Building Safer Systems — Threat Modeling in Practice
“Amateurs hack systems; professionals hack people — and processes.”
This post walks through a minimal, repeatable threat-modeling loop I use on most engagements.
Loop
- Scope assets and trust boundaries
- Enumerate attacker goals and capabilities
- Prioritize by exploitability × impact
- Design mitigations and validations
- Validate assumptions with quick experiments
Example: Session Confusion
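# PoC to detect stray cookies across subdomains (-s hides curl's progress meter)
curl -sI https://app.example.com | grep -i set-cookie
curl -sI https://api.example.com | grep -i set-cookie
// List the cookies script can read on the current page, in the browser console.
// document.cookie exposes only name=value pairs (no HttpOnly cookies, no SameSite or Path),
// so read those attributes from the Set-Cookie headers above or the DevTools cookie view.
document.cookie.split(';').map(s=>s.trim()).forEach(c=>console.log(c))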
If a cookie must be sent cross-site, treat it like an API key (scoped, rotated, monitored).
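An added example, not part of the original post: a Node.js script that takes the Set-Cookie lines printed by the two curl commands and flags cookies whose Domain attribute makes them visible to the other subdomain, or whose SameSite is missing or set to None. The header values are constructed sample data, and the function names are illustrative.

```javascript
// Constructed sample: Set-Cookie lines as the two curl commands above might print them.
const captured = {
  "app.example.com": [
    "Set-Cookie: session=abc123; Domain=example.com; Path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=dark; Path=/; SameSite=Lax",
  ],
  "api.example.com": [
    "Set-Cookie: api_token=xyz789; Path=/v1; Secure; HttpOnly; SameSite=Strict",
    "Set-Cookie: track=1; Domain=.example.com; Path=/; Secure; SameSite=None",
  ],
};

// Parse one Set-Cookie line into its name and a lower-cased attribute map.
function parseSetCookie(line) {
  const parts = line.replace(/^set-cookie:\s*/i, "").split(";").map(s => s.trim()).filter(Boolean);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    attrs[(i < 0 ? p : p.slice(0, i)).toLowerCase()] = i < 0 ? true : p.slice(i + 1);
  }
  return { name: parts[0].split("=")[0], attrs };
}

// True when a cookie carrying this Domain attribute is also sent to `host`.
function domainCovers(domainAttr, host) {
  const d = domainAttr.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Flag cookies visible to another audited host, or with missing/loosened SameSite.
function auditCookies(byHost) {
  const hosts = Object.keys(byHost);
  const findings = [];
  for (const [host, lines] of Object.entries(byHost)) {
    for (const { name, attrs } of lines.map(parseSetCookie)) {
      const issues = [];
      // Without Domain the cookie is host-only; with it, every matching subdomain receives it.
      const others = typeof attrs.domain === "string"
        ? hosts.filter(h => h !== host && domainCovers(attrs.domain, h)) : [];
      if (others.length) issues.push("shared with " + others.join(","));
      if (!attrs.samesite) issues.push("no SameSite");
      else if (String(attrs.samesite).toLowerCase() === "none") issues.push("SameSite=None");
      if (issues.length) findings.push({ host, name, path: attrs.path || "(default)", issues });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditCookies(captured), null, 2));
```

Each finding also carries the cookie's Path so a broad `/` scope on a shared cookie stands out during review.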
Checklist
- Does auth rely on origin? On path? On headers?
- Can refresh tokens be replayed across subdomains?
- How are logouts and rotations validated?
Conclusion: reduce ambient authority; explicitly scope tokens; prefer signed, narrow claims.