--- id: devsec-threat-modeling title: Threat Modeling — STRIDE / Trust Boundary category: Coding status: draft source_trust_level: B verification_status: conceptual created_at: 2026-05-09 updated_at: 2026-05-09 tags: [devsecops, threat-modeling, security, vibe-coding] tech_stack: { language: "Process", applicable_to: ["Security"] } applied_in: [] aliases: [STRIDE, threat modeling, attack tree, DREAD, OCTAVE, data flow diagram] --- # Threat Modeling > "어떤 공격 가능한가" 사전 분석. **STRIDE 가 표준** — Spoofing / Tampering / Repudiation / Info Disclosure / DoS / Elevation. 새 feature design 시. ## 📖 핵심 개념 - Asset: 보호할 것 (사용자 데이터, money, reputation). - Threat: 위협 (공격 vector). - Trust boundary: trust level 변화 (untrusted → trusted). - Mitigation: 방어 control. ## 💻 코드 패턴 ### STRIDE ``` S - Spoofing: identity 위조 (다른 사람으로 로그인) T - Tampering: 데이터 변조 (request body 변경) R - Repudiation: 부인 (audit log 없어 누가 했는지 모름) I - Info Disclosure: 정보 누출 D - DoS: 서비스 마비 E - Elevation of privilege: 권한 상승 ``` ### 4-Step process ``` 1. Diagram: 시스템 / data flow 그리기 2. Identify threats: 각 component 에 STRIDE 적용 3. Mitigate: 방어 control 디자인 4. Validate: 검증 (test, audit, pen test) ``` ### Data Flow Diagram (DFD) ``` [User Browser] --HTTPS--> [API Gateway] --gRPC--> [Order Service] --SQL--> [PostgreSQL] | v [Stripe API] Trust boundaries: - User browser ↔ API Gateway: external - API Gateway ↔ Order Service: internal (mTLS) - Order Service ↔ Stripe: external API ``` ### 각 component 에 STRIDE ```markdown ## API Gateway - S (Spoofing): 다른 user 가 다른 user 로 로그인? → JWT signature + short expiry + refresh token rotation - T (Tampering): Request 변조? → HTTPS + JWT signed + body validation (zod) - R (Repudiation): 사용자가 "안 했다" 부인? → Audit log + signed actions - I (Info Disclosure): 토큰 leak? → HttpOnly cookie + Secure + SameSite - D (DoS): Brute force / flood? → Rate limit per IP / per user + WAF - E (Elevation): 일반 user 가 admin? → Role check at every protected endpoint + RLS in DB ## Order Service - T (Tampering): Order amount 변경? → Server-side calc, never trust client amount - I: Other user's orders? → user_id check + RLS - E: User → admin endpoint? → middleware check, separate admin namespace ``` ### 자주 빠뜨리는 ``` - Time-of-check vs time-of-use (race) - IDOR (예측 가능 ID + 검증 안 함) - SSRF (사용자 URL → internal network) - Mass assignment (extra fields 받음) - Server-side request smuggling - Cache poisoning - Subdomain takeover - Open redirect - ReDoS (regex 무한) - Prototype pollution ``` ### Attack tree ``` Goal: Steal user credentials ├── Phishing │ ├── Email │ └── Lookalike domain ├── XSS │ ├── Stored XSS │ └── Reflected XSS ├── Token theft │ ├── localStorage XSS │ └── Cookie theft (no HttpOnly) └── Brute force └── Weak password + no lockout ``` → 모든 leaf 에 mitigation. ### LLM agent 에서 새 위협 ``` - Prompt injection (사용자 input → system prompt 우회) - Data exfiltration (사용자가 LLM 에 다른 사용자 데이터 추출) - Tool abuse (사용자가 LLM 통해 임의 tool 호출) - Model poisoning (training data 오염) ``` ```ts // Mitigation - System prompt 명시 + boundary - Tool 권한 제한 (per user scope) - Output filter (PII, harmful content) - Audit log (모든 LLM call) - Rate limit ``` ### Tools ``` Microsoft Threat Modeling Tool: 무료, Windows OWASP Threat Dragon: OSS, web PyTM (코드로 model): python ATT&CK / D3FEND framework: knowledge base LINDDUN (privacy-focused): GDPR ``` ### 코드로 model (PyTM) ```python from pytm import TM, Server, Datastore, Dataflow, Boundary, Actor tm = TM('My API') internet = Boundary('Internet') internal = Boundary('Internal') user = Actor('User'); user.inBoundary = internet api = Server('API'); api.inBoundary = internal db = Datastore('PostgreSQL'); db.inBoundary = internal f1 = Dataflow(user, api, 'HTTPS request'); f1.protocol = 'HTTPS' f2 = Dataflow(api, db, 'SQL query'); f2.protocol = 'SQL' tm.process() ``` → Markdown report 자동. ### 정기 review ``` - 새 feature design 시 - 외부 통합 추가 시 - 매 6개월 - Incident 후 - 큰 architecture 변경 후 ``` ### Bug bounty ``` HackerOne / Bugcrowd 가 외부 검증. 정기 pen test + 일상 bug bounty 결합. ``` ### Mitigation 우선순위 ``` DREAD score: - Damage potential: 1-10 - Reproducibility: 1-10 - Exploitability: 1-10 - Affected users: 1-10 - Discoverability: 1-10 → 합 / 5 = severity. 큰 거 먼저. ``` 또는 CVSS 가 표준. ### Documentation 예 ```markdown # Order API — Threat model ## Assets - User data (email, address, payment) - Money (charges) - Audit trail ## Trust boundaries - Internet → API gateway (TLS, auth) - Service ↔ DB (mTLS, scoped credentials) ## Top threats 1. **IDOR on /orders/:id** (severity: high) - Mitigation: user_id check + RLS - Test: integration test 다른 사용자 order 2. **Race in payment** (severity: high) - Mitigation: Idempotency key 3. **Webhook signature bypass** (severity: critical) - Mitigation: HMAC + raw body + replay check ``` ### Continuous threat modeling ``` - PR template 에 "Security considerations?" 항목 - Threat model 가 git 안 (변경 git diff) - 사고 시 model update ``` ## 🤔 의사결정 기준 | 상황 | 추천 | |---|---| | 매 feature | 짧은 STRIDE | | 큰 service / 새 architecture | Full DFD + STRIDE | | Privacy / GDPR | LINDDUN | | Compliance | OWASP ASVS checklist | | Quick assessment | Attack tree | | Long-term | Threat Dragon / PyTM | ## ❌ 안티패턴 - **Threat model 1회 + 안 update**: stale. - **LIST only — mitigation 안 매핑**: 액션 없음. - **"안전하다 가정"**: 검증 없음. - **Compliance checklist 만**: 실제 위협 안 봄. - **개발자 외 — security 만 작성**: 도메인 모름. - **매번 처음부터**: template 재사용. - **공격자 마음 안 들어감**: defensive 만. ## 🤖 LLM 활용 힌트 - STRIDE per component + Attack tree per goal. - LLM = prompt injection / data exfil / tool abuse 별도. - 매 PR 가 작은 threat 검토. ## 🔗 관련 문서 - [[Security_OWASP_Top_10_Practical]] - [[DevSec_DAST_SAST]] - [[Security_OAuth_Flows]]