What is threat modeling, and how would you approach it for a new feature you're building?
technical-conceptual · Junior level · cloud-devops-security
What the interviewer is really asking
Assess whether the candidate understands threat modeling as a structured, design-phase exercise to find security flaws before code ships, and can name a concrete method (e.g. STRIDE and the four-question framework) rather than treating it as a vague 'think about security' step.
What to say
- Define it as a structured way to find security weaknesses during design, before any code is written, by asking the four core questions: what are we building, what can go wrong, what are we going to do about it, and did we do a good enough job.
- Describe the mechanics: sketch a data flow diagram of the feature (external entities, processes, data stores, data flows) and mark the trust boundaries where data crosses a privilege level — those boundaries are where most threats live.
- Name a taxonomy like STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) so you enumerate threats systematically per element instead of relying on gut feel, then prioritise and assign a mitigation to each real one.
What to avoid
- Treating it as a post-launch pentest or a one-time checklist rather than a design-phase activity that's cheapest to act on before code exists.
- Saying 'I'd just run a vulnerability scanner' — scanning finds known issues in shipped code; threat modeling finds design flaws a scanner can't see.
- Listing STRIDE letters by rote with no idea how to apply them to an actual diagram or feature.
Example answers
Strong: For a new file-upload feature I drew a quick data flow diagram — browser to API to an S3 bucket — and the trust boundary was the API ingest point. Walking STRIDE per element, the threats that mattered were Tampering (someone uploading a malicious file type) and Information disclosure (a guessable object URL), so we added server-side content-type validation and signed, time-limited URLs before we wrote the upload handler.
Weak: Threat modeling is when the security team runs a penetration test on the app once it's deployed and sends us the findings.