OWASP Threat Modelling Guide
Main goal
Make threat modelling easier to use for different people within different roles.
Story
Many people know that thinking about threats is an important part of securing the systems we create. Most of them have also heard something about the Threat Modelling practice, but they struggle to get started. There are plenty of methods to choose from, but each has its own specifics. There is no single method to rule them all: some are too complex for beginners, others focus on a single domain of security.
That is why we want to create a guideline for all technical people that helps them start with threat modelling and choose the most effective threat modelling method for their purpose.
Supplement goals
- Improve access to different Threat Modelling techniques.
- Accelerate learning of Threat Modelling techniques.
- Support the process of choosing the most suitable method for the team.
Roadmap
- Create an initial list of Threat Modelling methods.
- Gather a team to work on this project.
- Add a brief description to each method.
- Find materials describing each method and real-world experiences with them.
- Reach out to industry professionals to collect case studies on the use of different Threat Modelling methods.
- Gather information about the conditions under which each method is most effective.
- Create a decision-making guide to help companies or teams select the most suitable Threat Modelling method.
Streams
- Threat Modelling methods collection
  - Goal: Create a comprehensive list of Threat Modelling methods and supporting tools/games
- In-process placement
  - Goal: List example methods for integrating Threat Modelling into the development process
- Industry examples collection
  - Goal: Show how different teams work with Threat Modelling
- Decision Guide creation
  - Goal: Create a hand-holding guide for choosing the most effective Threat Modelling method under the given conditions
- Educational resources
  - Goal: Gather and/or create educational resources to promote and teach Threat Modelling
Stream ideas for the future
- Tooling Integration & Automation
  - Goal: Explore ways to integrate threat modelling with commonly used tools and platforms
- Templates and Reusable Artifacts
  - Goal: Provide ready-to-use templates, checklists, and example outputs to make starting and scaling threat modelling easier
- Threat Modelling Maturity Model
  - Goal: Define levels of maturity in threat modelling adoption and help organizations assess and improve their practices over time
Project phases
Here we break the main goal down into stages and list the focus points of each.
- Building Foundations
  - Gather and create a set of resources that shows the variety and applicability of different Threat Modelling methods
- Adoption
  - Show real use cases and examples of Threat Modelling in practice
  - Define methods to evaluate Threat Modelling practices
- Guide customization
  - Adapt the guide to the specifics of different roles and domains
Threat Modelling Methods
There are plenty of different threat modelling methods to choose from and use.