Module 1 provides the basics of threat modeling, starting with an introduction to the security reviewer program and progressing through various aspects of creating and applying threat models. It emphasizes the importance of data-flow diagrams, context depth, and using a framework for identifying and mitigating threats, with each resource accompanied by an estimated completion time.
| Title | Abstract | Resource | Time |
|---|---|---|---|
| Onboarding Video | Principal Program Manager, Frank Simorjay welcomes you to the Security reviewer program and provides an overview of the program. | Threat Modeling reviewer program introduction | 10 min video |
| What is threat modeling? | Threat Modeling Manifesto is a good starting place for Values, and Pricipals to consider for Security reviews, or Threat Modeling. | Threat Modeling Manifesto | 10 min |
| Introduction to threat modeling | Threat modeling is an effective way to help secure your systems, applications, networks, and services. It's an engineering technique that identifies potential threats and recommendations to help reduce risk and meet security objectives earlier in the development lifecycle. | Introduction to threat modeling - Training | Microsoft Learn | 30 min |
| Approach your data-flow diagram with the right threat model focus | Threat modeling is an effective technique to help you identify threats and ways to reduce or eliminate risk. We start by deciding to focus on either what needs to be protected or who it needs protection from. | Approach your data-flow diagram with the right threat model focus - Training | Microsoft Learn | 8 min |
| Provide context with the right depth layer | Threat models could get complex if all parties involved can't agree on a data-flow diagram depth layer that provides enough context to satisfy requirements. | Provide context with the right depth layer - Training | Microsoft Learn | 26 min |
| Create a threat model using data-flow diagram elements | Data-flow diagrams are graphical representations of your system and should specify each element, their interactions and helpful context. | Create a threat model using data-flow diagram elements - Training | Microsoft Learn | 42 min |
| Use a framework to identify threats and find ways to reduce or eliminate risk | Threat modeling helps you generate a list of potential threats using the threat modeling framework and find ways to reduce or eliminate risk with corresponding security controls. | Use a framework to identify threats and find ways to reduce or eliminate risk - Training | Microsoft Learn | 57 min |
| Prioritize your issues and apply security controls | Threat modeling provides you with a list of threats and ways to reduce or eliminate risk, but it doesn't prioritize them for you. Also, there are no layered security control recommendations based on their type and function. | Prioritize your issues and apply security controls - Training | Microsoft Learn | 14 min |
| Use recommended tools to create a data-flow diagram | You can use any canvas, physical or virtual, to create a data-flow diagram. Engineers at Microsoft recommend a few tools to help you in your threat modeling journey. | Use recommended tools to create a data-flow diagram - Training | Microsoft Learn | 18 min |
| Introduction to Threat Models | In this talk, we will show you how to assess your product against the current threat landscape and prepare for your next threat model review. You will learn how to access the tools and questionnaires that can help you identify and prioritize the most relevant security risks and mitigations for your product. | Course: Computer Systems Security | 80 min video |
| What makes a good threat model? | If you're doing your first threat model or haven't done one in a while and are asked to make one, you may wonder where and how to start. This blog attempts to give a few tips on what makes a threat model good. Having a good threat model sets the foundation for a productive threat model review meeting. | Good TM design | 15 min |