Securitymedium

What is threat modeling, and how do you run a lightweight threat model for a feature?

Answer

Threat modeling is a structured way to identify assets, threats, and mitigations by mapping actors, entry points, and trust boundaries. A lightweight model uses a quick data-flow diagram, lists likely threats (e.g., STRIDE), and prioritizes mitigations by risk.

Advanced answer

Deep dive

A lightweight model should be fast enough for every feature and still expose real risks:

Define assets: data, money, credentials, availability, reputation.
Identify actors and entry points (UI, API, webhooks, integrations).
Draw data flows and trust boundaries (browser -> API -> DB, third-party callbacks).
Enumerate threats (STRIDE) and rank by impact x likelihood.
Pick mitigations and assign owners; track as tasks and revisit.

Examples

A tiny example (payment webhook):

Browser -> API -> DB
               ^
             Webhook (3rd-party)

Threats: spoofed webhook, replay, tampering
Mitigations: HMAC signature, idempotency key, allowlisted IPs

Common pitfalls

Treating it as a one-time document instead of a living artifact.
Ignoring trust boundaries and third-party integrations.
Not ranking threats, so everything becomes "high".

Interview follow-ups

How would you prioritize mitigations with a tight deadline?
What changes when the feature becomes public?