Fortifying Your Defenses with Threat Modeling
php[tek] 2025
What is Threat Modeling?
Systematic Security Analysis
Structured, repeatable process
Attacker's Perspective
Identify threats to protect assets
Outcome
Prioritized list of design improvements
Why Threat Model?
Proactive over Reactive
Catch vulnerabilities in design phase
Industry Mandate
NIST guidance and the US Executive Order on cybersecurity urge it as a first security step
Reduce Risk
Anticipate attacks before code is written
When to Threat Model
Start Early
High-level model during requirements/design
Iterate Often
Update as features/code evolve
Continuous Process
Integrate into Agile/DevSecOps cycles
Threat Modeling Steps
Define the System
Inventory components, data flows, assets (DFDs)
Identify Threats
Apply STRIDE categories to find vulnerabilities
Prioritize Threats
Assess risk (likelihood × impact)
Plan Mitigations
Choose response for each threat
Review
Validate model, update with changes
System Modeling: Data Flows
Draw Data Flow Diagrams
Show components, data stores, trust zones
Identify Assets
Sensitive data, dependencies, external APIs
Useful Tools
OWASP Threat Dragon, draw.io, Microsoft Threat Modeling Tool
Identifying Threats with STRIDE
Spoofing
Authentication
Tampering
Integrity
Repudiation
Non-repudiation/logging
Information Disclosure
Confidentiality
Denial of Service
Availability
Elevation of Privilege
Authorization
STRIDE Examples (Web Context)
Spoofing
Credential theft (stolen JWT or session cookie)
Tampering
SQL Injection, malicious input altering DB
Repudiation
Missing logs or log manipulation
More STRIDE Examples
Information Disclosure
Data leak via API, misconfigured storage
Denial of Service
Bot-driven login attempts, resource exhaustion
Elevation of Privilege
User accessing admin actions (broken role checks)
Prioritizing Threats: DREAD & Risk
Risk Formula
Risk = Likelihood × Impact
Damage
How severe is the impact?
Reproduce
How easily can attack be repeated?
Exploit
How difficult is execution?
Affected Users
How many users impacted?
Discover
How easily found by attackers?
Response Strategies
Mitigate
Add controls (input validation, framework auth)
Eliminate
Remove the risky feature entirely
Transfer
Outsource/insure (third-party service)
Accept
Document and live with it (if risk is low)
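To show how the DREAD factors feed the Risk = Likelihood × Impact formula and then a response choice, here is an added Python example (not from the talk). The six threats are the slide's STRIDE web-context examples; every rating, the 0..1 scaling and the Accept threshold are constructed assumptions for illustration.

```python
"""DREAD ranking of the slides' STRIDE web-context threats.

Factors are rated 1 (low) to 10 (high). Risk = Likelihood x Impact uses
Reproduce, Exploit and Discover as likelihood and Damage and Affected
Users as impact, each scaled to 0..1. All ratings are constructed.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    stride: str
    damage: int          # How severe is the impact?
    reproduce: int       # How easily can the attack be repeated?
    exploit: int         # How easy is execution? (10 = trivial)
    affected_users: int  # How many users are impacted?
    discover: int        # How easily is it found by attackers?

    def dread(self) -> float:  # classic DREAD score: mean of the five factors
        return (self.damage + self.reproduce + self.exploit
                + self.affected_users + self.discover) / 5

    def likelihood(self) -> float:
        return (self.reproduce + self.exploit + self.discover) / 30

    def impact(self) -> float:
        return (self.damage + self.affected_users) / 20

    def risk(self) -> float:
        return round(self.likelihood() * self.impact(), 3)

def response_for(risk: float) -> str:
    """Assumed policy: Accept only low risk; Eliminate/Transfer are
    per-threat design decisions, so everything else defaults to Mitigate."""
    return "Mitigate" if risk >= 0.2 else "Accept (document it)"

def prioritize(threats):
    """Return (name, stride, risk, response) tuples, highest risk first."""
    ranked = sorted(threats, key=lambda t: t.risk(), reverse=True)
    return [(t.name, t.stride, t.risk(), response_for(t.risk())) for t in ranked]

WEB_THREATS = [  # constructed ratings for the slides' six web examples
    Threat("Stolen JWT or session cookie", "Spoofing", 8, 7, 5, 7, 6),
    Threat("SQL injection alters DB", "Tampering", 9, 9, 6, 9, 7),
    Threat("Missing or editable logs", "Repudiation", 4, 10, 8, 3, 3),
    Threat("Misconfigured storage leak", "Information Disclosure", 8, 10, 9, 8, 6),
    Threat("Bot-driven login floods", "Denial of Service", 5, 10, 9, 6, 9),
    Threat("Broken admin role checks", "Elevation of Privilege", 9, 9, 7, 6, 6),
]
```

Calling prioritize(WEB_THREATS) puts the storage leak and SQL injection at the top and the logging gap last, which is the ordering the Plan Mitigations step works through.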
Tools & Resources
Diagramming Tools
OWASP Threat Dragon, Microsoft Threat Modeling Tool
Code-Based Libraries
PyTM, threatspec, Threagile
Documentation
OWASP Cheat Sheet, NIST SP800-154, Threat Modeling Manifesto
Case Study – Laravel Debug XSS
Issue
Laravel 11.9–11.35 debug mode error page had reflected XSS
Cause
Debug page used {!! $exception->requestBody() !!} without escaping
Result
An attacker can craft a URL that executes JavaScript on the error page
Fix
Never ship with debug on; Laravel patched this in 11.36+
Laravel Security Best Practices
Secure Configuration
APP_DEBUG=false in production
Key Protection
Generate and protect APP_KEY
Prevent SQL Injection
Use Eloquent ORM / query builder
Mass-Assignment Protection
Use $fillable or $request->only()
Case Study – WordPress Plugin Attacks
302 New Vulnerabilities
WP plugin/theme vulnerabilities in one week (Oct 2024)
Millions of Sites at Risk
Data theft, site takeover potential
Scenario
June 2024 – Malicious code injected into popular WP plugins
Mechanism
Supply-chain style breach (compromised dev environment)
Lesson
Always model third-party risks (plugins, Composer packages)
Frameworks: Symfony & WordPress Tips
Symfony
Use CSRF tokens on forms
Doctrine parameter binding
Security firewalls/guard authenticators
WordPress
Keep core & plugins updated
Use esc_html()/wp_kses() for output
Use current_user_can() for capabilities
General PHP
Validate/sanitize all input
Use HTTPS/TLS
Follow OWASP PHP security guides
Key Takeaways
Shift Security Left
Make security part of design and coding
Use STRIDE/DREAD
Systematically identify and rank threats
Stay Current
Revise models as your PHP app evolves
Leverage Resources
OWASP, NIST, community best practices
Be Practical
Simple checks stem from modeling
About the Speaker
Experience
Cybersecurity expert specializing in PHP, infrastructure, and AI/ML
Background
Security consultant and developer
Research
Active contributor to OWASP and PHP security community
Thank You / Q&A
Questions Welcome
eric@eamann.com
Slides and additional materials available online