Sprint #8: Get Playful with Threat Modeling

Welcome back to the 8th sprint of OneHourAppSec. 

After a few sprints talking about the software we inherit from others, it’s time to go back to why we became engineers – the software and solutions we design ourselves.

Building a solution that solves a real-world problem is profoundly satisfying, but as engineers, we are wired to focus on the regular usage of these designs. We are happiest when working with our decisions’ expected behaviors and outcomes. Threat modeling is the process by which we step outside of our comfort zone and consider how our systems can be used in different ways, often with malicious or unexpected intent.

Our goals for this sprint:

  • To understand the basics of threat modeling and why it’s a helpful tool when designing secure software
  • To carry out our first threat model and plan how to cover the rest of our systems.

So without further ado, let’s get into it 👏


📽️ [VIDEO] Introducing Sprint 8 (3 minutes)

Welcome to Sprint 8 and the fun world of threat modeling.

📽️ [Free Course] Adam Shostack’s World’s Shortest Threat Modeling Course (20 minutes)

Adam is a leading expert on threat modeling and a consultant, entrepreneur, technologist, author, and game designer. He’s a member of the BlackHat Review Board and helped create the CVE and many other things. 

He produced an epically effective, concise course to get you started on Threat Modeling, and you should check it out.

📑 Get Started with Threat Modeling (25 minutes)

The best way to get started with Threat Modeling is to have a go! Either choose a small, simple system from your world.

Aim to answer the following questions:

  • Who would want to misuse or benefit from this system?
  • What is their motivation?
  • What might they do (how would they behave in your system)?
  • What would the impact be for your organization?
  • What can you do to prevent or detect that happening?
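One way to make the last two questions concrete is STRIDE-per-element, the approach behind the Microsoft STRIDE material linked below: each kind of element in a data-flow diagram gets a fixed set of applicable threat categories, and any category with no recorded control is an open gap. The script below is an added illustration, not code from OneHourAppSec or any of the linked tools; the sample system, element names and controls are constructed for it.

```python
from dataclasses import dataclass, field

# STRIDE categories and which apply to each DFD element kind (STRIDE-per-element).
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}


@dataclass
class Element:
    name: str
    kind: str                       # external | process | store | flow
    crosses_boundary: bool = False  # flows across a trust boundary matter most
    mitigations: dict = field(default_factory=dict)  # category letter -> control


def enumerate_threats(elements):
    """Answer 'what might they do': every STRIDE category that applies per element."""
    return [(e.name, STRIDE[c]) for e in elements for c in APPLICABLE[e.kind]]


def coverage_gaps(elements):
    """Answer 'what can you do': threats with no recorded prevention or detection,
    boundary-crossing elements first so review time goes where risk is highest."""
    gaps = [(e.name, STRIDE[c], e.crosses_boundary) for e in elements
            for c in APPLICABLE[e.kind] if c not in e.mitigations]
    return sorted(gaps, key=lambda g: not g[2])  # stable sort keeps model order otherwise


# Constructed sample system: a browser talking to a login service backed by a user DB.
MODEL = [
    Element("Browser", "external", mitigations={"S": "password + MFA"}),
    Element("Browser->Login", "flow", crosses_boundary=True,
            mitigations={"I": "TLS", "T": "TLS"}),
    Element("Login service", "process",
            mitigations={"S": "signed session cookie", "T": "input validation",
                         "R": "audit log", "I": "TLS", "D": "rate limiting",
                         "E": "least-privilege service account"}),
    Element("Login->UserDB", "flow", mitigations={"I": "private network"}),
    Element("UserDB", "store", mitigations={"I": "hashed passwords", "T": "DB ACLs"}),
]

if __name__ == "__main__":
    for name, threat, boundary in coverage_gaps(MODEL):
        print(f"{'!' if boundary else ' '} {name}: {threat} has no control recorded yet")
```

Each printed line is a candidate for the "prevent or detect" column of your threat model; the ones marked `!` cross a trust boundary and deserve the first look.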

📚 Open Source Threat Modeling Resources (10 minutes)

Rather than reinvent the wheel, in this sprint, we are sharing a range of great free resources that you can use to go deeper on this subject. Check them out!

Free OWASP Threat Modeling Tool: https://owasp.org/www-project-threat-dragon/

Threat Model Examples: https://github.com/OWASP/threat-model-cookbook

Microsoft STRIDE: https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats
