<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.10.0">Jekyll</generator><link href="https://bhandarisandeep.com/feed.xml" rel="self" type="application/atom+xml" /><link href="https://bhandarisandeep.com/" rel="alternate" type="text/html" /><updated>2026-07-07T19:17:17+00:00</updated><id>https://bhandarisandeep.com/feed.xml</id><title type="html">Sandeep Bhandari</title><subtitle>Application Security Engineer — notes on web/mobile security, threat modeling, and AppSec at scale.</subtitle><author><name>Sandeep Bhandari</name></author><entry><title type="html">Threat Modeling: A Practical Guide to STRIDE and Beyond</title><link href="https://bhandarisandeep.com/posts/2026/07/08/threat-modeling-a-practical-guide/" rel="alternate" type="text/html" title="Threat Modeling: A Practical Guide to STRIDE and Beyond" /><published>2026-07-08T08:30:00+00:00</published><updated>2026-07-08T08:30:00+00:00</updated><id>https://bhandarisandeep.com/posts/2026/07/08/threat-modeling-a-practical-guide</id><content type="html" xml:base="https://bhandarisandeep.com/posts/2026/07/08/threat-modeling-a-practical-guide/"><![CDATA[<p>Threat modeling is one of the highest-leverage activities in application security —
done well, it catches design flaws before a single line of vulnerable code ships.
This is my working reference: how to start, which methodology to reach for, and a
deep dive into STRIDE with the edge cases that actually trip people up.</p>

<h2 id="how-to-start-threat-modeling">How to Start Threat Modeling</h2>

<p><img src="/assets/img/tm-process.svg" alt="Six-step threat modeling process" /></p>

<ol>
  <li><strong>Define the System Scope</strong>
    <ul>
      <li>Identify what you’re protecting (assets, data, functionality)</li>
      <li>Understand the system boundaries</li>
      <li>Document the architecture and data flows</li>
    </ul>
  </li>
  <li><strong>Create System Models</strong>
    <ul>
      <li>Data Flow Diagrams (DFDs)</li>
      <li>Architecture diagrams</li>
      <li>Trust boundaries identification</li>
    </ul>
  </li>
  <li><strong>Choose Your Methodology</strong>
    <ul>
      <li>Based on your context, team expertise, and objectives</li>
    </ul>
  </li>
  <li><strong>Identify Threats</strong>
    <ul>
      <li>Systematically go through each component</li>
      <li>Consider attack vectors and threat actors</li>
    </ul>
  </li>
  <li><strong>Assess and Prioritize</strong>
    <ul>
      <li>Evaluate likelihood and impact</li>
      <li>Prioritize based on risk</li>
    </ul>
  </li>
  <li><strong>Define Mitigations</strong>
    <ul>
      <li>Security controls and countermeasures</li>
      <li>Residual risk acceptance</li>
    </ul>
  </li>
</ol>

<h2 id="threat-modeling-methodologies-comparison">Threat Modeling Methodologies Comparison</h2>

<h3 id="stride-microsoft">STRIDE (Microsoft)</h3>

<p><strong>Best for:</strong> Application-level security, systematic coverage
<strong>Strengths:</strong> Comprehensive, well-documented, easy to learn
<strong>Weaknesses:</strong> Can be overwhelming for large systems, doesn’t prioritize by default</p>

<h3 id="pasta-process-for-attack-simulation-and-threat-analysis">PASTA (Process for Attack Simulation and Threat Analysis)</h3>

<p><strong>Best for:</strong> Risk-centric analysis, business alignment
<strong>Strengths:</strong> Business-focused, considers attacker perspective
<strong>Weaknesses:</strong> More complex, requires more resources</p>

<h3 id="octave-operationally-critical-threat-asset-and-vulnerability-evaluation">OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)</h3>

<p><strong>Best for:</strong> Organizational risk management
<strong>Strengths:</strong> Asset-focused, considers operational impact
<strong>Weaknesses:</strong> Heavy process, less technical detail</p>

<h3 id="attack-trees">Attack Trees</h3>

<p><strong>Best for:</strong> Specific attack scenario analysis
<strong>Strengths:</strong> Visual, easy to understand attack paths
<strong>Weaknesses:</strong> Limited scope, doesn’t cover all threat types</p>

<h2 id="stride-methodology-deep-dive">STRIDE Methodology Deep Dive</h2>

<p><img src="/assets/img/stride.svg" alt="STRIDE categories and the security property each violates" /></p>

<h3 id="the-six-categories-with-edge-cases">The Six Categories with Edge Cases</h3>

