Threat modeling is often considered a key activity in the SDL (Secure Development Lifecycle). It is a family of activities for improving security by identifying objectives and vulnerabilities and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. A threat is a potential or actual undesirable event that may be malicious (such as a DoS attack) or incidental (such as the failure of a storage device). Threat modeling is a planned activity for identifying and assessing application threats and vulnerabilities.
Feel free to use the following poster in your threat modeling sessions. (c) Marlene Herr
A more detailed step-by-step guide is soon to come.
Visualize the system architecture together with the team. You can prepare the big picture beforehand, but in our experience you should always go through it together with the team to make sure no connections to surrounding systems are missed.
Specify the assets the system possesses and the actors who use the system.
In this step you should clarify whether each connection is trusted (green) or not trusted (red). See the illustration at steps 1 and 3.
Identify threats based on the steps before. Specify each one as an evil user story:
As [actor] I do [attack] to damage [asset]
Try to be as specific as possible; only then can you prioritize and mitigate the threat. A user story like
As an attacker I DDoS the service
is too broad and very hard to find a specific countermeasure for.
Prioritization is an important step to make sure you only spend time discussing the most relevant threats. The prioritization criteria will be added and explained soon.
Based on the most critical criterion you should find a mitigation that lowers the risk. For example, if the most critical criterion is discover & respond, your main goal should be to get better at discovery/monitoring and at responding to that threat.
The biggest part of the next steps is documenting and implementing your countermeasures.
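The steps above can be captured as a small, checkable data model so that a session produces something more durable than a whiteboard photo. The following Python script is an added example and is not part of the poster or the guide; the web-shop system, its actors, assets and connections are constructed for illustration, and the three scoring criteria (impact, likelihood, detect & respond on a 1 to 3 scale), the risk formula and the criterion-to-mitigation mapping are assumed placeholders, since the page says its own prioritization criteria are still to come. It encodes the trust colour of each connection (step 3), validates that every evil user story names a known actor and a named asset so that vague stories like "As an attacker I DDoS the service" are flagged (step 4), checks that every red connection has at least one story, ranks the stories (step 5) and derives a mitigation focus from the most critical criterion (step 6).

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    trusted: bool  # True = green (trusted), False = red (not trusted)

@dataclass
class Threat:
    """One evil user story: As <actor> I do <attack> to damage <asset>."""
    actor: str
    attack: str
    asset: str
    impact: int          # 1 (low) .. 3 (high); assumed scale, not from the page
    likelihood: int      # 1 (rare) .. 3 (expected); assumed scale
    detect_respond: int  # 1 (would go unnoticed) .. 3 (detected and handled quickly); assumed

    def story(self) -> str:
        return f"As {self.actor} I {self.attack} to damage {self.asset}"

    def risk(self) -> int:
        # Assumed formula: impact and likelihood raise risk, good detection/response lowers it.
        return self.impact * self.likelihood * (4 - self.detect_respond)

    def most_critical_criterion(self) -> str:
        # Normalise every criterion to "badness" (higher = worse) and pick the worst one.
        badness = {
            "impact": self.impact,
            "likelihood": self.likelihood,
            "detect & respond": 4 - self.detect_respond,
        }
        return max(badness, key=badness.get)

# Assumed mapping of the most critical criterion to a mitigation goal (mirrors the
# page's own example: weak discover & respond -> improve monitoring and response).
MITIGATION_FOCUS = {
    "impact": "limit the blast radius (segmentation, least privilege, backups)",
    "likelihood": "add a preventive control (authentication, input validation, rate limiting)",
    "detect & respond": "improve discovery/monitoring and the response playbook",
}

@dataclass
class ThreatModel:
    actors: set[str]
    assets: set[str]
    connections: list[Connection]
    threats: list[Threat] = field(default_factory=list)

    def validate(self) -> list[str]:
        """Return problems: vague stories and red connections without a story."""
        problems = []
        for t in self.threats:
            if t.actor not in self.actors:
                problems.append(f"unknown actor '{t.actor}': {t.story()}")
            if t.asset not in self.assets:
                problems.append(f"'{t.asset}' is not a named asset, story is too broad: {t.story()}")
        for c in self.connections:
            if not c.trusted and not any(t.asset == c.dst for t in self.threats):
                problems.append(f"untrusted connection {c.src} -> {c.dst} has no threat story")
        return problems

    def prioritized(self) -> list[Threat]:
        """Highest assumed risk first."""
        return sorted(self.threats, key=Threat.risk, reverse=True)

    def mitigation_plan(self) -> list[tuple[str, str, str]]:
        """(story, most critical criterion, mitigation focus) in priority order."""
        return [(t.story(), t.most_critical_criterion(), MITIGATION_FOCUS[t.most_critical_criterion()])
                for t in self.prioritized()]

def build_sample_model() -> ThreatModel:
    # Constructed example system (a web shop); every name below is invented for this example.
    tm = ThreatModel(
        actors={"an anonymous internet user", "a logged-in customer", "an operator"},
        assets={"customer database", "payment API", "admin console"},
        connections=[
            Connection("internet", "payment API", trusted=False),
            Connection("internet", "admin console", trusted=False),
            Connection("payment API", "customer database", trusted=True),
        ],
    )
    tm.threats = [
        Threat("an anonymous internet user", "flood the checkout endpoint with requests",
               "payment API", impact=2, likelihood=2, detect_respond=1),
        Threat("a logged-in customer", "guess another customer's order id",
               "customer database", impact=3, likelihood=1, detect_respond=2),
        # The page's own "too broad" story: unknown actor, no named asset.
        Threat("an attacker", "DDoS", "the service", impact=1, likelihood=1, detect_respond=2),
    ]
    return tm

if __name__ == "__main__":
    model = build_sample_model()
    for problem in model.validate():
        print("PROBLEM:", problem)
    for story, criterion, focus in model.mitigation_plan():
        print(f"{story}\n  most critical: {criterion} -> {focus}")
```

Running the script lists three problems (the broad story twice, once for the unknown actor and once for the unnamed asset, plus the red connection to the admin console that has no story yet) and then prints the stories in risk order with the mitigation focus derived from each one's most critical criterion; the flood story, whose weakest point is detection and response, comes first with the monitoring-and-response goal from the page's example.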