https://github.com/redshiftzero/awesome-threat-modeling
# awesome-threat-modeling
A curated list of useful threat modeling and risk management resources. Please feel free to contribute.

# Table of Contents
1. [General](#general)
2. [Data Flow Diagrams](#data-flow-diagrams)
3. [Threat Enumeration](#threat-enumeration)
4. [Prioritization Methodologies](#prioritization-methodologies)
5. [Conference Talks](#conference-talks)
6. [Books](#books)
7. [Tools](#tools)

## General

* [OWASP page on Application Threat Modeling](https://www.owasp.org/index.php/Application_Threat_Modeling)
* [OpenSAMM Threat Assessment](https://www.owasp.org/index.php/SAMM_-_Threat_Assessment_-_1)
* [Microsoft threat modeling posts](https://blogs.msdn.microsoft.com/larryosterman/2007/10/01/some-final-thoughts-on-threat-modeling/)

## Data Flow Diagrams

* [Presentation (PDF) with very good introduction to DFDs](https://people.eecs.berkeley.edu/~daw/teaching/cs261-f12/hws/Introduction_to_Threat_Modeling.pdf)
* [DFD Example and explanation](https://www.cs.uct.ac.za/mit_notes/software/htmls/ch06s02.html)

Good tools for generating DFDs:

* [graphviz](https://graphviz.gitlab.io/about/)
* [draw.io](https://www.draw.io/)
* [TikZ](http://www.texample.net/tikz/examples/data-flow-diagram/)

## Threat Enumeration

* [STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege)](https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20))
* [Attack Trees](https://www.schneier.com/academic/archives/1999/12/attack_trees.html)

## Prioritization Methodologies

* [DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)](https://wiki.openstack.org/wiki/Security/OSSA-Metrics#DREAD)

## Conference Talks

* [Rapid Threat Modeling](https://www.youtube.com/watch?v=4zxM1KhLXvI) - Akshay Aggarwal - Blackhat USA (2005)
* Elevation of Privilege: The easy way to threat model [Part 1](https://www.youtube.com/watch?v=gZh5acJuNVg) and [Part 2](https://www.youtube.com/watch?v=uDtVBoj9VpQ) - Adam Shostack - Blackhat (2010)
* [Threat Modeling Best Practices](https://www.youtube.com/watch?v=58Qga-ergBQ) - Robert Zigweid - AppSecUSA (2010)
* [Threat Modeling: Lessons from Star Wars](https://www.youtube.com/watch?v=-2zvfevLnp4) - Adam Shostack - Brucon (2014)
* [Incremental Threat Modeling](https://www.youtube.com/watch?v=WePVoeYrhpg) - Irene Michlin - AppSecEU (2017)
* [Threat Modeling with PASTA](https://www.youtube.com/watch?v=hHIgW8ZUi4A) - Tony UcedaVelez - AppSecEU (2017)
* [Value Driven Threat Modeling](https://www.youtube.com/watch?v=3Fl_7FrM_gI) - Avi Douglen - AppSecUSA (2018)
* [Threat Modeling Toolkit](https://www.youtube.com/watch?v=KGy_KCRUGd4) - Jonathan Marcil - AppSecCali (2018)
* [Lessons From The Threat Modeling Trenches](https://www.youtube.com/watch?v=DEVt1Adybvs) - Brook Schoenfield - AppSecCali (2018)
* [Threat Model as Code](https://www.youtube.com/watch?v=fT2-JuvK428) - Abhay Bhargav - AppSecUSA (2018)
* [Threat Modeling at speed and scale](https://www.youtube.com/watch?v=5jyL-CHib54) - Stuart Winter-Tear - DevSecCon London (2018)
* [Threat Modeling: uncover vulnerabilities without looking at code](https://www.youtube.com/watch?v=Fmp9UFjPiJs) - Chris Romeo - NDC (2018)
* [Threat Modeling in 2018](https://www.youtube.com/watch?v=DMFF8zQqEVQ) - Adam Shostack - Blackhat USA (2018)
* [Threat Modeling in 2019](https://www.youtube.com/watch?v=ZoxHIpzaZ6U) - Adam Shostack - RSA Conference (2019)
* [Offensive Threat Models Against the Supply Chain](https://www.youtube.com/watch?v=J6o7YTnAqYg) - Tony UcedaVelez - AppSecCali (2019)
* [Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team](https://www.youtube.com/watch?v=VbW-X0j35gw) - Izar Tarandach - AppSecCali (2019)
* [Game On! Adding Privacy to Threat Modeling](https://www.youtube.com/watch?v=uzOdpuAhr28) - Adam Shostack, Mark Vinkovits - AppSecCali (2019)
* [Adaptive Threat Modeling](https://www.youtube.com/watch?v=YTtO_TGV2fU) - Aaron Bedra - GOTO Chicago (2017)

## Books

* Shostack, [Threat Modeling: Designing for Security](https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998)
* NIST, [Guide to Data-Centric System Threat Modeling](https://csrc.nist.gov/publications/detail/sp/800-154/draft)

## Tools

* [Microsoft TMT](https://docs.microsoft.com/en-us/azure/security/azure-security-threat-modeling-tool)
* [OWASP Threat Dragon](https://threatdragon.org/)
* [Mozilla Seasponge](https://github.com/mozilla/seasponge)
* [IriusRisk](https://continuumsecurity.net/threat-modeling-tool/)
* [eramba](http://www.eramba.org/)
* [Elevation of Privilege (EoP) Threat Modeling Card Game](http://www.microsoft.com/en-us/download/details.aspx?id=20303)
* [Threat Playbook](https://we45.gitbook.io/threatplaybook/)
* [pytm](https://github.com/izar/pytm)
* [ThreatSpec](https://threatspec.org/)
* [Threat Model SDK](https://github.com/stevespringett/threatmodel-sdk)
* [TaaC-AI](https://github.com/yevh/TaaC-AI)