<h4 id="1-spoofing-identity">1. Spoofing (Identity)</h4>

<p><strong>Definition:</strong> Pretending to be someone/something else</p>

<p><strong>Clear Examples:</strong></p>

<ul>
  <li>Using stolen credentials to login</li>
  <li>IP address spoofing</li>
  <li>Email spoofing</li>
  <li>Certificate spoofing</li>
</ul>

<p><strong>Edge Cases:</strong></p>

<ul>
  <li>Session hijacking (could be spoofing or tampering)</li>
  <li>Man-in-the-middle attacks (involves both spoofing and tampering)</li>
</ul>

<h4 id="2-tampering-integrity">2. Tampering (Integrity)</h4>

<p><strong>Definition:</strong> Modifying data or code without authorization</p>

<p><strong>Clear Examples:</strong></p>

<ul>
  <li>Modifying database records</li>
  <li>Altering configuration files</li>
  <li>Code injection attacks</li>
  <li>Packet modification in transit</li>
</ul>

<p><strong>Edge Cases:</strong></p>

<ul>
  <li>Parameter manipulation (could be tampering or elevation of privilege)</li>
  <li>Race conditions leading to data corruption</li>
</ul>

<h4 id="3-repudiation-non-repudiation">3. Repudiation (Non-repudiation)</h4>

<p><strong>Definition:</strong> Denying that an action was performed</p>

<p><strong>Clear Examples:</strong></p>

<ul>
  <li>User denying they made a transaction</li>
  <li>Admin denying they deleted files</li>
  <li>Lack of audit logs</li>
</ul>

<p><strong>Edge Cases:</strong></p>

<ul>
  <li>Shared accounts (makes repudiation easier)</li>
  <li>Clock synchronization issues</li>
</ul>

<h4 id="4-information-disclosure-confidentiality">4. Information Disclosure (Confidentiality)</h4>

<p><strong>Definition:</strong> Exposing information to unauthorized parties</p>

<p><strong>Clear Examples:</strong></p>

<ul>
  <li>SQL injection revealing data</li>
  <li>Directory traversal attacks</li>
  <li>Unencrypted data transmission</li>
  <li>Error messages revealing system info</li>
</ul>

<p><strong>Edge Cases:</strong></p>

<ul>
  <li>Timing attacks (information through response times)</li>
  <li>Side-channel attacks</li>
</ul>

<h4 id="5-denial-of-service-availability">5. Denial of Service (Availability)</h4>

<p><strong>Definition:</strong> Making resources unavailable</p>

<p><strong>Clear Examples:</strong></p>

<ul>
  <li>DDoS attacks</li>
  <li>Resource exhaustion</li>
  <li>System crashes</li>
  <li>Network flooding</li>
</ul>

<p><strong>Edge Cases:</strong></p>

<ul>
  <li>Algorithmic complexity attacks</li>
  <li>Storage exhaustion through log flooding</li>
</ul>

<h4 id="6-elevation-of-privilege-authorization">6. Elevation of Privilege (Authorization)</h4>

<p><strong>Definition:</strong> Gaining higher privileges than intended</p>

<p><strong>Clear Examples:</strong></p>

<ul>
  <li>Buffer overflow leading to admin access</li>
  <li>SQL injection with admin queries</li>
  <li>Privilege escalation bugs</li>
  <li>Insecure direct object references</li>
</ul>

<p><strong>Edge Cases:</strong></p>

<ul>
  <li>Horizontal privilege escalation (accessing peer data)</li>
  <li>Time-of-check-time-of-use (TOCTTOU) attacks</li>
</ul>

<h2 id="10-examples-clarifying-stride-differences">10 Examples Clarifying STRIDE Differences</h2>

<h3 id="1-login-page-attack">1. Login Page Attack</h3>

<ul>
  <li><strong>Spoofing:</strong> Using stolen username/password</li>
  <li><strong>Tampering:</strong> Modifying login request to change user role parameter</li>
  <li><strong>Elevation of Privilege:</strong> Exploiting a bug that grants admin access after login</li>
</ul>

<h3 id="2-database-attack">2. Database Attack</h3>

<ul>
  <li><strong>Spoofing:</strong> Connecting with fake service account credentials</li>
  <li><strong>Tampering:</strong> SQL injection modifying user records</li>
  <li><strong>Information Disclosure:</strong> SQL injection extracting sensitive data</li>
  <li><strong>Elevation of Privilege:</strong> Using SQL injection to execute admin functions</li>
</ul>

<h3 id="3-api-attack">3. API Attack</h3>

<ul>
  <li><strong>Spoofing:</strong> Using forged JWT tokens</li>
  <li><strong>Tampering:</strong> Modifying API request parameters</li>
  <li><strong>Information Disclosure:</strong> Accessing API endpoints without authorization</li>
  <li><strong>Elevation of Privilege:</strong> Exploiting IDOR to access admin functions</li>
</ul>

