返回 Skill 列表
extension
分类: 开发与工程无需 API Key

security-threat-modeling

使用资产、信任边界、攻击者能力和滥用路径进行威胁建模的安全工作流程。在系统或主要功能需要在实施或重大发布前进行明确的安全设计验证时使用;不用于主动事件遏制。

person作者: jakexiaohubgithub

Security Threat Modeling

Overview

Use this skill to make security risks explicit early, prioritize mitigations, and prevent costly redesign after implementation.

Scope Boundaries

  • New architecture, integration, or data flow introduces fresh trust boundaries.
  • Significant feature changes alter attacker opportunity or impact.
  • Security requirements need prioritization before implementation commitments.

Templates And Assets

  • Threat model template:
    • assets/threat-model-template.md

Inputs To Gather

  • System context, components, and data flow diagrams.
  • Asset classification and business impact.
  • Assumed attacker capabilities and exposure surface.
  • Existing controls and operational detection capabilities.

Deliverables

  • Threat model with assets, trust boundaries, entry points, and abuse paths.
  • Prioritized mitigation plan with owner, expected risk reduction, and timeline.
  • Validation plan mapping top threats to test and monitoring evidence.

Workflow

  1. Define model scope and highest-value assets in assets/threat-model-template.md.
  2. Identify trust boundaries and all ingress/egress paths.
  3. Enumerate attacker goals and feasible attack paths for each boundary.
  4. Assess risk using impact and exploitability, then rank mitigation candidates.
  5. Select controls across prevention, detection, and response, not prevention only.
  6. Record residual risks that are accepted, including owner and review date.
  7. Convert priority threats into concrete engineering and verification tasks.

Quality Standard

  • Top abuse paths are evidence-backed and mapped to concrete controls.
  • Mitigation prioritization is explicit and reproducible.
  • Residual risks are intentionally accepted, not implied.
  • Model output is actionable by engineering, security, and operations.

Failure Conditions

  • Stop when assets and trust boundaries are undefined.
  • Stop when high-impact threats are listed without mitigation owner.
  • Escalate when risk acceptance lacks accountable approval.