Agent skill

threat-model-generator

Creates comprehensive threat models using STRIDE methodology with asset identification, threat enumeration, mitigation strategies, and residual risk assessment. Use for "threat modeling", "security analysis", "STRIDE", or "risk assessment".

View SKILL.md on GitHub Repository
Stars 23
Forks 2

Install this agent skill to your Project

npx add-skill https://github.com/patricio0312rev/skills/tree/main/security/threat-model-generator

SKILL.md

Threat Model Generator

Systematically identify and mitigate security threats.

STRIDE Methodology

S - Spoofing: Impersonating someone/something
T - Tampering: Modifying data or code
R - Repudiation: Claiming you didn't do something
I - Information Disclosure: Exposing protected information
D - Denial of Service: Making system unavailable
E - Elevation of Privilege: Gaining unauthorized permissions

Asset Identification

typescript
interface Asset {
  name: string;
  type: "data" | "service" | "user" | "infrastructure";
  sensitivity: "public" | "internal" | "confidential" | "restricted";
  criticality: "low" | "medium" | "high" | "critical";
}

const assets: Asset[] = [
  {
    name: "User Credentials (passwords, tokens)",
    type: "data",
    sensitivity: "restricted",
    criticality: "critical",
  },
  {
    name: "Payment Information (credit cards)",
    type: "data",
    sensitivity: "restricted",
    criticality: "critical",
  },
  {
    name: "API Service",
    type: "service",
    sensitivity: "internal",
    criticality: "high",
  },
  {
    name: "User Profile Data",
    type: "data",
    sensitivity: "confidential",
    criticality: "medium",
  },
];

Threat Enumeration

typescript
interface Threat {
  id: string;
  category: "S" | "T" | "R" | "I" | "D" | "E";
  description: string;
  asset: string;
  attackVector: string;
  likelihood: "low" | "medium" | "high";
  impact: "low" | "medium" | "high" | "critical";
  riskScore: number;
}

const threats: Threat[] = [
  {
    id: "T-001",
    category: "S",
    description: "Attacker impersonates user with stolen credentials",
    asset: "User Credentials",
    attackVector: "Phishing, credential stuffing, brute force",
    likelihood: "high",
    impact: "critical",
    riskScore: 9,
  },
  {
    id: "T-002",
    category: "T",
    description: "SQL injection allows data modification",
    asset: "User Profile Data",
    attackVector: "Malicious SQL in input fields",
    likelihood: "medium",
    impact: "high",
    riskScore: 7,
  },
  {
    id: "T-003",
    category: "I",
    description: "API exposes sensitive user data without auth",
    asset: "User Profile Data",
    attackVector: "Direct API access, IDOR",
    likelihood: "medium",
    impact: "high",
    riskScore: 7,
  },
  {
    id: "T-004",
    category: "D",
    description: "DDoS attack overwhelms API",
    asset: "API Service",
    attackVector: "Volumetric attack, application-layer flood",
    likelihood: "medium",
    impact: "high",
    riskScore: 7,
  },
  {
    id: "T-005",
    category: "E",
    description: "Privilege escalation via role manipulation",
    asset: "User Profile Data",
    attackVector: "Parameter tampering, insecure direct object reference",
    likelihood: "low",
    impact: "critical",
    riskScore: 6,
  },
];

Mitigation Strategies

typescript
interface Mitigation {
  threatId: string;
  strategy: string;
  implementation: string;
  effectiveness: "low" | "medium" | "high";
  cost: "low" | "medium" | "high";
  priority: 1 | 2 | 3;
}

