Threat Modeling

It's absolutely necessary if you're serious about security.

Whitepapers/Books/Blogs

• Threat Modeling for ASP.NET (PDF) - an excellent white paper from Rüdiger Grimm and Henrik Eichstädt from the University of Kent
• Threat Modeling book from MSPress - "In this straightforward and practical guide, Microsoft application security specialists Frank Swiderski and Window Snyder describe the concepts and goals for threat modeling—a structured approach for identifying, evaluating, and mitigating risks to system security."
• Chapter 3 of Improving Web Application Security from Patterns up and Practices - A six-step threat modeling process. 
• High-Level Threat Modelling Process - Short blog post on Threat Modelling from Peter Torr.
• Threat Modeling Web Applications - patterns & practices Library
  This guidance presents the patterns & practices approach to creating threat models for Web applications. Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk.

How To

• How To: Create a Threat Model for a Web Application at Design Time

Tools

• Microsoft Threat Modelling Tool - "The Threat Modeling Tool allows users to create threat model documents for applications. It organizes relevant data points, such as entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities into an easy-to-use tree-based view. The tool saves the document as XML, and will export to HTML and MHT using the included XSLTs, or a custom transform supplied by the user. The Threat Modeling Tool was built by Microsoft Security Software Engineer Frank Swiderski, the author of Threat Modeling (Microsoft Press, June 2004)."

Enjoy!

You must Login to comment.