Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/redshiftzero/awesome-threat-modeling

a curated list of useful threat modeling resources
https://github.com/redshiftzero/awesome-threat-modeling

List: awesome-threat-modeling

risk-assessment security threat-modeling

Last synced: 3 months ago
JSON representation

a curated list of useful threat modeling resources

Awesome Lists containing this project

README 

        
# awesome-threat-modeling

A curated list of useful threat modeling and risk management resources. Please feel free to contribute.



# Table of Contents

1. [General](#general)

2. [Data Flow Diagrams](#data-flow-diagrams)

3. [Threat Enumeration](#threat-enumeration)

4. [Prioritization Methodologies](#prioritization-methodologies)

5. [Conference Talks](#conference-talks)

6. [Books](#books)

7. [Tools](#tools)



## General



* [OWASP page on Application Threat Modeling](https://www.owasp.org/index.php/Application_Threat_Modeling)

* [OpenSAMM Threat Assessment](https://www.owasp.org/index.php/SAMM_-_Threat_Assessment_-_1)

* [Microsoft threat modeling posts](https://blogs.msdn.microsoft.com/larryosterman/2007/10/01/some-final-thoughts-on-threat-modeling/)



## Data Flow Diagrams



* [Presentation (PDF) with very good introduction to DFDs](https://people.eecs.berkeley.edu/~daw/teaching/cs261-f12/hws/Introduction_to_Threat_Modeling.pdf)

* [DFD Example and explanation](https://www.cs.uct.ac.za/mit_notes/software/htmls/ch06s02.html)



Good tools for generating DFDs:



* [graphviz](https://graphviz.gitlab.io/about/)

* [draw.io](https://www.draw.io/)

* [TikZ](http://www.texample.net/tikz/examples/data-flow-diagram/)



## Threat Enumeration



* [STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege)](https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20))

* [Attack Trees](https://www.schneier.com/academic/archives/1999/12/attack_trees.html)



## Prioritization Methodologies



* [DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)](https://wiki.openstack.org/wiki/Security/OSSA-Metrics#DREAD)



## Conference Talks

* [Rapid Threat Modeling](https://www.youtube.com/watch?v=4zxM1KhLXvI) - Akshay Aggarwal - Blackhat USA (2005)

* Elevation of Privilege: The easy way to threat model [Part 1](https://www.youtube.com/watch?v=gZh5acJuNVg) and [Part 2](https://www.youtube.com/watch?v=uDtVBoj9VpQ) - Adam Shostack - Blackhat (2010)

* [Threat Modeling Best Practices](https://www.youtube.com/watch?v=58Qga-ergBQ) - Robert Zigweid - AppSecUSA (2010)

* [Threat Modeling: Lessons from Star Wars](https://www.youtube.com/watch?v=-2zvfevLnp4) - Adam Shostack - Brucon (2014)

* [Incremental Threat Modeling](https://www.youtube.com/watch?v=WePVoeYrhpg) -  Irene Michlin - AppSecEU (2017)

* [Threat Modeling with PASTA](https://www.youtube.com/watch?v=hHIgW8ZUi4A) - Tony UcedaVelez - AppSecEU (2017)

* [Value Driven Threat Modeling](https://www.youtube.com/watch?v=3Fl_7FrM_gI) - Avi Douglen - AppSecUSA (2018)

* [Threat Modeling Toolkit](https://www.youtube.com/watch?v=KGy_KCRUGd4) - Jonathan Marcil - AppSecCali (2018)

* [Lessons From The Threat Modeling Trenches](https://www.youtube.com/watch?v=DEVt1Adybvs) - Brook Schoenfield - AppSecCali (2018)

* [Threat Model as Code](https://www.youtube.com/watch?v=fT2-JuvK428) - Abhay Bhargav - AppSecUSA (2018)

* [Threat Modeling at speed and scale](https://www.youtube.com/watch?v=5jyL-CHib54) - Stuart Winter-Tear - DevSecCon London (2018)

* [Threat Modeling: uncover vulnerabilities without looking at code](https://www.youtube.com/watch?v=Fmp9UFjPiJs) - Chris Romeo - NDC (2018)

* [Threat Modeling in 2018](https://www.youtube.com/watch?v=DMFF8zQqEVQ) - Adam Shostack - Blackhat USA (2018)

* [Threat Modeling in 2019](https://www.youtube.com/watch?v=ZoxHIpzaZ6U) - Adam Shostack - RSA Conference (2019)

* [Offensive Threat Models Against the Supply Chain](https://www.youtube.com/watch?v=J6o7YTnAqYg) - Tony UcedaVelez - AppSecCali (2019)

* [Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team](https://www.youtube.com/watch?v=VbW-X0j35gw) - Izar Tarandach - AppSecCali (2019)

* [Game On! Adding Privacy to Threat Modeling](https://www.youtube.com/watch?v=uzOdpuAhr28) - Adam Shostack, Mark Vinkovits - AppSecCali (2019)

* [Adaptive Threat Modeling](https://www.youtube.com/watch?v=YTtO_TGV2fU) - Aaron Bedra - GOTO Chicago (2017)



## Books



* Shostack, [Threat Modeling: Designing for Security](https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998)

* NIST, [Guide to Data-Centric System Threat Modeling](https://csrc.nist.gov/publications/detail/sp/800-154/draft)



## Tools



* [Microsoft TMT](https://docs.microsoft.com/en-us/azure/security/azure-security-threat-modeling-tool)

* [OWASP Threat Dragon](https://threatdragon.org/)

* [Mozilla Seasponge](https://github.com/mozilla/seasponge)

* [IriusRisk](https://continuumsecurity.net/threat-modeling-tool/)

* [eramba](http://www.eramba.org/)

* [Elevation of Privilege (EoP) Threat Modeling Card Game](http://www.microsoft.com/en-us/download/details.aspx?id=20303)

* [Threat Playbook](https://we45.gitbook.io/threatplaybook/)

* [pytm](https://github.com/izar/pytm)

* [ThreatSpec](https://threatspec.org/)

* [Threat Model SDK](https://github.com/stevespringett/threatmodel-sdk)

* [TaaC-AI](https://github.com/yevh/TaaC-AI)