Friday 4 March 2016

Simple Threat Model (template) - Good place to start

When teaching about Threat Models, the most common question I get is 'How do I start?'.

To make this process easier, I usually recommend using the simple '1 page Threat Model', which you can see on the right (download here).

The idea is to kickstart the process by mapping out the:

  1. Data Flow Diagrams (i.e. app architecture)
  2. Entry Points (i.e. attack surface)
  3. Assets (i.e. what is valuable and needs to be protected)
  4. External Dependencies and Trust Levels
  5. Threats

Other great resources for first steps in Threat Modelling are Microsoft's At a Glance: Web Application Threat Modeling and OWASP's Application Threat Modeling pages.
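
Once the five sections listed above are filled in, a quick cross-check shows where the page is still thin. The following is an added example, not part of the original template: the field names, the `review` function and the sample web shop are all constructed for illustration.

```python
# Added example: lint a one-page threat model kept as plain data.
# The field names and the sample web shop are constructed for illustration.
SECTIONS = ("data_flows", "entry_points", "assets", "dependencies", "threats")

MODEL = {
    "data_flows": [("browser", "web_app"), ("web_app", "orders_db"),
                   ("web_app", "payment_api")],
    "entry_points": {"login_form": "anonymous", "admin_panel": "admin",
                     "orders_api": "authenticated_user"},
    "assets": ["user_credentials", "order_history", "payment_tokens"],
    "dependencies": {"orders_db": "internal", "payment_api": "third_party"},
    "threats": [
        {"title": "Credential stuffing against login",
         "entry_point": "login_form", "asset": "user_credentials"},
        {"title": "Order data exposed via ID tampering",
         "entry_point": "orders_api", "asset": "order_history"},
    ],
}

def review(model):
    """Return a list of gaps: empty sections, dangling references, unmapped items."""
    gaps = [f"section '{s}' is empty" for s in SECTIONS if not model.get(s)]
    entry_points = model.get("entry_points", {})
    assets = model.get("assets", [])
    threats = model.get("threats", [])
    for name, level in entry_points.items():
        if not level:
            gaps.append(f"entry point '{name}' has no trust level")
    # Every external dependency should appear somewhere in the data flows.
    nodes = {n for flow in model.get("data_flows", []) for n in flow}
    for dep in model.get("dependencies", {}):
        if dep not in nodes:
            gaps.append(f"dependency '{dep}' is missing from the data flows")
    # Every threat should point at an entry point and an asset that exist.
    for t in threats:
        if t.get("entry_point") not in entry_points:
            gaps.append(f"threat '{t['title']}' names unknown entry point")
        if t.get("asset") not in assets:
            gaps.append(f"threat '{t['title']}' names unknown asset")
    # Assets and entry points with no threat recorded are the open questions.
    covered_assets = {t.get("asset") for t in threats}
    covered_entries = {t.get("entry_point") for t in threats}
    gaps += [f"asset '{a}' has no threat recorded" for a in assets
             if a not in covered_assets]
    gaps += [f"entry point '{e}' has no threat recorded" for e in entry_points
             if e not in covered_entries]
    return gaps

if __name__ == "__main__":
    for gap in review(MODEL):
        print("GAP:", gap)
```

The gaps it reports are prompts for the next threat modelling session rather than findings in their own right.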