{"id":1748,"date":"2019-08-21T13:46:00","date_gmt":"2019-08-21T13:46:00","guid":{"rendered":"https:\/\/blog.kindgeek.com\/?p=1748"},"modified":"2025-01-08T12:50:36","modified_gmt":"2025-01-08T12:50:36","slug":"threat-modeling-for-quality-assurance","status":"publish","type":"post","link":"https:\/\/www.kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance","title":{"rendered":"Threat Modeling for Quality Assurance"},"content":{"rendered":"<div class=\"inhype-post\"><p class=\"post-date\">Recently updated on January 8, 2025<\/p><\/div>\n<h6 class=\"wp-block-heading\"><a href=\"#text1\">What is Threat Modeling in Software Development?<\/a><\/h6>\n\n\n\n<h6 class=\"wp-block-heading\"><a href=\"#text2\">How to Perform Threat Modeling?<\/a><\/h6>\n\n\n\n<h6 class=\"wp-block-heading\"><a href=\"#text3\">When to Threat Model During Agile?<\/a><\/h6>\n\n\n\n<p>In the article \u201c<a target=\"_blank\" href=\"https:\/\/kindgeek.com\/blog\/post\/qa-is-the-new-black\" rel=\"noreferrer noopener\">QA is the New Black<\/a>,\u201d we argued that the \u201cnew-age\u201d Quality Assurance professionals should ensure the test-driven development throughout all stages of a product\u2019s life-cycle, starting from the conceptual level. 
Threat modeling is a powerful methodology that complements the test-driven development and can elevate the security and quality of a product to a whole new level.<\/p>\n\n\n\n<a id=\"text1\"><\/a>\n\n\n\n<h2 class=\"wp-block-heading\">What is Threat Modeling in Software Development?&nbsp;<\/h2>\n\n\n\n<p>When you are walking down the dark deserted alley and your vivid imagination starts writing unpleasant scenarios of what could happen to you and how you can avoid them \u2014 you are threat modeling.&nbsp;<\/p>\n\n\n\n<p>You are also threat modeling when thinking about how to mitigate the negative consequences of running late to that one important meeting, which of course had to be the first thing in the morning.&nbsp;<\/p>\n\n\n\n<p>If you\u2019ve ever tried to think like a criminal out of&nbsp;<a target=\"_blank\" href=\"https:\/\/kindgeek.com\/blog\/post\/we-were-tricked-by-an-impostor-\" rel=\"noreferrer noopener\">curiosity<\/a>, boredom, or intent (hopefully not) to determine weak spots in a system that can be exploited \u2014 you\u2019ve threat modeled as well.&nbsp;<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">In other words,&nbsp;threat modeling&nbsp;is an activity for the identification and management of risks.&nbsp;<\/h6>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"680\" src=\"https:\/\/kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV-1024x680.jpg\" alt=\"Quality Assurance\" class=\"wp-image-1753\" srcset=\"https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV-1024x680.jpg 1024w, https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV-300x199.jpg 300w, https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV-768x510.jpg 768w, https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV-1536x1021.jpg 1536w, 
https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV-360x239.jpg 360w, https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV.jpg 1800w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Software developers, Testers, DevOps, Business Analysts, and other IT professionals threat model on a constant basis to determine how the system they are building can be screwed up so they can implement additional protection. Threat modeling is similar to playing abstract Jenga with software architecture: you pull out one block at a time to see whether the structure holds.&nbsp;<\/p>\n\n\n\n<p>However, the process of threat modeling is not always a conscious and planned team effort but rather a spontaneous individual initiative of an employee.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">Imagine a hypothetical situation:<\/h6>\n\n\n\n<p>Mary is a developer who currently works on a big&nbsp;<a href=\"https:\/\/services.kindgeek.com\/industries\/fintech\" target=\"_blank\" rel=\"noreferrer noopener\">FinTech<\/a>&nbsp;project and is responsible for creating a key-encryption mechanism. She decides to use the default random number generator for encryption. After the work is done, Mary goes to have some coffee. While enjoying the hot beverage, she thinks about her algorithm and whether it is reliable enough. Mary starts thinking about ways of abusing the encryption mechanism and remembers random number generator attacks: when the generator behind an encryption scheme is not random enough, its output can be predicted and the scheme exploited. Therefore, she goes back and replaces the default random generator with a higher-quality one that combines several sources of randomness with high entropy. 
