How to Threat Model Features with Questionnaires



A set of questions and associated threats and mitigations to serve as a list to be used as inspiration when threat modeling.


Instead of diagramming (which takes a lot of time), can we use questions when creating new features? This would allow developers to threat model new features themselves and would scale threat modeling across an organisation.

This type of questionnaire is used in the Slack SDL and Irius tool; however, they are open source and should not be confused with these products.

The Scope

The scope for the changes the developers want to make is:

  • A new feature is requested
  • It has a textbox with Nickname
  • It has a button to say hello
  • The username is reflected when pressing the button

What questions do we need to ask developers to replace threat modeling?

The Questions

  1. Is the data stored?

  2. Is the data sent to the server?

  3. Is it sensitive data?

  4. Is it PII data including IP addresses?

    • GDPR
    • What Data?
  5. Is the data displayed back to the user?

  6. Is the user authenticated?

  7. Do we need to authenticate the source of the data?

    • Can we accept data from an anonymous source?
  8. Are you adding a new data flow?

  9. Are you changing the fields in an existing API?

  10. Are you adding a new process?

  11. Are you using a new component or API?

  12. Are you adding a new storage system / component?

  13. Is the availability of this feature a concern?

  14. What are the performance requirements?

  15. Does the user have the required role to access this functionality?

  16. Does the data need to be accessed by the user?

  17. Where does the code for the feature run?

Question Types

  • Do you have control? (Yes or No)
  • What sort of data is this? (Short Text)
  • How is this used? (Prompt Thinking)


Question 1 = Yes: lack of data integrity, business logic

Question 2 = Yes: unaudited data, injection attacks

Question 3 = Yes + Question 2: information disclosure of sensitive data in transit

Question 3 = Yes + Question 1: information disclosure of sensitive data at rest
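
The four mappings above can be evaluated mechanically once the answers are recorded. The following Python sketch is an added example, not part of the session output: it holds the mappings as data and reports which threats apply and which cannot be decided until more questions are answered. The names `RULES`, `evaluate` and `NICKNAME_ANSWERS`, and the answers given for the Nickname feature, are assumptions made for illustration.

```python
# Added example: the four question-to-threat rules listed above, held as data.
# Question numbers refer to the numbered list of questions on this page.
RULES = [
    ({1}, "lack of data integrity, business logic"),
    ({2}, "unaudited data, injection attacks"),
    ({3, 2}, "information disclosure of sensitive data in transit"),
    ({3, 1}, "information disclosure of sensitive data at rest"),
]


def evaluate(answers):
    """Apply RULES to a questionnaire.

    answers maps question number -> True (yes) or False (no); a question
    that is absent counts as unanswered. Returns (threats, open_items):
    threats whose questions were all answered yes, and (threat, questions)
    pairs that cannot be decided until the listed questions are answered.
    """
    threats, open_items = [], []
    for required, threat in RULES:
        if any(answers.get(q) is False for q in required):
            continue  # a single "no" rules this threat out
        missing = sorted(q for q in required if answers.get(q) is None)
        if missing:
            open_items.append((threat, missing))
        else:
            threats.append(threat)
    return threats, open_items


# Constructed answers for the Nickname feature (assumed for illustration):
# the nickname is not stored (Q1 = no), it is sent to the server (Q2 = yes),
# and nobody has yet answered whether it is sensitive (Q3 unanswered).
NICKNAME_ANSWERS = {1: False, 2: True}

if __name__ == "__main__":
    threats, open_items = evaluate(NICKNAME_ANSWERS)
    for t in threats:
        print("THREAT:", t)
    for t, qs in open_items:
        print("UNDECIDED:", t, "- answer question(s)", qs)
```

Treating an unanswered question as "undecided" rather than "no" keeps a skipped question from silently hiding a threat.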


Make questions available by SCRUM



Session organiser(s)

Stephen de Vries


Stephen de Vries, Paul Santapau, Adam Shostack, Tony Richards, Aurelijus Stanislovaitis, Fraser Scott, Luis Saiz, Ruben Tronçon, Sara Davis, Stuart Winter-Tear, Tash Norris
