Internet-based services, like cloud applications, increasingly become the target of cyber attacks. These attacks can range from data breaches of personal information to loss of data or severe financial damages. As a result, cybersecurity is a top priority for providers and users of these services. The networking layer plays a critical role in achieving security. Traditionally network functions that secure communications (for example firewalls or traffic encryption) are dedicated hardware appliances. Network function virtualization (NFV) is an emerging network architecture concept that utilizes virtualization to execute software implementations of network functions on standard IT infrastructure. Virtual Network Functions (VNFs) therefore become virtual software components that are usable in conjunction with conventional cloud application components. The Topology and Orchestration Specification for Cloud Applications (TOSCA) is an OASIS standard to describe and manage cloud applications. A recent addition to the standard explicitly targets NFV based topologies. However, the standard does not make any assumptions on potential security problems and how to achieve enhanced security. This thesis proposes a TOSCA based modeling concept to establish a connection between security threats of application topologies and VNFs that can mitigate these threats. The industry standard practice of threat modeling using the STRIDE method is employed to assess threats in application topologies. Based on present threats and available VNFs, automated recommendations can be made which VNFs should be used to enhance the security of cloud applications. A prototypical implementation in the context of Eclipse Winery, a modeling tool for TOSCA definitions, is used to validate the approach.