The resulting encryption mechanism is significantly more robust, and their FinTech project will not end up on the&nbsp;<a target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Random_number_generator_attack#Predictable_Netscape_seed\" rel=\"noreferrer noopener\">Random Number Generator Attack<\/a>&nbsp;list.&nbsp;<\/p>\n\n\n\n<p>Imagine how many more vulnerabilities it would have been possible to identify and eliminate if threat modeling had been a directed and well-structured effort during the early stages of the product life-cycle. It would also have saved Mary the time she spent rewriting her code.&nbsp;<\/p>\n\n\n\n<p>Thus, threat modeling cannot manifest its full potential if it is not a must-have approach during the early stages of software development. Such a bug-preventing and vulnerability-identifying mechanism can be a powerful Quality Assurance tool in the software development industry.&nbsp;&nbsp;<\/p>\n\n\n\n<a id=\"text2\"><\/a>\n\n\n\n<h2 class=\"wp-block-heading\">How to Perform Threat Modeling?<\/h2>\n\n\n\n<p>The first thing to establish is that threat modeling should be a team effort; it requires the cooperation of QAs, Developers, DevOps, Business Analysts, and everyone else in between. Otherwise, the results will not be complete.&nbsp;<\/p>\n\n\n\n<p>Even though threat modeling is all about one\u2019s creativity, experience, and criminal ingenuity, it still has a universal structure to it that helps to bring forth its full potential. In his book, \u201c<a target=\"_blank\" href=\"https:\/\/threatmodelingbook.com\/\" rel=\"noreferrer noopener\">Threat Modeling: Designing for Security<\/a>,\u201d Adam Shostack states that you start threat modeling by focusing on four questions:&nbsp;<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">1) What are you building? You can start answering this question by modeling the way data flows in your application.&nbsp;<\/h6>\n\n\n\n<h6 class=\"wp-block-heading\">2) What can go wrong? 
You can divide the answer to this question into three parts:<\/h6>\n\n\n\n<p>&nbsp; &nbsp;a. What valuable assets of the application should be secured?<\/p>\n\n\n\n<p>&nbsp; &nbsp;b. What can an attacker do to those assets?<\/p>\n\n\n\n<p>&nbsp; &nbsp;c. What system vulnerabilities can the attacker use?&nbsp;<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">3) What should you do about those things that can go wrong?<\/h6>\n\n\n\n<h6 class=\"wp-block-heading\">4) Did you do a decent job of analysis?&nbsp;<\/h6>\n\n\n\n<p>The achieved results will shed light on previously hidden and not so obvious issues with the product and, as a result, will significantly improve testing practices and make the code more fireproof.&nbsp;<\/p>\n\n\n\n<p>There are different approaches and even a special game developed for Threat Modeling that can be found in the book mentioned above.&nbsp;<\/p>\n\n\n\n<p>As you can see, threat modeling is a great opportunity for IT professionals to go full-scale Moriarty and exercise their creativity.<\/p>\n\n\n\n<a id=\"text3\"><\/a>\n\n\n\n<h2 class=\"wp-block-heading\">When to Threat Model During Agile?<\/h2>\n\n\n\n<p>Threat modeling does not have a fixed place within the&nbsp;<a target=\"_blank\" href=\"https:\/\/kindgeek.com\/blog\/post\/scrum-in-software-development\" rel=\"noreferrer noopener\">agile<\/a>&nbsp;software development approach. Use threat modeling when and where you find it the most appropriate.&nbsp;<\/p>\n\n\n\n<p>We have two small recommendations, though: conduct threat modeling&nbsp;<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">1) As soon as the architecture is ready.&nbsp;<\/h6>\n\n\n\n<h6 class=\"wp-block-heading\">2) Right after a change to the architecture has been made.<\/h6>\n\n\n\n<p>Also, you can treat threat modeling as a part of test-driven development and develop test cases according to the results. 
The only limit is your experience and imagination.<\/p>\n\n\n\n<p>Remember, threat modeling is about elevating the quality of software products to a new level by determining the system\u2019s weaknesses and vulnerabilities in the earliest stages of product development. Threat modeling is not mandatory for software development. However, it is an amazing tool for companies who want to create products of the highest quality possible.<\/p>\n\n\n\n<p>You can also read our article \u201c<a target=\"_blank\" href=\"https:\/\/kindgeek.com\/blog\/post\/developing-secure-fintech-application\" rel=\"noreferrer noopener\">Developing Secure FinTech Application<\/a>\u201d for more cyber-security tips.&nbsp;&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the article \u201cQA is the New Black,\u201d we argued that the \u201cnew-age\u201d Quality Assurance professionals should ensure the test-driven development throughout all stages of a product\u2019s life-cycle, starting from the conceptual level. 
Threat modeling is a powerful methodology that complements the test-driven development and can elevate the security and quality of a product to a whole new level.<\/p>\n","protected":false},"author":5,"featured_media":1753,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[298],"tags":[],"class_list":{"0":"post-1748","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-software-development"},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Threat Modeling for Quality Assurance | Kindgeek<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Threat Modeling for Quality Assurance | Kindgeek\" \/>\n<meta property=\"og:description\" content=\"In the article \u201cQA is the New Black,\u201d we argued that the \u201cnew-age\u201d Quality Assurance professionals should ensure the test-driven development throughout all stages of a product\u2019s life-cycle, starting from the conceptual level. 
