Identify privacy threats in software systems
LINDDUN
PRIVACY THREAT MODELING
New: Enhanced LINDDUN GO
With the redesigned LINDDUN GO threat cards, navigating the privacy threat analysis process has never been more effective.
A framework for
privacy threat modeling
LINDDUN is a recognized privacy threat modeling framework, developed by privacy experts at KU Leuven. It offers mature support to identify and mitigate privacy threats early in the development lifecycle. Adopting LINDDUN can therefore help build privacy into the system’s core.
Privacy is increasingly important, yet often misunderstood. It revolves around the key LINDDUN privacy threat types of Linking, Identifying, Non-repudiation, Detecting, Data Disclosure, Unawareness, Non-compliance.
Put your trust in LINDDUN to guide you through the privacy analysis of your system. Benefit from LINDDUN’s extensive support: its privacy threat types, threat trees, and methods.
Free privacy threat modeling approach
Systematic and proven method
Extensive privacy knowledge support
During design and development
Beyond checkbox compliance
Multiple LINDDUN flavors: from lean to in-depth
why use linddun?
LINDDUN supports a rich set of privacy threats
The LINDDUN framework provides a rich catalog of privacy-specific threat types to investigate a wide range of complex privacy design issues. Together, the types Linking, Identifying, Non-repudiation, Detecting, Data Disclosure, Unawareness, and Non-compliance, form the acronym LINDDUN.
LINDDUN investigates the privacy posture of YOUR system
What is great about LINDDUN is that you can apply it to an actual software system for a thorough investigation. Adopting LINDDUN throughout the software design phase, helps you to uncover and fix relevant privacy gaps.
LINDDUN is a practical method
LINDDUN offers systematic but practical approaches to help you assess the privacy posture of your software system. Its outcome reflects how mature your system is regarding privacy concerns, exposes the remaining privacy gaps, and points to relevant privacy enhancing techniques and countermeasures.
LINDDUN aligns with the GDPR's privacy-by-design
LINDDUN’s threat-based method complements the purely legal analysis of GDPR by zooming in on privacy threats in the system’s architecture from a more technical angle. It contributes to your compliance efforts by supporting the technical implementation of privacy-by-design.
LINDDUN is compatible with STRIDE
Teams already familiar with security threat modeling approaches such as STRIDE, will find it easy to adopt LINDDUN, as it follows the same principles. As privacy and security threat modeling have much in common and require the same system model as a starting point, it is possible to perform both in parallel, increasing your return on investment.
LINDDUN supports threat mitigation
After using LINDDUN to identify privacy flaws in your software system, you need to find ways to remediate them. To do this, LINDDUN offers support in the form of mitigation strategies and a catalog of privacy enhancing technologies (PETs). For each privacy threat, LINDDUN offers a suitable mitigation strategy, and links this to relevant technical solutions.
GO - PRO - MAESTRO
To serve different needs, LINDDUN comes in various flavors. These approaches vary in complexity and comprehensiveness, ranging from lean to in-depth analysis. Choose the method that best fits your needs!
Acknowledged threat modeling approach
The LINDDUN privacy threat methodology was first published by KU Leuven in 2010 and has greatly improved since then. It has been widely used and acknowledged by various authorities.
Privacy by Design
In our technology-driven world, where information is increasingly shared, privacy is often at risk. There’s a growing understanding that privacy is best protected when it’s built into the core of our systems, services, and business processes. Privacy-by-design ensures that privacy features are directly embedded into the design at an early stage, and not bolted on afterwards.
get started with privacy threat modeling!
Let LINDDUN help you investigate your system architecture for privacy threats.
LINDDUN
GO
LINDDUN
PRO
LINDDUN
MAESTRO
LINDDUN GO takes on a lean, cross-team approach in finding privacy issues. GO comes in the form of a card deck representing the most common privacy threats, with the key hotspots to look for in your system. These self-contained cards will guide you through the privacy assessment.
Best performed in a structured brainstorming setting with a diverse team of privacy enthusiasts.
LINDDUN PRO takes on a systematic and exhaustive approach in finding privacy issues. Starting point is a DFD system abstraction, where you focus on all interactions between DFD elements and investigate potential privacy threats. Available knowledge support: privacy threat types, privacy threat trees, mapping table.
PRO allows you to leverage tooling to automate your analysis activities.
LINDDUN MAESTRO takes on a systematic and exhaustive approach in finding privacy issues by leveraging an enriched system description to enable more precise threat elicitation. Starting point is a threat-specific system abstraction, to support the advanced analysis for threats of that particular type.
More info coming soon.
WHAT IS THREAT MODELING?
When threat modeling, we ask 4 basic questions*:
1. What are we working on?
Before you can think about what can go wrong, you need to understand the system under analysis. Start with creating a model of the system, i.e. a representation of the system’s key elements.
2. What can go wrong?
Analyze the system model to identify potential privacy threats.
This is where LINDDUN provides help, with its threat types, trees, elicitation methods, and more.
3. What are we going to do about it?
Now you need to tackle the identified privacy threats: prioritize them by assessing the risks and address the threats.
4. Did we do a good job?
Reflect on your work: reiterate and refine if needed.
* The Threat Modeling Manifesto summarizes the principles and values of threat modeling