To make this process easier, I usually recommend using the simple '1 page Threat Model', which you can see on the right (download here).
The idea is to kickstart the process by mapping out the:
- Data Flow Diagrams (i.e. app architecture)
- Entry Points (i.e. attack surface)
- Assets (i.e. what is valuable and needs to be protected)
- External Dependencies and Trust Levels
- Threats
Two other great sources of resources for first steps in Threat Modelling are Microsoft's At a Glance: Web Application Threat Modeling and OWASP's Application Threat Modeling pages.