?
- Is data properly validated?
- Is data properly encrypted?
Apply STRIDE to each diagram element:
Process threats:
- Spoofing process identity
- Tampering with process
- Repudiation of process actions
- Information disclosure from process
- Denial of service to process
- Elevation of privilege in process
Data Store threats:
- Tampering with stored data
- Information disclosure from store
- Denial of service to store
Data Flow threats:
- Tampering with data in transit
- Information disclosure of data
- Denial of service to flow
External Entity threats:
- Spoofing external entity
- Repudiation of external entity actions
At each trust boundary:
- What authentication occurs?
- What authorization is required?
- What data validation happens?
- What logging exists?
Assess impact using these levels:
High Impact:
- Complete system compromise
- Loss of critical data
- Regulatory violations
- Significant financial loss
- Life/safety impact
Medium Impact:
- Partial system compromise
- Loss of non-critical data
- Moderate financial loss
- Reputation damage
Low Impact:
- Minor inconvenience
- Minimal data exposure
- Low financial loss
Assess likelihood using these levels:
High Likelihood:
- Easy to exploit
- Common attack vector
- Public exploits available
- High attacker motivation
Medium Likelihood:
- Moderate skill required
- Some protective measures exist
- Moderate attacker motivation
Low Likelihood:
- Difficult to exploit
- Strong protections in place
- Low attacker motivation
TMI uses the following severity values for threats:
| Severity | Description |
|---|---|
| Critical | Exploitable vulnerability enables complete system compromise, data breach, or safety impact; requires immediate action. |
| High | Significant impact or high likelihood; enables major unauthorized access, privilege escalation, or service disruption. |
| Medium | Moderate impact or likelihood; limited data exposure, partial functionality impairment, or requires chained exploits. |
| Low | Minimal impact or low likelihood; negligible business impact, requires specific conditions or user interaction. |
| Informational | No direct exploitability; recommendation, best practice deviation, or configuration improvement. |
| Unknown | Threat severity has not yet been assessed. |
TMI uses the following priority values for threats:
| Priority | Description |
|---|---|
| Immediate (P0) | Must be addressed urgently; active exploitation, regulatory violation, or critical business exposure. |
| High (P1) | Requires prompt resolution; high-risk exposure or upcoming release deadline. |
| Medium (P2) | Address within standard development cycles; moderate exposure. |
| Low (P3) | Include in backlog for future cycles; no immediate exposure. |
| Deferred (P4) | Postponed with documented business approval; tracked but not scheduled. |
Common approaches to calculating the risk level:
Qualitative:
- High Impact + High Likelihood = High Risk
- High Impact + Low Likelihood = Medium Risk
- Low Impact + Any Likelihood = Low Risk
Quantitative:
- Risk Score = Impact × Likelihood
- Use numeric scales (1-5, 1-10)
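The two scoring approaches above, worked through in Python as an added example (this is not TMI's own code). The three qualitative rules stated in the text are encoded directly; the remaining matrix cells, the default 1-5 scale, and the bands that map a numeric score onto TMI's severity values are assumptions made for this example and are marked as such in the code.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordinal High/Medium/Low scale shared by impact and likelihood."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Qualitative matrix keyed by (impact, likelihood). Cells marked "text" come from
# the rules above; cells marked "assumed" are an assumption made for this example.
_QUALITATIVE = {
    (Level.HIGH, Level.HIGH): "High",        # text
    (Level.HIGH, Level.LOW): "Medium",       # text
    (Level.LOW, Level.HIGH): "Low",          # text: Low Impact + any Likelihood
    (Level.LOW, Level.MEDIUM): "Low",        # text
    (Level.LOW, Level.LOW): "Low",           # text
    (Level.HIGH, Level.MEDIUM): "High",      # assumed
    (Level.MEDIUM, Level.HIGH): "High",      # assumed
    (Level.MEDIUM, Level.MEDIUM): "Medium",  # assumed
    (Level.MEDIUM, Level.LOW): "Low",        # assumed
}


def qualitative_risk(impact: Level, likelihood: Level) -> str:
    """Look up the overall risk level for a High/Medium/Low pair."""
    return _QUALITATIVE[(Level(impact), Level(likelihood))]


# Assumed bands for mapping the product of two 1-5 scores (1..25) onto TMI's
# severity values; "Informational" and "Unknown" are not derived from a score.
_BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"))


def quantitative_risk(impact: int, likelihood: int, scale_max: int = 5) -> tuple:
    """Risk Score = Impact x Likelihood on a 1..scale_max scale, plus its severity band.

    Returns (score, severity). The bands are defined for a 1-5 scale and are
    stretched proportionally when a larger scale (for example 1-10) is used.
    """
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not 1 <= value <= scale_max:
            raise ValueError(f"{name} must be between 1 and {scale_max}, got {value}")
    score = impact * likelihood
    stretch = (scale_max * scale_max) / 25  # 1.0 for the default 1-5 scale
    for threshold, severity in _BANDS:
        if score >= threshold * stretch:
            return score, severity
    return score, "Low"


def rank_threats(threats: list) -> list:
    """Order (title, impact, likelihood) tuples by score, highest first, the way
    a 'sort by risk level' view would present them."""
    scored = [(title, *quantitative_risk(i, l)) for title, i, l in threats]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    print(qualitative_risk(Level.HIGH, Level.LOW))
    print(rank_threats([("SQL injection in search", 5, 4), ("Verbose error page", 2, 3)]))
```

The validation step is the part worth keeping whatever bands you settle on: a score computed from an out-of-range value silently corrupts every downstream sort and filter, so it is rejected rather than clamped.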
Risk treatment strategies:
Eliminate: Remove the vulnerability entirely
- Redesign the system
- Remove risky features
- Change architecture
Reduce: Lower the risk level
- Add security controls
- Implement defenses
- Add monitoring
Transfer: Shift the risk
- Use third-party services
- Insurance
- Contractual agreements
Accept: Consciously accept the risk
- Document decision
- Approve at appropriate level
- Monitor over time
For each threat, document:
- Control Description: What will be implemented
- Control Type: Preventive, Detective, Corrective
- Implementation Status: Planned, In Progress, Complete
- Owner: Who is responsible
- Timeline: When will it be done
- Verification: How to verify it works
Example:
Threat: SQL Injection in user search
Mitigations:
- Use parameterized queries (Eliminate)
- Input validation and sanitization (Reduce)
- Web application firewall (Reduce)
- Database activity monitoring (Detect)
- Least privilege database accounts (Reduce)
Linking threats to components provides:
- Visual representation on diagrams
- Track which components are affected
- Prioritize component security
- Impact analysis for changes
To link a threat to components:
- Edit the threat
- Find "Affected Components" or "Linked Components"
- Select diagram(s) and component(s)
- Save
Once linked, you can:
- See threats when viewing diagrams
- Filter threats by component
- Impact analysis when modifying components
TMI uses the following status values for individual threats:
| Status | Description |
|---|---|
| Open | The finding has been identified and documented but no action has been initiated. |
| Confirmed | The threat has been validated as legitimate through analysis or evidence. |
| Mitigation Planned | A remediation or mitigation strategy has been defined and assigned. |
| Mitigation In Progress | Implementation of controls, code changes, or countermeasures is underway. |
| Verification Pending | Mitigation is complete; security team must test or review effectiveness. |
| Resolved | The threat is fully mitigated and verified; residual risk is acceptable. |
| Accepted | The threat is acknowledged but intentionally not mitigated (e.g., due to business justification); requires formal risk acceptance. |
| False Positive | Investigation determined the finding is not a valid threat; no further action required. |
| Deferred | Action is postponed with approval (e.g., for future sprints); includes rationale and due date. |
| Closed | The finding is archived after resolution, acceptance, or invalidation, with audit trail. |
Tracking tips:
- Update status as work progresses
- Link to issue tracker tickets
- Document decisions in notes
- Review regularly
To create or link an issue from a threat:
- Select the threat
- Click "Create Issue" or "Link Issue"
- Choose issue tracker
- Populate issue details
- Track in both systems
Once linked:
- Issue status can sync to TMI
- Track remediation progress
- Close threats when issues resolve
See Issue Tracker Integration for details.
Filter by:
- Category: Show only specific STRIDE/CIA categories
- Risk Level: High, Medium, Low
- Status: New, Mitigated, etc.
- Component: Threats affecting specific components
- Metadata: Custom filters
Sort by:
- Risk level (High to Low)
- Status
- Creation date
- Last modified
- Title (alphabetically)
View summary:
- Total threats
- Threats by category
- Threats by risk level
- Threats by status
- Coverage metrics
Collaborating on threats:
- Share threat model with team
- Review threats together
- Use real-time editing
- Discuss mitigations
- Assign threats to team members
- Track ownership
- Review responsibility
- Comment on threats
- @mention team members
- Document decisions
- Track conversations
Best practices:
- Clear, descriptive threat titles
- Detailed descriptions
- Concrete examples
- Specific mitigations
- Prioritize realistic threats
- Don't get lost in theoretical threats
- Focus on what can be mitigated
Document the rationale:
- Why risks were accepted
- Why mitigations were chosen
- Assumptions made
- Tradeoffs considered
Keep threats current:
- Review as system changes
- Re-assess as threat landscape evolves
- Update mitigations
- Close resolved threats
Link related artifacts:
- Link to diagrams
- Link to issue tracker
- Link to documentation
- Link to security controls
Example threat:
Title: Brute Force Attack on Login
Category: Elevation of Privilege (STRIDE)
Description: Attacker attempts to guess user passwords through automated login attempts.
Impact: High - Account compromise, data breach
Likelihood: High - Common attack, easily automated
Risk Level: High
Mitigation:
- Rate limiting (5 attempts per 15 minutes)
- Account lockout after 10 failed attempts
- CAPTCHA after 3 failed attempts
- Multi-factor authentication
- Password complexity requirements
- Monitor for brute force patterns
Status: Mitigated
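The first three mitigations in this example (rate limiting at 5 attempts per 15 minutes, lockout after 10 failures, CAPTCHA after 3) together with the monitoring item, implemented in Python as an added example that is not TMI's code. The class, its method names and the decision strings are assumptions made for this illustration; the clock is passed in as a timestamp in seconds so that behaviour across the 15-minute window can be checked without waiting.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Per-account failed-login controls from the example threat above.

    Only attempts whose password was actually checked are recorded as failures;
    attempts refused by the rate limit never reach the password check.
    """

    def __init__(self, window_attempts: int = 5, window_seconds: int = 15 * 60,
                 captcha_after: int = 3, lockout_after: int = 10):
        self.window_attempts = window_attempts
        self.window_seconds = window_seconds
        self.captcha_after = captcha_after
        self.lockout_after = lockout_after
        self._recent = defaultdict(deque)       # account -> timestamps of recent failures
        self._since_success = defaultdict(int)  # failures since the last successful login
        self._locked = set()

    def _prune(self, account: str, now: float) -> None:
        """Drop failures that have aged out of the sliding window."""
        window = self._recent[account]
        while window and now - window[0] >= self.window_seconds:
            window.popleft()

    def decision(self, account: str, now: float) -> str:
        """What the login endpoint should do before checking the password:
        'locked', 'rate_limited', 'captcha' or 'allow'."""
        if account in self._locked:
            return "locked"
        self._prune(account, now)
        recent = len(self._recent[account])
        if recent >= self.window_attempts:
            return "rate_limited"
        if recent >= self.captcha_after:
            return "captcha"
        return "allow"

    def record_failure(self, account: str, now: float) -> None:
        """Call after a password check fails."""
        self._recent[account].append(now)
        self._since_success[account] += 1
        if self._since_success[account] >= self.lockout_after:
            self._locked.add(account)

    def record_success(self, account: str) -> None:
        """Call after a password check succeeds; resets the counters."""
        self._recent[account].clear()
        self._since_success[account] = 0

    def unlock(self, account: str) -> None:
        """A lockout is cleared only by an explicit (e.g. support-initiated) unlock."""
        self._locked.discard(account)
        self.record_success(account)

    def brute_force_candidates(self, now: float, threshold: int = 5) -> list:
        """Monitoring hook: accounts with at least `threshold` failures inside the
        window, for alerting or a dashboard."""
        hits = []
        for account in list(self._recent):
            self._prune(account, now)
            if len(self._recent[account]) >= threshold:
                hits.append(account)
        return sorted(hits)


if __name__ == "__main__":
    guard = LoginGuard()
    for t in range(5):
        guard.record_failure("alice", t)
    print(guard.decision("alice", 5), guard.brute_force_candidates(5))
```

Two design points worth noticing: the lockout counter is not reset by the window expiring, so ten failures spread across several windows still lock the account, and the lockout is not cleared by a later correct password, since that is exactly the event a guessing campaign is trying to produce.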
Example threat:
Title: Sensitive Data in Application Logs
Category: Information Disclosure (STRIDE)
Description: Application logs may contain PII or credentials if exceptions are logged verbosely.
Impact: Medium - Data breach, compliance violation
Likelihood: Medium - Common developer mistake
Risk Level: Medium
Mitigation:
- Log sanitization framework
- Code review for logging statements
- Log access controls
- Automated log scanning
- Developer training
Status: In Progress
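The "log sanitization framework" mitigation, shown as added Python code that is not TMI's: a redaction function for the kinds of values this threat names (credentials in exception text, PII such as e-mail addresses), wired into the standard library's logging pipeline as a filter so that redaction happens before any handler writes the record. The patterns, the logger name and the log lines are constructed for the example; the patterns are a starting point, not a complete catalogue of sensitive formats.

```python
import logging
import re

# Constructed patterns. What counts as sensitive is application-specific; treat
# these as a starting point and extend them (account numbers, session ids, ...).
_AUTH_HEADER = re.compile(r"(?i)\b(authorization\s*[=:]\s*)(\S+(?:\s+\S+)?)")
_BEARER = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+")
_SECRET_KV = re.compile(
    r"(?i)\b(password|passwd|pwd|token|secret|api[_-]?key)\b(\s*[=:]\s*)(\S+)")
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def sanitize(message: str) -> str:
    """Redact credential-like values and e-mail addresses from one log message.
    Order matters: header forms are handled before the generic key=value form."""
    message = _AUTH_HEADER.sub(lambda m: f"{m.group(1)}[REDACTED]", message)
    message = _BEARER.sub("Bearer [REDACTED]", message)
    message = _SECRET_KV.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", message)
    message = _EMAIL.sub("[EMAIL REDACTED]", message)
    return message


class RedactingFilter(logging.Filter):
    """Rewrites each record's fully formatted message before any handler emits it.

    Formatting the args first matters: the sensitive value is usually passed as
    an argument ('%s'), so redacting only record.msg would miss it.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitize(record.getMessage())
        record.args = ()
        return True


def capture_sanitized(message: str, *args) -> str:
    """Run one message through a logger fitted with RedactingFilter and return
    the line the handler would have written (used for demonstration and tests)."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    logger = logging.getLogger("tmi.redaction.example")  # assumed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.info(message, *args)
    return captured[0]


if __name__ == "__main__":
    # Constructed log lines of the kind the threat describes.
    print(capture_sanitized("login failed for %s: password=%s", "alice@example.com", "hunter2"))
    print(capture_sanitized("upstream rejected request; Authorization: Bearer eyJabc.def"))
```

Attaching the filter to the handler (or to every handler) rather than to one logger is deliberate: records from third-party libraries propagate to the root logger and would otherwise bypass a filter installed on the application's own logger. The "code review for logging statements" item in the list is still needed, because a regex cannot recognise a sensitive value that carries no recognisable shape.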
Next steps:
- Learn about Collaborative Threat Modeling
- Explore Issue Tracker Integration
- Review Security Best Practices