<h3 id="4-file-system-attack">4. File System Attack</h3>

<ul>
  <li><strong>Spoofing:</strong> Impersonating a legitimate process</li>
  <li><strong>Tampering:</strong> Modifying configuration files</li>
  <li><strong>Information Disclosure:</strong> Reading sensitive files via path traversal</li>
  <li><strong>Elevation of Privilege:</strong> Exploiting file permissions to gain root access</li>
</ul>

<h3 id="5-network-attack">5. Network Attack</h3>

<ul>
  <li><strong>Spoofing:</strong> ARP spoofing to intercept traffic</li>
  <li><strong>Tampering:</strong> Modifying packets in transit</li>
  <li><strong>Information Disclosure:</strong> Packet sniffing on unencrypted channels</li>
  <li><strong>Denial of Service:</strong> Network flooding</li>
</ul>

<h3 id="6-session-management">6. Session Management</h3>

<ul>
  <li><strong>Spoofing:</strong> Session hijacking with stolen session ID</li>
  <li><strong>Tampering:</strong> Modifying session data</li>
  <li><strong>Information Disclosure:</strong> Session ID exposure in URLs</li>
  <li><strong>Elevation of Privilege:</strong> Session fixation leading to admin access</li>
</ul>

<h3 id="7-email-system">7. Email System</h3>

<ul>
  <li><strong>Spoofing:</strong> Sending emails with forged sender addresses</li>
  <li><strong>Tampering:</strong> Modifying email content in transit</li>
  <li><strong>Information Disclosure:</strong> Reading others’ emails</li>
  <li><strong>Repudiation:</strong> Denying sending malicious emails</li>
</ul>

<h3 id="8-web-application">8. Web Application</h3>

<ul>
  <li><strong>Spoofing:</strong> CSRF attacks impersonating user actions</li>
  <li><strong>Tampering:</strong> XSS modifying page content</li>
  <li><strong>Information Disclosure:</strong> XSS stealing cookies/tokens</li>
  <li><strong>Elevation of Privilege:</strong> XSS leading to admin panel access</li>
</ul>

<h3 id="9-mobile-application">9. Mobile Application</h3>

<ul>
  <li><strong>Spoofing:</strong> App impersonation through repackaging</li>
  <li><strong>Tampering:</strong> Runtime manipulation of app behavior</li>
  <li><strong>Information Disclosure:</strong> Insecure data storage</li>
  <li><strong>Elevation of Privilege:</strong> Rooting/jailbreaking exploitation</li>
</ul>

<h3 id="10-cloud-infrastructure">10. Cloud Infrastructure</h3>

<ul>
  <li><strong>Spoofing:</strong> Using compromised cloud credentials</li>
  <li><strong>Tampering:</strong> Modifying cloud configurations</li>
  <li><strong>Information Disclosure:</strong> Misconfigured S3 buckets</li>
  <li><strong>Elevation of Privilege:</strong> IAM privilege escalation</li>
</ul>

<h2 id="a-common-point-of-confusion">A Common Point of Confusion</h2>

<p><strong>Scenario:</strong> Tampering with login request parameters (like user role)</p>

<p><strong>Analysis:</strong></p>

<ul>
  <li><strong>Primary Category:</strong> Tampering (you’re modifying the request)</li>
  <li><strong>Secondary Effect:</strong> Elevation of Privilege (the result is higher access)</li>
  <li><strong>Not Spoofing:</strong> You’re not impersonating someone else’s identity</li>
</ul>

<blockquote>
  <p><strong>Rule of Thumb:</strong> Categorize by the <strong>attack method</strong>, not the <strong>outcome</strong>. The
outcome helps you understand impact, but STRIDE categorizes the attack vector.</p>
</blockquote>

<h2 id="alternative-threat-modeling-approaches">Alternative Threat Modeling Approaches</h2>

<p>Once you’re comfortable with STRIDE, these approaches complement it well:</p>

<h3 id="1-pasta-recommended-addition">1. PASTA (Recommended Addition)</h3>

<ul>
  <li>More business-risk focused</li>
  <li>Seven-stage process</li>
  <li>Better for executive communication</li>
  <li>Complements STRIDE’s technical focus</li>
</ul>

<h3 id="2-linddun-for-privacy">2. LINDDUN (For Privacy)</h3>

<ul>
  <li>Privacy-focused threat modeling</li>
  <li>Complements STRIDE for GDPR/privacy requirements</li>
  <li>Seven categories: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, Non-compliance</li>
</ul>

<h3 id="3-cvss--stride">3. CVSS + STRIDE</h3>

<ul>
  <li>Use CVSS scoring with STRIDE categories</li>
  <li>Better quantitative risk assessment</li>
  <li>Industry-standard scoring</li>
</ul>

