https://github.com/redshiftzero/awesome-threat-modeling
a curated list of useful threat modeling resources
List: awesome-threat-modeling
risk-assessment security threat-modeling
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/redshiftzero/awesome-threat-modeling
- Owner: redshiftzero
- License: apache-2.0
- Created: 2018-11-30T18:27:10.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2024-01-04T06:12:35.000Z (11 months ago)
- Last Synced: 2024-05-22T08:10:51.683Z (7 months ago)
- Topics: risk-assessment, security, threat-modeling
- Size: 13.7 KB
- Stars: 110
- Watchers: 8
- Forks: 18
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-dev-first-security - Awesome Threat Modeling
- awesome-security-collection - **24** stars
- ultimate-awesome - awesome-threat-modeling - A curated list of useful threat modeling resources. (Other Lists / PowerShell Lists)
README
# awesome-threat-modeling
A curated list of useful threat modeling and risk management resources. Please feel free to contribute.

# Table of Contents
1. [General](#general)
2. [Data Flow Diagrams](#data-flow-diagrams)
3. [Threat Enumeration](#threat-enumeration)
4. [Prioritization Methodologies](#prioritization-methodologies)
5. [Conference Talks](#conference-talks)
6. [Books](#books)
7. [Tools](#tools)

## General
* [OWASP page on Application Threat Modeling](https://www.owasp.org/index.php/Application_Threat_Modeling)
* [OpenSAMM Threat Assessment](https://www.owasp.org/index.php/SAMM_-_Threat_Assessment_-_1)
* [Microsoft threat modeling posts](https://blogs.msdn.microsoft.com/larryosterman/2007/10/01/some-final-thoughts-on-threat-modeling/)

## Data Flow Diagrams
* [Presentation (PDF) with very good introduction to DFDs](https://people.eecs.berkeley.edu/~daw/teaching/cs261-f12/hws/Introduction_to_Threat_Modeling.pdf)
* [DFD Example and explanation](https://www.cs.uct.ac.za/mit_notes/software/htmls/ch06s02.html)

Good tools for generating DFDs:
* [graphviz](https://graphviz.gitlab.io/about/)
* [draw.io](https://www.draw.io/)
* [TikZ](http://www.texample.net/tikz/examples/data-flow-diagram/)

## Threat Enumeration
* [STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege)](https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20))
* [Attack Trees](https://www.schneier.com/academic/archives/1999/12/attack_trees.html)

## Prioritization Methodologies
* [DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)](https://wiki.openstack.org/wiki/Security/OSSA-Metrics#DREAD)
## Conference Talks
* [Rapid Threat Modeling](https://www.youtube.com/watch?v=4zxM1KhLXvI) - Akshay Aggarwal - Blackhat USA (2005)
* Elevation of Privilege: The easy way to threat model [Part 1](https://www.youtube.com/watch?v=gZh5acJuNVg) and [Part 2](https://www.youtube.com/watch?v=uDtVBoj9VpQ) - Adam Shostack - Blackhat (2010)
* [Threat Modeling Best Practices](https://www.youtube.com/watch?v=58Qga-ergBQ) - Robert Zigweid - AppSecUSA (2010)
* [Threat Modeling: Lessons from Star Wars](https://www.youtube.com/watch?v=-2zvfevLnp4) - Adam Shostack - Brucon (2014)
* [Incremental Threat Modeling](https://www.youtube.com/watch?v=WePVoeYrhpg) - Irene Michlin - AppSecEU (2017)
* [Threat Modeling with PASTA](https://www.youtube.com/watch?v=hHIgW8ZUi4A) - Tony UcedaVelez - AppSecEU (2017)
* [Value Driven Threat Modeling](https://www.youtube.com/watch?v=3Fl_7FrM_gI) - Avi Douglen - AppSecUSA (2018)
* [Threat Modeling Toolkit](https://www.youtube.com/watch?v=KGy_KCRUGd4) - Jonathan Marcil - AppSecCali (2018)
* [Lessons From The Threat Modeling Trenches](https://www.youtube.com/watch?v=DEVt1Adybvs) - Brook Schoenfield - AppSecCali (2018)
* [Threat Model as Code](https://www.youtube.com/watch?v=fT2-JuvK428) - Abhay Bhargav - AppSecUSA (2018)
* [Threat Modeling at speed and scale](https://www.youtube.com/watch?v=5jyL-CHib54) - Stuart Winter-Tear - DevSecCon London (2018)
* [Threat Modeling: uncover vulnerabilities without looking at code](https://www.youtube.com/watch?v=Fmp9UFjPiJs) - Chris Romeo - NDC (2018)
* [Threat Modeling in 2018](https://www.youtube.com/watch?v=DMFF8zQqEVQ) - Adam Shostack - Blackhat USA (2018)
* [Threat Modeling in 2019](https://www.youtube.com/watch?v=ZoxHIpzaZ6U) - Adam Shostack - RSA Conference (2019)
* [Offensive Threat Models Against the Supply Chain](https://www.youtube.com/watch?v=J6o7YTnAqYg) - Tony UcedaVelez - AppSecCali (2019)
* [Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team](https://www.youtube.com/watch?v=VbW-X0j35gw) - Izar Tarandach - AppSecCali (2019)
* [Game On! Adding Privacy to Threat Modeling](https://www.youtube.com/watch?v=uzOdpuAhr28) - Adam Shostack, Mark Vinkovits - AppSecCali (2019)
* [Adaptive Threat Modeling](https://www.youtube.com/watch?v=YTtO_TGV2fU) - Aaron Bedra - GOTO Chicago (2017)

## Books
* Shostack, [Threat Modeling: Designing for Security](https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998)
* NIST, [Guide to Data-Centric System Threat Modeling](https://csrc.nist.gov/publications/detail/sp/800-154/draft)

## Tools
* [Microsoft TMT](https://docs.microsoft.com/en-us/azure/security/azure-security-threat-modeling-tool)
* [OWASP Threat Dragon](https://threatdragon.org/)
* [Mozilla Seasponge](https://github.com/mozilla/seasponge)
* [IriusRisk](https://continuumsecurity.net/threat-modeling-tool/)
* [eramba](http://www.eramba.org/)
* [Elevation of Privilege (EoP) Threat Modeling Card Game](http://www.microsoft.com/en-us/download/details.aspx?id=20303)
* [Threat Playbook](https://we45.gitbook.io/threatplaybook/)
* [pytm](https://github.com/izar/pytm)
* [ThreatSpec](https://threatspec.org/)
* [Threat Model SDK](https://github.com/stevespringett/threatmodel-sdk)
* [TaaC-AI](https://github.com/yevh/TaaC-AI)