Threat Modelling

Threat modelling session

Pick a Use Case
- Start with one or two use cases at most
- Start with the authentication use case as well as one of the main flows of the application

Draw a DFD of the Use Case
- A DFD shows how data flows through the system and which apps/dbs are involved
- Draw your applications (processes), databases or other important data assets, data flows and actors
  - circle: processes (apps)
  - double circle: collection of services
  - open rectangles: assets (dbs, files, queues, logs, etc.)
  - dotted lines: trust boundaries

Discuss the Security Risks
- For each asset passing through your data flow:
  - go through a checklist (e.g. STRIDE) and discuss potential security risks
  - rate each risk (e.g. by likelihood and impact)
- For each risk that you find:
  - list it with a reference to the element, a short description, the likelihood of it occurring (Low, Medium, High), the impact on your system (Low, Medium, High) and a proposed mitigation

Implement Security Controls
- Discuss and decide what you will do about each risk

Diagrams

Data Flow Diagrams

Attack Trees
- Not every type of threat maps easily to the ‘STRIDE’ model
- Attack trees offer a different way of looking at threats, which may not surface during the STRIDE questions
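Added example, not part of the original notes: a small attack tree evaluated bottom-up. Leaves carry an estimated attacker cost, OR nodes take the cheapest child (the attacker needs only one route) and AND nodes sum their children (the attacker needs all of them). Re-evaluating the tree after marking a leaf as mitigated shows which control raises the cheapest path the most, which is the question a threat-modelling session wants answered. The tree, node names and cost figures are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed example: an attack tree whose leaves carry an estimated
# attacker cost (arbitrary units). OR nodes need only one child (take the
# minimum), AND nodes need every child (take the sum). Marking a leaf as
# mitigated makes it infeasible, so re-evaluating the tree shows how much
# each control raises the cost of the cheapest path.

@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "LEAF", "AND" or "OR"
    cost: float = 0.0                  # leaves only
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False            # leaves only

    def total_cost(self) -> float:
        if self.kind == "LEAF":
            return float("inf") if self.mitigated else self.cost
        costs = [c.total_cost() for c in self.children]
        if self.kind == "OR":
            return min(costs)
        if self.kind == "AND":
            return sum(costs)
        raise ValueError(f"unknown node kind: {self.kind}")

    def cheapest_path(self) -> List[str]:
        """Leaf names on the cheapest route to this node's goal."""
        if self.kind == "LEAF":
            return [self.name]
        if self.kind == "OR":
            best = min(self.children, key=lambda c: c.total_cost())
            return best.cheapest_path()
        path: List[str] = []
        for c in self.children:
            path.extend(c.cheapest_path())
        return path

    def mitigate(self, leaf_name: str) -> bool:
        """Mark the named leaf as mitigated; returns True if it was found."""
        if self.kind == "LEAF":
            if self.name == leaf_name:
                self.mitigated = True
                return True
            return False
        return any(c.mitigate(leaf_name) for c in self.children)


def build_tree() -> Node:
    """Root goal with two alternative routes (constructed names and figures)."""
    return Node("Read another user's records", "OR", children=[
        Node("Act with a valid session", "AND", children=[
            Node("Obtain a user's password", "OR", children=[
                Node("Guess a weak password", cost=2),
                Node("Reuse a leaked credential", cost=3),
            ]),
            Node("Defeat the second factor", cost=8),
        ]),
        Node("Bypass the object-level authorization check", cost=5),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print(tree.total_cost(), tree.cheapest_path())
    # Adding the missing authorization check closes the cheapest route;
    # the tree now tells us the next control to look at is password policy.
    tree.mitigate("Bypass the object-level authorization check")
    print(tree.total_cost(), tree.cheapest_path())
```

The cost figures are only relative estimates agreed in the session; the value of the tree is in the ordering it produces, not in the numbers themselves.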

pyTM Template (the closing brace of each repeat block sits on its own line so that every generated row ends with a newline):
# Title
## System Description
{tm.description}
## Dataflow Diagram

## Dataflows
| Name | From | To | Data | Protocol | Port |
| --- | --- | --- | --- | --- | --- |
{dataflows:repeat:| {{item.name}} | {{item.source.name}} | {{item.sink.name}} | {{item.data}} | {{item.protocol}} | {{item.dstPort}} |
}
## Potential Threats
{findings:repeat:* {{item.description}} on element "{{item.target}}"
}
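Added example that ties the session steps above to the report layout of the template: a hand-rolled model (not pytm's own code) of a login use case with DFD elements, trust boundaries and dataflows, the STRIDE categories the checklist asks about per element type, Low/Medium/High ratings, one mechanical check for flows that cross a trust boundary without transport encryption, and a Markdown renderer that produces the same System Description, Dataflows and Potential Threats sections the pyTM template does. The elements, flows, findings and the set of protocols treated as encrypted are constructed assumptions for illustration; the per-element STRIDE mapping is the standard one from the threat-modelling literature.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed example, not pytm: a minimal threat model with DFD elements,
# trust boundaries, a STRIDE checklist per element type, Low/Medium/High
# ratings and a Markdown report shaped like the pyTM template.

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Standard STRIDE-per-element mapping: which categories the checklist
# asks about for each element type.
CHECKLIST: Dict[str, str] = {
    "actor": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}
CATEGORY_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                  "I": "Information disclosure", "D": "Denial of service",
                  "E": "Elevation of privilege"}
ENCRYPTED_PROTOCOLS = {"HTTPS", "TLS", "SSH"}   # assumption for this model


@dataclass
class Element:
    name: str
    kind: str        # "actor", "process" or "datastore"
    boundary: str    # trust boundary (the dotted line in the DFD)


@dataclass
class Dataflow:
    name: str
    source: Element
    sink: Element
    data: str
    protocol: str
    dst_port: int

    def crosses_boundary(self) -> bool:
        return self.source.boundary != self.sink.boundary


@dataclass
class Finding:
    element: str
    category: str
    description: str
    likelihood: str   # Low / Medium / High
    impact: str       # Low / Medium / High
    mitigation: str

    def score(self) -> int:
        # likelihood x impact, used only to order the register
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def checklist_for(kind: str) -> List[str]:
    """STRIDE questions to walk through for one element type."""
    return [CATEGORY_NAMES[c] for c in CHECKLIST[kind]]


def boundary_findings(flows: List[Dataflow]) -> List[Finding]:
    """Mechanical check: a flow crossing a trust boundary without
    transport encryption is exposed to disclosure and tampering."""
    out: List[Finding] = []
    for f in flows:
        if f.crosses_boundary() and f.protocol.upper() not in ENCRYPTED_PROTOCOLS:
            out.append(Finding(f.name, "Information disclosure",
                               f"{f.data} sent in cleartext across trust boundary "
                               f"{f.source.boundary} -> {f.sink.boundary}",
                               "High", "High", f"Use TLS for {f.name}"))
            out.append(Finding(f.name, "Tampering",
                               f"{f.data} can be modified in transit",
                               "Medium", "High", f"Use TLS for {f.name}"))
    return out


def render_report(description: str, flows: List[Dataflow],
                  findings: List[Finding]) -> str:
    """Markdown with the same sections as the pyTM template, highest-rated threats first."""
    lines = ["# Threat model", "## System Description", description, "",
             "## Dataflows",
             "| Name | From | To | Data | Protocol | Port |",
             "| --- | --- | --- | --- | --- | --- |"]
    for f in flows:
        lines.append(f"| {f.name} | {f.source.name} | {f.sink.name} | "
                     f"{f.data} | {f.protocol} | {f.dst_port} |")
    lines += ["", "## Potential Threats"]
    for t in sorted(findings, key=lambda x: -x.score()):
        lines.append(f'* [{t.category}] {t.description} on element "{t.element}" '
                     f"(likelihood {t.likelihood}, impact {t.impact}; "
                     f"mitigation: {t.mitigation})")
    return "\n".join(lines)


def build_model() -> Tuple[str, List[Dataflow], List[Finding]]:
    """Constructed login use case: one actor, one process, one datastore."""
    user = Element("User", "actor", "Internet")
    web = Element("Web App", "process", "DMZ")
    db = Element("Users DB", "datastore", "Internal")
    flows = [
        Dataflow("login", user, web, "credentials", "HTTPS", 443),
        Dataflow("lookup user", web, db, "password hash", "TCP", 5432),
    ]
    findings = boundary_findings(flows)
    # a risk recorded from discussion rather than from the mechanical check
    findings.append(Finding("Web App", "Repudiation", "Login attempts are not logged",
                            "Medium", "Medium",
                            "Write an audit log with user id, time and result"))
    return "Login flow of the example web application", flows, findings


if __name__ == "__main__":
    print(render_report(*build_model()))
```

Only the trust-boundary check is automated here; the other STRIDE questions from checklist_for() are answered in the session and recorded as Finding entries, which is the same division of labour as filling in a pyTM model by hand and letting the template render it.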