陌讯skills聚合平台

threat-modeling

📁 dralgorhythm/claude-agentic-framework 📅 4 days ago
1
总安装量
1
周安装量
#47168
全站排名
安装命令
npx skills add https://github.com/dralgorhythm/claude-agentic-framework --skill threat-modeling

Agent 安装分布

amp 1
opencode 1
cursor 1
codex 1
github-copilot 1

Skill 文档

Threat Modeling

MCP Tools

Sequential Thinking (systematic analysis): Use for structured STRIDE analysis:

  1. Enumerate each threat category systematically
  2. Consider attack vectors step-by-step
  3. Evaluate mitigations with pros/cons
  4. Document reasoning for risk acceptance

Why Threat Model?

  • Identify threats early
  • Prioritize security efforts
  • Document security assumptions
  • Guide security testing

STRIDE Methodology

Use Sequential Thinking to work through each category:

S – Spoofing

Pretending to be someone else.

  • Example: Forged authentication tokens
  • Mitigation: Strong authentication, MFA

T – Tampering

Modifying data without authorization.

  • Example: Changing request parameters
  • Mitigation: Integrity checks, signatures
  • Trace with Grep: Find all input handlers

R – Repudiation

Denying an action occurred.

  • Example: User denies making transaction
  • Mitigation: Audit logging, non-repudiation

I – Information Disclosure

Exposing confidential data.

  • Example: API returns sensitive fields
  • Mitigation: Encryption, access controls
  • Trace with Grep: Find data return points

D – Denial of Service

Making system unavailable.

  • Example: Resource exhaustion attack
  • Mitigation: Rate limiting, auto-scaling

E – Elevation of Privilege

Gaining unauthorized access.

  • Example: User becomes admin
  • Mitigation: Least privilege, input validation
  • Trace with Grep: Find authorization checks

Threat Modeling Process

1. Decompose System

  • Use Grep and Glob to identify entry points
  • Draw data flow diagrams
  • Identify trust boundaries

2. Identify Threats

Use Sequential Thinking to systematically ask STRIDE questions for each component.

3. Trace Data Flow

Use Grep to trace:

  • User input → processing → storage
  • Authentication token flow
  • Sensitive data paths

4. Rate Threats

Use DREAD or CVSS scoring:

  • Damage potential
  • Reproducibility
  • Exploitability
  • Affected users
  • Discoverability

5. Mitigate

  • Avoid: Remove the feature
  • Transfer: Use third-party
  • Mitigate: Add controls
  • Accept: Document risk (use Sequential Thinking to justify)

Threat Model Document

## Asset: User Database

### Threats
| Threat | Type | Likelihood | Impact | Risk |
|--------|------|------------|--------|------|
| SQL Injection | Tampering | Medium | High | High |
| Data Breach | Info Disclosure | Low | Critical | High |

### Mitigations
1. Parameterized queries
2. Encryption at rest
3. Access logging
GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。