Brainstorming Potential Threats

With assets identified, shift perspective to think like an attacker. What would you target? How would you attempt to compromise each asset? This creative process, often called "evil brainstorming," generates a list of potential threats to evaluate. Don't self-censor during brainstorming—capture all ideas, even those that seem unlikely or difficult to execute.

Start with common attack patterns. Could an attacker use SQL injection to access your database? Might cross-site scripting (XSS) allow session hijacking? Could weak passwords enable unauthorized access? These well-known attacks remain effective because they exploit common vulnerabilities. Apply each pattern to your system components and data flows, noting where they might succeed.

Consider insider threats and accidents alongside external attacks. Could a disgruntled employee delete critical data? Might a well-meaning administrator accidentally expose sensitive information? Would a lost laptop containing cached data create risks? These scenarios often receive less attention than external attacks but can cause equal or greater damage.

Think about business logic attacks specific to your application. In an e-commerce system, could someone manipulate prices during checkout? Might concurrent transactions create race conditions allowing double-spending? Could session management flaws allow one user to access another's account? These application-specific threats require understanding your system's unique functionality and potential abuse cases.