const mitigations: Mitigation[] = [
  {
    threatId: "T-001",
    strategy: "Multi-factor authentication",
    implementation: "TOTP via authenticator app + SMS backup",
    effectiveness: "high",
    cost: "medium",
    priority: 1,
  },
  {
    threatId: "T-001",
    strategy: "Rate limiting on login attempts",
    implementation: "Max 5 attempts per 15 minutes per IP",
    effectiveness: "medium",
    cost: "low",
    priority: 1,
  },
  {
    threatId: "T-002",
    strategy: "Parameterized queries",
    implementation: "Use ORM (Prisma) for all database access",
    effectiveness: "high",
    cost: "low",
    priority: 1,
  },
  {
    threatId: "T-003",
    strategy: "Authentication & Authorization",
    implementation: "JWT tokens + RBAC middleware on all routes",
    effectiveness: "high",
    cost: "low",
    priority: 1,
  },
  {
    threatId: "T-004",
    strategy: "Rate limiting & CDN",
    implementation: "CloudFlare with rate limits + WAF rules",
    effectiveness: "high",
    cost: "medium",
    priority: 2,
  },
  {
    threatId: "T-005",
    strategy: "Role-based access control",
    implementation: "Enforce RBAC checks on all mutations",
    effectiveness: "high",
    cost: "low",
    priority: 1,
  },
];

Residual Risk Assessment

typescript
interface ResidualRisk {
  threatId: string;
  originalRisk: number;
  mitigatedRisk: number;
  residualRisk: number;
  acceptanceReason?: string;
  monitoringRequired: boolean;
}

function calculateResidualRisk(
  threat: Threat,
  mitigations: Mitigation[]
): ResidualRisk {
  const threatMitigations = mitigations.filter((m) => m.threatId === threat.id);

  // Calculate risk reduction
  const maxEffectiveness = Math.max(
    ...threatMitigations.map((m) => {
      if (m.effectiveness === "high") return 0.8;
      if (m.effectiveness === "medium") return 0.5;
      return 0.2;
    })
  );

  const mitigatedRisk = threat.riskScore * (1 - maxEffectiveness);

  return {
    threatId: threat.id,
    originalRisk: threat.riskScore,
    mitigatedRisk,
    residualRisk: Math.round(mitigatedRisk),
    acceptanceReason:
      mitigatedRisk < 3 ? "Risk reduced to acceptable level" : undefined,
    monitoringRequired: mitigatedRisk >= 3,
  };
}

Threat Model Document Template

markdown
# Threat Model: User Authentication System

**Date:** 2024-01-15
**Owner:** Security Team
**Reviewers:** Engineering, Product

## 1. System Overview

### Architecture

- Frontend: React SPA
- Backend: Node.js + Express
- Database: PostgreSQL
- Auth: JWT tokens

### Trust Boundaries

- Internet → CDN
- CDN → Backend API
- Backend API → Database

## 2. Assets

| Asset            | Type | Sensitivity  | Criticality |
| ---------------- | ---- | ------------ | ----------- |
| User Credentials | Data | Restricted   | Critical    |
| Session Tokens   | Data | Restricted   | Critical    |
| User Profile     | Data | Confidential | Medium      |

## 3. Threats (STRIDE)

### Spoofing (S)

**T-001: Credential Theft**

- **Likelihood:** High
- **Impact:** Critical
- **Risk Score:** 9
- **Attack Vector:** Phishing, credential stuffing
- **Mitigations:**
  - MFA required for all accounts
  - Rate limiting on login (5 attempts/15min)
  - Breach password detection
- **Residual Risk:** 3 (Low)

### Tampering (T)

**T-002: Token Modification**

- **Likelihood:** Medium
- **Impact:** High
- **Risk Score:** 7
- **Attack Vector:** Token tampering, replay attacks
- **Mitigations:**
  - HMAC signature on JWT
  - Short token expiry (15 min)
  - Refresh token rotation
- **Residual Risk:** 2 (Low)

### Information Disclosure (I)

**T-003: Sensitive Data Leakage**

- **Likelihood:** Medium
- **Impact:** High
- **Risk Score:** 7
- **Attack Vector:** Error messages, logs, API responses
- **Mitigations:**
  - Generic error messages
  - PII redaction in logs
  - HTTPS everywhere
- **Residual Risk:** 2 (Low)

