Threat modelling is about thinking like an attacker to find vulnerabilities in your system. It helps you understand how a system works, how data moves through it, and where things might go wrong.
I’ve created a task to help you practice using STRIDE to spot potential threats in a model system called “We Are Angry.” STRIDE stands for:
- Spoofing,
- Tampering,
- Repudiation,
- Information disclosure,
- Denial of service, and
- Elevation of privilege.
It is a simple way to guide your thinking and explore different types of risks.
When I run threat modeling sessions, I often use my card game called Threat Agents to make it more engaging. Each card represents a type of attack or attacker, which helps spark ideas about how systems could be at risk. You can try it too if you want to explore threat modelling in a fun and structured way.
Your task:
- Download and review the We Are Angry data flow diagram.
- Look at how data moves through the system. You can focus on the whole system or just one user flow.
- Identify three possible threats or attacks you could test for.
- Try to use three different STRIDE categories if you can.
- For each threat, explain what it is, where it targets in the diagram, and why it matters.
Post your findings as a reply to this thread. Once you have shared, read what others have posted. You might get new ideas for how you could find threats in your own systems.
Handy resources:
If you want to learn more about threat modeling and other practical ways to build security into your testing, check out my course Everyday Security Testing: A Practical Guide to Getting Started.
