ABSTRACT

Threat modeling is the principal analysis technique by which the types of attack against a digital system are considered. Security architects, whether or not they think of threat modeling formally and whether or not they think in terms of architecture, must identify the set of attacks that have the potential to cause harm in order to build an appropriate collection of defenses; that is, they must threat model. A security architect must piece together a computer-science understanding of operating systems and loadable programs with knowledge of attack types such as a buffer overrun. Some attacks have preconditions without which that particular class of attack is irrelevant. For instance, SQL injection cannot take place unless an SQL language processor is present somewhere in the chain of data flow. By understanding a class of attack as an architectural pattern rather than as a specific attack, one can quite quickly build the set of relevant attacks for any particular system under analysis and discount the others.
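As an added illustration of treating an attack class as an architectural pattern with a precondition (this example is not part of the original abstract or of the book it introduces), the following Python sketch encodes a small system as components and data flows, then keeps or discounts each attack class according to whether its precondition is met on the chain of data flow from untrusted input. The component kinds, the pattern definitions and the two sample systems are constructed assumptions; the example also goes slightly beyond the text by adding cross-site scripting as a third pattern next to SQL injection and buffer overrun.

```python
"""Toy threat-model derivation: attack classes as architectural patterns with preconditions.

Constructed example; the component vocabulary and pattern rules are assumptions,
not a published methodology.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Component:
    name: str
    kind: str    # assumed vocabulary: "browser" | "web_app" | "sql_db" | "native_service"
    trust: str   # "untrusted" marks an attacker-influenced source of data


@dataclass(frozen=True)
class Flow:
    src: str     # component name data leaves
    dst: str     # component name data arrives at


@dataclass(frozen=True)
class Architecture:
    components: tuple[Component, ...]
    flows: tuple[Flow, ...]

    def by_name(self) -> dict[str, Component]:
        return {c.name: c for c in self.components}

    def reachable_from_untrusted(self) -> set[str]:
        """Components that attacker-influenced data can reach, following flows transitively."""
        frontier = [c.name for c in self.components if c.trust == "untrusted"]
        seen = set(frontier)
        while frontier:
            cur = frontier.pop()
            for f in self.flows:
                if f.src == cur and f.dst not in seen:
                    seen.add(f.dst)
                    frontier.append(f.dst)
        return seen

    def exposed(self, kind: str) -> list[str]:
        """Trusted components of the given kind that untrusted data actually reaches."""
        reach = self.reachable_from_untrusted()
        return sorted(c.name for c in self.components
                      if c.kind == kind and c.trust != "untrusted" and c.name in reach)


@dataclass(frozen=True)
class AttackPattern:
    name: str
    # Returns the components that satisfy the precondition; empty means the class is discounted.
    precondition: Callable[[Architecture], list[str]]
    rationale: str


def xss_precondition(a: Architecture) -> list[str]:
    """A web app that receives untrusted data and renders output back to a browser."""
    comps = a.by_name()
    renderers = set(a.exposed("web_app"))
    return sorted({f.src for f in a.flows if f.src in renderers and comps[f.dst].kind == "browser"})


PATTERNS = (
    AttackPattern("SQL injection", lambda a: a.exposed("sql_db"),
                  "needs an SQL language processor in the chain of data flow from untrusted input"),
    AttackPattern("buffer overrun", lambda a: a.exposed("native_service"),
                  "needs memory-unsafe native code that parses attacker-influenced data"),
    AttackPattern("cross-site scripting", xss_precondition,
                  "needs untrusted data rendered into a page a browser will interpret"),
)


def threat_model(arch: Architecture) -> dict[str, list[str]]:
    """Map each pattern name to the components that make it relevant (empty list = discounted)."""
    return {p.name: p.precondition(arch) for p in PATTERNS}


def relevant(arch: Architecture) -> list[str]:
    return [name for name, evidence in threat_model(arch).items() if evidence]


def discounted(arch: Architecture) -> list[str]:
    return [name for name, evidence in threat_model(arch).items() if not evidence]


# Constructed sample system 1: browser -> web storefront -> SQL database, page rendered back.
WEB_SHOP = Architecture(
    components=(Component("browser", "browser", "untrusted"),
                Component("storefront", "web_app", "trusted"),
                Component("orders-db", "sql_db", "trusted")),
    flows=(Flow("browser", "storefront"), Flow("storefront", "orders-db"), Flow("storefront", "browser")),
)

# Constructed sample system 2: uploads go to a native image decoder; an SQL database exists
# but no untrusted data ever flows to it, so SQL injection is discounted despite its presence.
FILE_GATEWAY = Architecture(
    components=(Component("upload-client", "browser", "untrusted"),
                Component("gateway", "web_app", "trusted"),
                Component("image-decoder", "native_service", "trusted"),
                Component("audit-db", "sql_db", "trusted")),
    flows=(Flow("upload-client", "gateway"), Flow("gateway", "image-decoder")),
)

if __name__ == "__main__":
    for label, arch in (("web shop", WEB_SHOP), ("file gateway", FILE_GATEWAY)):
        print(f"{label}: relevant={relevant(arch)} discounted={discounted(arch)}")
```

The second sample system is the instructive one: the SQL database is present in the architecture, but because no untrusted data flows to it the precondition fails and SQL injection is discounted, which is exactly the "somewhere in the chain of data flow" condition in the abstract. A real threat model would refine the precondition rules (for instance distinguishing parameterised queries from string-built SQL), but the shape of the reasoning, pattern plus precondition evaluated against the architecture, stays the same.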