## 4. Risk Summary

| Priority | Threats | Mitigated | Residual Risk |
| -------- | ------- | --------- | ------------- |
| P1       | 3       | 3         | Low           |
| P2       | 2       | 1         | Medium        |
| P3       | 1       | 0         | Medium        |

## 5. Recommendations

1. **Immediate (P1)**

   - Implement MFA
   - Add rate limiting
   - Deploy PII redaction

2. **Short-term (P2)**

   - Add DDoS protection
   - Implement RBAC auditing

3. **Long-term (P3)**
   - Security training for team
   - Penetration testing

## 6. Acceptance

- [ ] Security Team Approval
- [ ] Engineering Lead Approval
- [ ] Product Manager Approval

Automated Threat Detection

typescript
// scripts/detect-threats.ts
interface CodePattern {
  pattern: RegExp;
  threat: string;
  severity: "low" | "medium" | "high" | "critical";
}

const patterns: CodePattern[] = [
  {
    pattern: /eval\(/,
    threat: "Code injection via eval()",
    severity: "critical",
  },
  {
    pattern: /innerHTML\s*=/,
    threat: "XSS via innerHTML",
    severity: "high",
  },
  {
    pattern: /process\.env\./,
    threat: "Hardcoded environment variable",
    severity: "medium",
  },
  {
    pattern: /password|secret|key/i,
    threat: "Potential secret in code",
    severity: "high",
  },
];

Best Practices

  1. Regular updates: Quarterly threat model reviews
  2. Include stakeholders: Security, Engineering, Product
  3. Document decisions: Why threats accepted/mitigated
  4. Test mitigations: Verify controls work
  5. Monitor residual risks: Track over time
  6. Automate where possible: Integrate into CI/CD

Output Checklist

  • Assets identified and classified
  • Threats enumerated using STRIDE
  • Attack vectors documented
  • Mitigations defined for each threat
  • Residual risk calculated
  • Risk acceptance documented
  • Monitoring plan created
  • Threat model document generated
  • Stakeholder approval obtained
  • Review schedule set

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

patricio0312rev/skills

rate-limiting-abuse-protection

Implements rate limiting and abuse prevention with per-route policies, IP/user-based limits, sliding windows, safe error responses, and observability. Use when adding "rate limiting", "API protection", "abuse prevention", or "DDoS protection".

23 2
Explore
patricio0312rev/skills

rbac-permissions-builder

Implements role-based access control with permission matrix, route guards, policy functions, and UI permission hints. Provides middleware/guards, helper utilities, test suggestions, and permission checking patterns. Use when building "RBAC", "permissions", "access control", or "authorization".

23 2
Explore
patricio0312rev/skills

websocket-realtime-builder

Implements real-time features using WebSockets with Socket.io, rooms, authentication, and reconnection handling. Use when users request "real-time updates", "WebSocket", "Socket.io", "live chat", or "push notifications".

23 2
Explore
patricio0312rev/skills

webhook-receiver-hardener

Secures webhook receivers with signature verification, retry handling, deduplication, idempotency keys, and error responses. Provides verification code, dedupe storage strategy, runbook for incidents. Use when implementing "webhooks", "webhook security", "event receivers", or "third-party integrations".

23 2
Explore
patricio0312rev/skills

auth-module-builder

Implements secure authentication patterns including login/registration, session management, JWT tokens, password hashing, cookie settings, and CSRF protection. Provides auth routes, middleware, security configurations, and threat model documentation. Use when building "authentication", "login system", "JWT auth", or "session management".

23 2
Explore
patricio0312rev/skills

rest-to-graphql-migrator

Migrates REST APIs to GraphQL incrementally with schema stitching, REST datasources, and gradual endpoint migration. Use when users request "migrate to GraphQL", "REST to GraphQL", "GraphQL wrapper", or "API modernization".

23 2
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results