This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Threat Modeling Cheat Sheet
From OWASP
Last revision (mm/dd/yy): 04/12/2016
DRAFT CHEAT SHEET - WORK IN PROGRESSIntroductionThe objective of this cheat sheet is to provide guidance to developers, reviewers, designers and architects on conducting successful threat modeling. The main goal of threat modeling is to understand the controls needed for a software system. This is a complex endeavor that will involve investigations into:
Define The Target Of EvaluationCreate a logical map of the Target of EvaluationCreate a physical map of the Target of EvaluationIdentify the Assets within the physical and logical Targets of EvaluationDefine The AttackersIdentify Possible Attackers that could exist within the Target Of Evaluation
Select the most dangerous Attacker in your Target Of EvaluationConduct the Threat Model
Enumerate Threats posed by most dangerous Attacker in Target of EvaluationEnumerate Threats posed by most dangerous attacker in designated areas of the physical & logical Maps of the Target of Evaluation
Enumerate Attacks posed by most dangerous attacker in designated areas of the logical and physical maps of the target of evaluation
- Application Decomposition - Attack Tree - Vulnerability/Exploit Mapping - Application Testing create risks in risk log for every identified threat or attack to any assetsrank risks using risk matrix from most severe to least severeIdentify risk ownersRemediation/CountermeasuresAgree on risk mitigation with risk owners and stakeholders
Treat risks accordinglyTest risk treatment to verify remediationReduce risk in risk log for verified treated riskPeriodically retest riskAuthors and Primary EditorsTODO Other Cheatsheets |