10 Dos and Don'ts of Threat Modeling
By Apostolos Giannakidis | Product Security at Microsoft
Threat modeling is a structured approach to identifying and mitigating security risks early in the software design phase. This proactive practice seeks to understand the types of threats an application might face, assess their potential risk and impact, and implement controls to prevent them. As a key application security activity, threat modeling is integral to building applications that are secure by design.
As the lead of the threat modeling program at Microsoft Identity, I’ve gained first-hand experience with the practical challenges and significant benefits of threat modeling in large organizations. Early detection of security flaws during the design phase can deliver measurable business value, avoiding costly fixes later on and strengthening application resilience.
In this article, we’ll explore five essential dos and five don’ts of threat modeling, focusing on its practical application while being mindful of resource and time constraints.
#1. Do Start Early in the Development Lifecycle
Every software system is, by necessity, a security system. For this reason, threat modeling should never be an afterthought; make it a foundational activity of your software design phase. Starting threat modeling at the beginning of the design phase lets you identify design flaws and security risks before they become deeply embedded in the system. This gives developers and security teams a clear roadmap to follow, fosters a security-first mindset, and avoids the pitfalls of fixing vulnerabilities in production, which is both costly and time-consuming.
#2. Don't Rely Solely on Automated Tools
Automation has become a powerful asset in threat modeling, enabling faster creation of data flow diagrams, generating compliance and "what if" questions, and even providing answers to some of these questions. AI-powered tools, such as large language models (LLMs) and Copilot assistants, have expanded the capabilities of automation, making it easier to identify common security risks, suggest mitigation strategies, and highlight areas of concern. However, threat modeling should not rely solely on automation.
Human insight remains essential in threat modeling. Subject matter experts bring critical thinking and a deep understanding of the technology, business logic, and potential attack vectors, allowing them to recognize context-specific threats unique to a particular application, threats that automated tools might overlook. Human judgment is crucial for prioritizing threats, assessing the severity of risks, and determining realistic mitigation strategies tailored to specific environments and scenarios. Moreover, human review is necessary to filter out the false positives and false negatives generated by automated tools, ensuring more accurate threat modeling outcomes.
Effective threat modeling combines advanced automation with expert analysis in a collaborative process that benefits from diverse perspectives and expertise. When security and development teams work together, they can leverage automation for efficiency while relying on human expertise for contextual understanding, resulting in a comprehensive and balanced threat model.
Want to learn more? Read all 10 dos and don'ts of threat modeling on DZone.