Welcome back to the 8th sprint of OneHourAppSec.
After a few sprints talking about the software we inherit from others, it’s time to go back to why we become engineers – the software and solutions we design ourselves.
Building a solution that solves a real-world problem is profoundly satisfying, but as engineers, we are wired to focus on the regular usage of these designs. We are happiest when working with our decisions’ expected behaviors and outcomes. Threat modeling is the process by which we step outside of our comfort zone and consider how our systems can be used in different ways, often with malicious or unexpected intent.
Our goals for this sprint:
- To understand the basics of threat modeling and why it’s a helpful tool when designing secure software
- To carry out our first threat model and plan to consider the rest of our systems.
So without further ado, let’s get into it 👏
📽️ [VIDEO] Introducing Sprint 8 (3 minutes)
Welcome to Sprint 8 and the fun world of threat modeling.
📽️ [Free Course] Adam Shostack’s World Shortest Threat Modeling Course (20 minutes)
Adam is a leading expert on threat modeling and a consultant, entrepreneur, technologist, author, and game designer. He’s a member of the BlackHat Review Board and helped create the CVE and many other things.
He produced an epically effective, concise course to get you started on Threat Modeling, and you should check it out.
📑 Get Started with Threat Modeling (25 minutes)
The best way to get started with Threat Modeling is to have a go! Either choose a small, simple system from your world.
Aim to answer the following questions:
- Who would want to misuse or benefit from this system?
- What is their motivation?
- What might they do (how would they behave in your system)?
- What would the impact be for your organization?
- What can you do to prevent or detect that happening?
📚 Open Source Threat Modeling Resources (10 minutes)
Rather than reinvent the wheel, in this sprint, we are sharing a range of great free resources that you can use to go deeper on this subject. Check them out!
Free OWASP Threat Modeling Tool: https://owasp.org/www-project-threat-dragon/
Threat Model Examples: https://github.com/OWASP/threat-model-cookbook
Microsoft Stride: https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats