Threat Model Thursday: Data Flow Diagrams

This week’s threat model Thursday looks at an academic paper, Security Threat Modeling: Are Data Flow Diagrams Enough? by Laurens Sion and colleagues. The short (4 page), readable paper looks at the strengths and weaknesses of forms of DFDs, and what we might achieve with variations on the form and different investments of effort. I take issue with the framing of ‘enough’, as if there’s a single definition of enough that’s enough for all of us, but that’s the authors’ choice. Anyone who thinks deeply about how threat modeling works will benefit from reading the paper and thinking about how those tradeoffs work for their organization.

Also interesting is their discussion of the meaning of a trust boundary. They lay out three meanings:

  1. Levels of trust
  2. Assumptions of attacker capabilities
  3. Deployment information

I think there’s a 4th meaning of trust boundary, which is a trust boundary indicates separation of principals by some control, and the boundary is instantiated by the control. All of these are facets of the same thing, but that doesn’t tell us what a trust boundary is, it tells us what we mean by it or what it indicates.

Another way of saying that is the boundary is ‘the place’ where the principals interact, but consider my diagram with an API endpoint and two boundaries. From the perspective of the client, the clients are mutually mistrustful, but does the server care about that distinction? Perhaps it does – the server probably wants to keep client data segregated. The clients want the same, but after it’s crossed the boundary, by definition, that’s a matter of trust (or encryption).

So two takeaways for today: first, go read “Are Data Flow Diagrams Enough?” Second, please tell me what a trust boundary means to you.

Proper, academic citation: Laurens Sion, Koen Yskout, Dimitri Van Landuyt, Alexander van den Berghe, Wouter Joosen, Security Threat Modeling: Are Data Flow Diagrams Enough?, 1st International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS), In EEE/ACM 42nd International Conference on Software Engineering Workshops (ICSEW’20), Seoul, South Korea, May 23-29, 2020.

1 Comment on "Threat Model Thursday: Data Flow Diagrams"


  1. They start out by saying that DFDs don’t directly address all uses, and then end by saying that maybe no modeling language can address the entire spectrum of uses???
    And they justify their positions by referencing their own previous paper!! Gotta love that. 🙂
    But there are some nuggets of truth in the paper. We use the TMT tool for medical devices and as such have created a new TB7 template to more specifically address items utilized in medical devices, this specificity lowers the number of false positives that STRIDE generates as compared to more abstract constructs. (i.e. spoofing a JTAG port on a microcontroller isn’t a real vulnerability!). Anyway, to answer your question, in my domain, a trust boundary means the physical medical device.

Comments are closed.