<h2 id="threat-vs-risk">Threat vs. Risk</h2>

<p>A statement I hear often: <em>“A threat is a possible harm/attack to the application,
where risk is the overall damage due to that harm or attack.”</em> That’s <strong>partially
correct</strong>, but it’s worth being precise, because the distinction drives how you
prioritize.</p>

<p><img src="/assets/img/risk-equation.svg" alt="Risk equals Threat times Vulnerability times Impact" /></p>

<p><strong>More Precise Definitions:</strong></p>

<ul>
  <li><strong>Threat:</strong> A potential danger or adverse event that could exploit a vulnerability</li>
  <li><strong>Vulnerability:</strong> A weakness that can be exploited</li>
  <li><strong>Risk:</strong> The potential for loss/damage when a threat exploits a vulnerability</li>
  <li><strong>Impact:</strong> The actual damage/consequence if the risk materializes</li>
</ul>

<p><strong>Formula:</strong> <code class="language-plaintext highlighter-rouge">Risk = Threat × Vulnerability × Impact</code></p>

<p><strong>Better Statement:</strong> <em>“A threat is a potential attack or adverse event that could
exploit system vulnerabilities. Risk is the likelihood of a threat successfully
exploiting a vulnerability multiplied by the potential impact/damage.”</em></p>

<p><strong>Worked Example:</strong></p>

<ul>
  <li><strong>Threat:</strong> SQL injection attack</li>
  <li><strong>Vulnerability:</strong> Unsanitized input fields</li>
  <li><strong>Risk:</strong> High likelihood of data breach with significant financial/reputational damage</li>
  <li><strong>Impact:</strong> Loss of customer data, regulatory fines, reputation damage</li>
</ul>

<p>This framework is what lets you move from <em>identifying</em> threats (STRIDE) to
<em>quantifying and prioritizing</em> risks for business decision-making — which is where
threat modeling stops being an academic exercise and starts protecting the product.</p>]]></content><author><name>Sandeep Bhandari</name></author><category term="threat-modeling" /><category term="stride" /><category term="appsec" /><category term="security" /><summary type="html"><![CDATA[How to start threat modeling, a comparison of the major methodologies, a deep dive into STRIDE with edge cases and ten worked examples, and how to move from threats to risk.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://bhandarisandeep.com/assets/img/card-threat-modeling.svg" /><media:content medium="image" url="https://bhandarisandeep.com/assets/img/card-threat-modeling.svg" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">Hello, World: Why I’m Starting This Blog</title><link href="https://bhandarisandeep.com/posts/2026/07/08/hello-world/" rel="alternate" type="text/html" title="Hello, World: Why I’m Starting This Blog" /><published>2026-07-08T04:30:00+00:00</published><updated>2026-07-08T04:30:00+00:00</updated><id>https://bhandarisandeep.com/posts/2026/07/08/hello-world</id><content type="html" xml:base="https://bhandarisandeep.com/posts/2026/07/08/hello-world/"><![CDATA[<p>Welcome to the first post. I’ve spent the last several years working in application
and product security — threat modeling, code review, mobile security, and hunting
for scalable, high-impact issues. This blog is where I’ll write some of that down.</p>

<h2 id="what-to-expect">What to expect</h2>

<p>A few themes I want to cover over time:</p>

<ul>
  <li><strong>Threat modeling in practice</strong> — not the textbook version, but what actually
works when you’re sitting with an engineering team.</li>
  <li><strong>Mobile &amp; web security</strong> — real vulnerability patterns, and how to fix them
centrally instead of one ticket at a time.</li>
  <li><strong>AppSec at scale</strong> — using automation and AI-driven tooling to make security
keep up with engineering velocity.</li>
</ul>

<h2 id="how-this-is-built">How this is built</h2>

<p>This site is a hand-built static page, and the blog runs on <strong>Jekyll</strong> — which
GitHub Pages builds automatically. Writing a new post is just adding a Markdown
file like this one. No build server, no database.</p>

<blockquote>
  <p>Security isn’t a feature you bolt on. It’s a property you design in.</p>
</blockquote>

<p>More soon.</p>]]></content><author><name>Sandeep Bhandari</name></author><category term="meta" /><category term="appsec" /><summary type="html"><![CDATA[Kicking off a space to write about application security, threat modeling, and the lessons I pick up building secure systems at scale.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://bhandarisandeep.com/assets/img/card-hello-world.svg" /><media:content medium="image" url="https://bhandarisandeep.com/assets/img/card-hello-world.svg" xmlns:media="http://search.yahoo.com/mrss/" /></entry></feed>