Question 1

How to start threat modeling for a small team?

Accepted Answer

Begin with the General section for foundational resources like OWASP's Application Threat Modeling page, then use tools from the Tools section such as draw.io for diagrams and STRIDE for threat enumeration. The list provides a structured way to pick methodologies and tools suited to your scale.

Question 2

What's the difference between STRIDE and DREAD?

Accepted Answer

STRIDE is a threat enumeration framework focusing on categories like Spoofing and Tampering, while DREAD is a risk prioritization methodology based on factors like Damage and Exploitability. Both are detailed in the Threat Enumeration and Prioritization Methodologies sections with links to Microsoft and OpenStack resources.

Question 3

Best open-source threat modeling tools?

Accepted Answer

The Tools section lists several open-source options, including OWASP Threat Dragon for diagram-based modeling and pytm for code-driven approaches. These are cost-effective choices for teams wanting to avoid commercial software licenses.

Question 4

How to integrate threat modeling into agile development?

Accepted Answer

Look at resources like the 'Threat Model Every Story' conference talk and tools such as ThreatSpec or pytm, which support automation and can be incorporated into CI/CD pipelines. The list provides pointers to adapt threat modeling for iterative workflows.

Question 5

Are there any free courses on threat modeling?

Accepted Answer

While not courses per se, the Conference Talks section includes numerous free videos from events like Blackhat and AppSec, covering topics from basics to advanced practices, which can serve as educational material.

Question 6

Threat modeling or risk assessment: which comes first?

Accepted Answer

Threat modeling typically identifies potential threats early in design, while risk assessment evaluates their impact; they're often done iteratively. The resources cover both, with methodologies like DREAD for prioritization to help integrate them effectively.

Awesome Threat Modeling

What is Awesome Threat Modeling?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions