OWASP Threat Modelling Guide

Main goal

Make threat modelling easier to use for different people within different roles.

Story

Many people know that thinking about threats is an important part of securing the systems we create. Most of them have also heard something about the Threat Modelling practice, but they struggle to start. There are plenty of methods to perform it, but each of them has its own specifics. There is no single method to rule them all. Some are too complex for beginners and others are focused on a single domain of security.

That’s why we want to create a guideline for every technical person to help them start with threat modelling and to choose the most effective threat modelling method for their purpose.

Supplement goals

  • Improve access to different Threat Modelling techniques.
  • Accelerate learning of Threat Modelling techniques.
  • Support the process of choosing the most suitable method for the team.

Roadmap

  1. Create an initial list of Threat Modelling methods.
  2. Gather a team to work on this project.
  3. Add a brief description to each method.
  4. Find materials describing each method and real-world experiences with them.
  5. Reach out to industry professionals to collect case studies on the use of different Threat Modelling methods.
  6. Gather information about the conditions under which each method is most effective.
  7. Create a decision-making guide to help companies or teams select the most suitable Threat Modelling method.

Streams

  1. Threat Modelling methods collection
    • Goal: Create a comprehensive list of Threat Modelling methods and supporting tools/games
  2. In-process placement
    • Goal: List the example methods to integrate Threat Modelling with the development process
  3. Industry examples collection
    • Goal: Show how different teams work with Threat Modelling
  4. Decision Guide creation
    • Goal: Create a hand-holding guide to choose the most effective Threat Modelling method for the given conditions
  5. Educational resources
    • Goal: Gather and/or create educational resources to promote and teach Threat Modelling

Stream ideas for the future

  • Tooling Integration & Automation
    • Goal: Explore ways to integrate threat modelling with commonly used tools and platforms
  • Templates and Reusable Artifacts
    • Goal: Provide ready-to-use templates, checklists, and example outputs to make starting and scaling threat modelling easier.
  • Threat Modelling Maturity Model
    • Goal: Define levels of maturity in threat modelling adoption and help organizations assess and improve their practices over time.

Project phases

Here we break the main goal into stages and list the focus points of each stage.

  1. Building Foundations
    • Gather and create a set of resources to show the variety and applicability of different Threat Modelling methods
  2. Adoption
    • Show real use cases and examples of Threat Modelling usage
    • Define methods to evaluate Threat Modelling practices
  3. Guide customization
    • Adapt the guide to the specifics of different roles and domains

Threat Modelling Methods

There are plenty of different threat modelling methods to choose from and use.

STRIDE

source

STRIPED

source

STRIDE-LM

source

LINDDUN

source

PASTA

source

Attack Trees

source

Persona non Grata

source

Trike

source

VAST

source

OCTAVE

source

OCTAVE ALLEGRO

source

SQUARE

source

Quantitative Threat Modeling Method

source

Hybrid Threat Modeling Method

source

Security Questions

OWASP TOP 10

source

MITRE ATT&CK

source

Cyber Kill Chains

source