Awesome

awesome-threat-modeling

A curated list of useful threat modeling and risk management resources. Please feel free to contribute.

Table of Contents

1. General
2. Data Flow Diagrams
3. Threat Enumeration
4. Prioritization Methodologies
5. Conference Talks
6. Books
7. Tools

General

• OWASP page on Application Threat Modeling
• OpenSAMM Threat Assessment
• Microsoft threat modeling posts

Data Flow Diagrams

• Presentation (PDF) with very good introduction to DFDs
• DFD Example and explanation

Good tools for generating DFDs:

• graphviz
• draw.io
• TikZ

Threat Enumeration

• STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege)
• Attack Trees

Prioritization Methodologies

• DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)

Conference Talks

• Rapid Threat Modeling - Akshay Aggarwal - Blackhat USA (2005)
• Elevation of Privilege: The easy way to threat model Part 1 and Part 2 - Adam Shostack - Blackhat (2010)
• Threat Modeling Best Practices - Robert Zigweid - AppSecUSA (2010)
• Threat Modeling: Lessons from Star Wars - Adam Shostack - Brucon (2014)
• Incremental Threat Modeling - Irene Michlin - AppSecEU (2017)
• Threat Modeling with PASTA - Tony UcedaVelez - AppSecEU (2017)
• Value Driven Threat Modeling - Avi Douglen - AppSecUSA (2018)
• Threat Modeling Toolkit - Jonathan Marcil - AppSecCali (2018)
• Lessons From The Threat Modeling Trenches - Brook Schoenfield - AppSecCali (2018)
• Threat Model as Code - Abhay Bhargav - AppSecUSA (2018)
• Threat Modeling at speed and scale - Stuart Winter-Tear - DevSecCon London (2018)
• Threat Modeling: uncover vulnerabilities without looking at code - Chris Romeo - NDC (2018)
• Threat Modeling in 2018 - Adam Shostack - Blackhat USA (2018)
• Threat Modeling in 2019 - Adam Shostack - RSA Conference (2019)
• Offensive Threat Models Against the Supply Chain - Tony UcedaVelez - AppSecCali (2019)
• Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team - Izar Tarandach - AppSecCali (2019)
• Game On! Adding Privacy to Threat Modeling - Adam Shostack, Mark Vinkovits - AppSecCali (2019)
• Adaptive Threat Modeling - Aaron Bedra - GOTO Chicago (2017)

Books

• Shostack, Threat Modeling: Designing for Security
• NIST, Guide to Data-Centric System Threat Modeling

Tools

• Microsoft TMT
• OWASP Threat Dragon
• Mozilla Seasponge
• IriusRisk
• eramba
• Elevation of Privilege (EoP) Threat Modeling Card Game
• Threat Playbook
• pytm
• ThreatSpec
• Threat Model SDK
• TaaC-AI