threatmodel.md

Threat Modeling & Risk Assessment

Table of Contents

Threat Modeling

• Threat Modeling Book

• OWASP App Threat Modeling

• Evil User Stories

• OWASP ASVS

• Mozilla Rapid Risk Assessment

• https://www.turnkeyconsulting.com/information-security-risk-assessment

  • https://www.isaca.org/Journal/archives/2010/Volume-1/Pages/Performing-a-Security-Risk-Assessment1.aspx

• Application Threat Modeling using DREAD and STRIDE - Haider Mahmood

• Dark Matter and Measuring Security - Crispin Cowan https://web.archive.org/web/20141118061526/http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf

• ThreatPlaybook

  • A unified DevSecOps Framework that allows you to go from iterative, collaborative Threat Modeling to Application Security Test Orchestration
  • Homepage

• Threat Modeling: 12 Available Methods - Nataliya Shevchenko

• Draw.io for threat modeling - Michael Henriksen https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html

• The Security Principles of Saltzer and Schroeder - Adam Shostack & Friends

• Towards Improving CVSS - J.M. Spring, E. Hatleback, A. Householder, A. Manion, D. Shick - CMU

http://plantuml.com/

---

Threat Modeling

• Articles/Papers/Writeups
  • Statement for the Record Worldwide Threat Assessment of the US Intelligence Community Senate Select Committee on Intelligence
  • Why your threat model is probably wrong - Cyberwar
  • 7 Steps to Threat Modeling
• Talks & Presentations
  • The Triple A Threat: Aggressive Autonomous Agents - the grugq
  • A Hacker's Guide to Risk
  • Global Adversarial Capability Modeling
  • Adam Shostack - Pentesting: Lessons from Star Wars
    • Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven’t panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It’s designed to help security pros, especially pen testers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively on offense or defense.
  • Threat Modeling - Jim DelGrosso
  • Threat Modeling 101 - Dan Tentler
• Threat Modeling Methodologies
  • OCTAVE
  • PASTA
  • STRIDE
    • STRIDE (security) - Wikipedia
      • STRIDE is a model of threats developed by Praerit Garg and Loren Kohnfelder at Microsoft for identifying computer security threats. It provides a mnemonic for security threats in six categories.
    • Guerrilla Threat Modelling (or 'Threat Modeling' if you're American)
  • TRIKE
  • VAST
• Tools
  • seasponge - Mozilla Project
    • Accessible and client-side threat modeling tool
    • GIFs demonstrating usageOn Comparing Threat Intelligence Feeds
  • ThreadFix
    • ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
  • ThreadFix
    • ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.