Let’s Go Threat Modelling

Richard Adams's profile
Richard Adams

Quality Coach

Challenge Description

This activity is an opportunity to learn how to adopt threat modelling and what a session might look like, using Richard Adams’s card game. The goal is to show you how Threat Modelling works and also that threat modelling isn't for security engineers or lead developers. If anything, the tester mindset gives us the advantage. 

Instructions:

  1. Download the “Threat Model” and “Threat Modelling Table” handouts that accompany this activity.

  2. Go through each of the “Threat Agent” entries in the “Threat Modelling” table and identify a type of attack that might be carried out for each one.

For example, for Denial of Service, we could suggest that a DDOS attack in which a Web API is flooded with requests might be an attack to be concerned about.

Tip: Find resources online or discuss with one another what each of the threat types are and what types of attacks might be connected to them.

Wrap-up:

This activity shows how creating a model of a system and then applying the STRIDE mindset, can help us pick out potential threats. As testers we’re good at identifying risks and that skillset comes in handy when assessing for security threats, even if you might not know how to execute them.

What you’ll learn
  • Analyse visual models to spot security threats
  • Use STRIDE mnemonic to break down each of the types of threats

Prerequisites

This activity requires that you download the following documents:

Resources

RiskStorming image
An educational tool to explore Risk Analysis and Quality Strategy building with the whole team.
Explore MoT
TestBash Brighton 2025 image
Wed, 1 Oct 2025
On the 1st & 2nd of October, 2025 we'll be back to Brighton for another TestBash: the largest software testing conference in the UK
The Complete Guide To CSS Selectors
Learn how to create robust CSS selectors for your automation and much more...
This Week in Testing
Debrief the week in Testing via a community radio show hosted by Simon Tomes and members of the community