Threat model guide

Track: Threat Model
When: Thu PM-1
Where: Kings
Organizers: Steven Wierckx
Participants: Adam Shostack, Aurelijus Stanislovaitis, Fraser Scott, Sara Davis, Stuart Winter-Tear, Tash Norris

WHY

People are clueless on how to start with threat modeling. I propose we create a guide in the style of ASVS where we show in different levels what the steps are that can be done for threat modeling depending on the need and/or maturity of the organisation.

What

A guide with some levels such as:

  level 0: you are not doing TM, or only something ad hoc
  level 1: you are answering some of the 4 questions, but not in a structured way
  level 2: you do a full 4 question TM for one product
  level 3: you have integrated the full TM in the SDLC and vary the amount/level of the TM according to the risk appetite of that application/system/product

Outcomes

The table of contents for the guide and some content.

References

https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
