A descriptive study of assumptions in STRIDE security threat modeling

Security threat modeling involves the systematic elicitation of plausible threat scenarios, and leads to the identification and articulation of the security requirements in the early stages of software development. Although they are an important source of architectural knowledge, assumptions made in this context are in practice left implicit or at best, documented informally in an unstructured textual format. As guidelines and best practices are lacking, the nature, purpose and impact of assumptions made in this context is generally not well understood. We present a descriptive study of in total 640 textual assumptions made in 96 STRIDE threat models of the same system. The study mainly focuses on the diversity in how assumptions are used in practice, in terms of (i) the role or function of these assumptions in the threat modeling process, (ii) the degree of coupling between the assumptions and the system under analysis, and (iii) the extent to which these assumptions are exclusively specific to security. We observe large differences on all three investigated aspects: practitioners use the mechanism of assumption-making for diverse purposes, but predominantly to exclude certain threats from further analysis, i.e. to scope the analysis effort by steering it away from threat scenarios that are considered less relevant up front. Based on our findings, we argue against the exclusive use of Data Flow Diagrams as the main basis for threat analysis, and in favor of integrating more expressive attacker and trust models which can co-evolve with the threat model and the system.