Threat Modeling and tools
Threat modeling is analyzing representations of a system to highlight concerns about security and privacy characteristics.
At the highest levels, when we threat model, we ask four key questions:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
-
What are we working on?
- create project
- create trusted zone
- add all component to zone
- add data flow between component
-
What can go wrong?
- find all threats manual
- we can use iriusrisk for automation find threat
-
What are we going to do about it?
- review weakness
- find countermeasures
-
Did we do a good enough job?
- upload issuse to jira
- use iriusrisk to synk issue with azure devops
by default all countermeasures type is :recommended we can user security standard like OWASP & NIST to change status to required
recommended -> required -> implemented
Tools which helps in threat modelling.
- OWASP Threat Dragon - An online threat modelling web application including system diagramming and a rule engine to auto-generate threats/mitigations.
- drawio-threatmodeling - A collection of custom libraries to turn the free and cross-platform Draw.io diagramming application into the perfect tool for threat modeling.
- Irius risk - Iriusrisk is a threat modeling tool with an adaptive questionnaire driven by an expert system which guides the user through straight forward questions about the technical architecture, the planned features and security context of the application.