陌讯skills聚合平台

threat-modeling

📁 nguyenhuuca/assessment 📅 10 days ago
8
总安装量
7
周安装量
#34688
全站排名
安装命令
npx skills add https://github.com/nguyenhuuca/assessment --skill threat-modeling

Agent 安装分布

mcpjam 7
claude-code 7
replit 7
junie 7
windsurf 7
zencoder 7

Skill 文档

Threat Modeling

MCP Tools

Sequential Thinking (systematic analysis): Use for structured STRIDE analysis:

  1. Enumerate each threat category systematically
  2. Consider attack vectors step-by-step
  3. Evaluate mitigations with pros/cons
  4. Document reasoning for risk acceptance

Why Threat Model?

  • Identify threats early
  • Prioritize security efforts
  • Document security assumptions
  • Guide security testing

STRIDE Methodology

Use Sequential Thinking to work through each category:

S – Spoofing

Pretending to be someone else.

  • Example: Forged authentication tokens
  • Mitigation: Strong authentication, MFA

T – Tampering

Modifying data without authorization.

  • Example: Changing request parameters
  • Mitigation: Integrity checks, signatures
  • Trace with Grep: Find all input handlers

R – Repudiation

Denying an action occurred.

  • Example: User denies making transaction
  • Mitigation: Audit logging, non-repudiation

I – Information Disclosure

Exposing confidential data.

  • Example: API returns sensitive fields
  • Mitigation: Encryption, access controls
  • Trace with Grep: Find data return points

D – Denial of Service

Making system unavailable.

  • Example: Resource exhaustion attack
  • Mitigation: Rate limiting, auto-scaling

E – Elevation of Privilege

Gaining unauthorized access.

  • Example: User becomes admin
  • Mitigation: Least privilege, input validation
  • Trace with Grep: Find authorization checks

Threat Modeling Process

1. Decompose System

  • Use Grep and Glob to identify entry points
  • Draw data flow diagrams
  • Identify trust boundaries

2. Identify Threats

Use Sequential Thinking to systematically ask STRIDE questions for each component.

3. Trace Data Flow

Use Grep to trace:

  • User input → processing → storage
  • Authentication token flow
  • Sensitive data paths

4. Rate Threats

Use DREAD or CVSS scoring:

  • Damage potential
  • Reproducibility
  • Exploitability
  • Affected users
  • Discoverability

5. Mitigate

  • Avoid: Remove the feature
  • Transfer: Use third-party
  • Mitigate: Add controls
  • Accept: Document risk (use Sequential Thinking to justify)

Threat Model Document

## Asset: User Database

### Threats
| Threat | Type | Likelihood | Impact | Risk |
|--------|------|------------|--------|------|
| SQL Injection | Tampering | Medium | High | High |
| Data Breach | Info Disclosure | Low | Critical | High |

### Mitigations
1. Parameterized queries
2. Encryption at rest
3. Access logging
GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。