threat-modeling
1
总安装量
1
周安装量
#45075
全站排名
安装命令
npx skills add https://github.com/bagelhole/devops-security-agent-skills --skill threat-modeling
Agent 安装分布
opencode
1
codex
1
claude-code
1
Skill 文档
Threat Modeling
Identify and mitigate security threats during system design.
STRIDE Methodology
| Threat | Description | Mitigation |
|---|---|---|
| Spoofing | Pretending to be someone else | Authentication |
| Tampering | Modifying data | Integrity controls |
| Repudiation | Denying actions | Audit logging |
| Information Disclosure | Data exposure | Encryption |
| Denial of Service | Making service unavailable | Rate limiting |
| Elevation of Privilege | Gaining higher access | Authorization |
Process
steps:
1_scope:
- Define system boundaries
- Identify assets
- Document data flows
2_diagram:
- Create data flow diagrams
- Identify trust boundaries
- Mark entry points
3_identify:
- Apply STRIDE to each component
- List potential threats
- Document attack vectors
4_assess:
- Rate likelihood and impact
- Prioritize by risk score
5_mitigate:
- Design countermeasures
- Accept/transfer risks
- Document decisions
Data Flow Diagram
[External User] --> |HTTPS| --> [Load Balancer]
|
v
[Web Server]
|
[Trust Boundary]
|
v
[App Server] --> [Database]
Threat Cards
threat:
id: T001
name: SQL Injection
category: Tampering
component: Database queries
likelihood: High
impact: Critical
mitigations:
- Parameterized queries
- Input validation
- WAF rules
status: Mitigated
Best Practices
- Integrate into SDLC
- Review on architecture changes
- Include development team
- Document all decisions
- Regular reassessment
Related Skills
- sast-scanning – Code analysis
- penetration-testing – Validation