Threat modeling is a powerful methodology that complements the test-driven development and can elevate the security and quality of a product to a whole new level.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance\" \/>\n<meta property=\"og:site_name\" content=\"Kindgeek\" \/>\n<meta property=\"article:published_time\" content=\"2019-08-21T13:46:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-01-08T12:50:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1800\" \/>\n\t<meta property=\"og:image:height\" content=\"1196\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Mykhailo Bogdan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mykhailo Bogdan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Threat Modeling for Quality Assurance | Kindgeek","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance","og_locale":"en_US","og_type":"article","og_title":"Threat Modeling for Quality Assurance | Kindgeek","og_description":"In the article \u201cQA is the New Black,\u201d we argued that the \u201cnew-age\u201d Quality Assurance professionals should ensure the test-driven development throughout all stages of a product\u2019s life-cycle, starting from the conceptual level. 
Threat modeling is a powerful methodology that complements the test-driven development and can elevate the security and quality of a product to a whole new level.","og_url":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance","og_site_name":"Kindgeek","article_published_time":"2019-08-21T13:46:00+00:00","article_modified_time":"2025-01-08T12:50:36+00:00","og_image":[{"width":1800,"height":1196,"url":"https:\/\/kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV.jpg","type":"image\/jpeg"}],"author":"Mykhailo Bogdan","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Mykhailo Bogdan","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance#article","isPartOf":{"@id":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance"},"author":{"name":"Mykhailo Bogdan","@id":"https:\/\/kindgeek.com\/blog\/#\/schema\/person\/da573e7542c45dc047809322eb5dda40"},"headline":"Threat Modeling for Quality Assurance","datePublished":"2019-08-21T13:46:00+00:00","dateModified":"2025-01-08T12:50:36+00:00","mainEntityOfPage":{"@id":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance"},"wordCount":967,"commentCount":0,"publisher":{"@id":"https:\/\/kindgeek.com\/blog\/#organization"},"image":{"@id":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance#primaryimage"},"thumbnailUrl":"https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV.jpg","articleSection":["Software Development"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance","url":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance","name":"Threat Modeling for Quality Assurance | 
Kindgeek","isPartOf":{"@id":"https:\/\/kindgeek.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance#primaryimage"},"image":{"@id":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance#primaryimage"},"thumbnailUrl":"https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV.jpg","datePublished":"2019-08-21T13:46:00+00:00","dateModified":"2025-01-08T12:50:36+00:00","breadcrumb":{"@id":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance#primaryimage","url":"https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV.jpg","contentUrl":"https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/01\/rtJ14FBFMMOg32Yl2iYV.jpg","width":1800,"height":1196},{"@type":"BreadcrumbList","@id":"https:\/\/kindgeek.com\/blog\/post\/threat-modeling-for-quality-assurance#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/kindgeek.com\/blog"},{"@type":"ListItem","position":2,"name":"Threat Modeling for Quality Assurance"}]},{"@type":"WebSite","@id":"https:\/\/kindgeek.com\/blog\/#website","url":"https:\/\/kindgeek.com\/blog\/","name":"Kindgeek","description":"Blog | 
Kindgeek","publisher":{"@id":"https:\/\/kindgeek.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kindgeek.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kindgeek.com\/blog\/#organization","name":"Kindgeek","url":"https:\/\/kindgeek.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kindgeek.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/kindgeek.com\/blog\/wp-content\/uploads\/2026\/02\/kg-logo-updated.png","contentUrl":"https:\/\/kindgeek.com\/blog\/wp-content\/uploads\/2026\/02\/kg-logo-updated.png","width":300,"height":60,"caption":"Kindgeek"},"image":{"@id":"https:\/\/kindgeek.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/kindgeek.com\/blog\/#\/schema\/person\/da573e7542c45dc047809322eb5dda40","name":"Mykhailo Bogdan","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kindgeek.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/04\/mykhailo-150x150.jpeg","contentUrl":"https:\/\/www.kindgeek.com\/blog\/wp-content\/uploads\/2021\/04\/mykhailo-150x150.jpeg","caption":"Mykhailo 
Bogdan"},"url":"https:\/\/www.kindgeek.com\/blog\/post\/author\/mykhailo-bogdan"}]}},"_links":{"self":[{"href":"https:\/\/www.kindgeek.com\/blog\/wp-json\/wp\/v2\/posts\/1748","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kindgeek.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kindgeek.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kindgeek.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kindgeek.com\/blog\/wp-json\/wp\/v2\/comments?post=1748"}],"version-history":[{"count":7,"href":"https:\/\/www.kindgeek.com\/blog\/wp-json\/wp\/v2\/posts\/1748\/revisions"}],"predecessor-version":[{"id":5213,"href":"https:\/\/www.kindgeek.com\/blog\/wp-json\/wp\/v2\/posts\/1748\/revisions\/5213"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kindgeek.com\/blog\/wp-json\/wp\/v2\/media\/1753"}],"wp:attachment":[{"href":"https:\/\/www.kindgeek.com\/blog\/wp-json\/wp\/v2\/media?parent=1748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kindgeek.com\/blog\/wp-json\/wp\/v2\/categories?post=1748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kindgeek.com\/blog\/wp-json\/wp\/v2\/tags?post=1748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}