threat-modeling-expert
Perform expert threat modeling for secure system design
Security teams struggle to identify threats systematically during system design. This skill applies structured methodologies like STRIDE and attack trees to find vulnerabilities before deployment.
スキルZIPをダウンロード
Claudeでアップロード
設定 → 機能 → スキル → スキルをアップロードへ移動
オンにして利用開始
テストする
「threat-modeling-expert」を使用しています。 Analyze a login API endpoint that accepts username/password and returns JWT tokens
期待される結果:
STRIDE Analysis Results:
- Spoofing: Credential brute-forcing, session hijacking via stolen tokens
- Tampering: Token manipulation, request interception and modification
- Repudiation: Missing audit logs for authentication events
- Information Disclosure: Credentials in transit, error messages revealing valid usernames
- Denial of Service: Rate limiting gaps, account lockout bypass
- Elevation of Privilege: Token privilege escalation, role manipulation
Top Priority: Implement rate limiting, secure token storage, and comprehensive auth logging.
「threat-modeling-expert」を使用しています。 Build attack tree for 'Steal customer payment data from e-commerce platform'
期待される結果:
Attack Tree Root: Steal Payment Data
├─ Compromise Application Layer
│ ├─ SQL injection on checkout form
│ ├─ XSS to capture card entry
│ └─ API abuse to enumerate transactions
├─ Compromise Infrastructure
│ ├─ Intercept network traffic
│ ├─ Access database backups
│ └─ Exploit logging systems
└─ Social Engineering
├─ Phishing support staff
└─ Impersonate legitimate users
Recommended Controls: Input validation, WAF rules, encryption at rest, network segmentation, staff training
セキュリティ監査
安全This skill contains documentation-only content (SKILL.md) describing threat modeling methodologies. All 7 static analysis findings for 'Weak cryptographic algorithm' and 'System reconnaissance' are false positives caused by security terminology in documentation text matching pattern detectors. No executable code, cryptographic operations, or actual reconnaissance capabilities exist. Safe for publication.
検出されたパターン
品質スコア
作れるもの
Security Architecture Review
Perform comprehensive threat modeling during system design phase to identify vulnerabilities before development begins.
Attack Surface Analysis
Build attack trees for critical features to understand potential exploitation paths and prioritize defenses.
Security Documentation
Generate structured threat models and security requirements for compliance audits and handoff to operations teams.
これらのプロンプトを試す
Analyze this system description using STRIDE methodology: [describe your system]. List potential threats for each STRIDE category with one-sentence descriptions.
Here is my data flow diagram: [describe data flows, trust boundaries, and components]. Apply STRIDE to each data flow and component. For each threat identified, provide a risk score (1-5) and recommended mitigation.
Build an attack tree for this scenario: [describe the attack goal, e.g., 'Unauthorized access to user database']. Start with the root goal, identify main attack paths as first-level nodes, then expand each path with specific techniques. Include likelihood estimates for leaf nodes.
Based on this threat model: [paste threats], extract specific security requirements for each identified risk. Format each requirement as: 'The system SHALL [action] to prevent/mitigate [threat]'. Organize requirements by functional area and prioritize by risk score.
ベストプラクティス
- Involve developers and architects in threat modeling sessions for accurate system understanding
- Focus analysis on data flows and trust boundaries rather than just component lists
- Update threat models after every significant architecture change or new feature addition
回避
- Performing threat modeling only once at project start without follow-up reviews
- Creating overly detailed attack trees that become unmaintainable documentation
- Identifying threats without linking them to specific mitigations and owners