An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about Threat Modeling in Cybersecurity.
Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.
Threat Modeling is one of the most essential - and most misunderstood - parts of the development life cycle. Whether you're a security practitioner or a member of a development team, this guide will help you gain a better understanding of how you can apply core threat modeling concepts to your practice to protect your systems against threats.
That is analyzing a system to look for weaknesses that come from less-desirable design choices.
That is to identify these weaknesses before they are baked into the system (as a result of implementation or deployment) so you can take corrective action as early as possible.
A conceptual exercise that aims to help you understand which characteristics of a system’s design should be modified to reduce risk in the system to an acceptable level for its owners, users, and operators.
When performing threat modeling, you look at a system as a collection of its components and their interactions with the world outside the system (like other systems it interacts with) and the actors that may perform actions on these systems. Then you try to imagine how these components and interactions may fail or be made to fail. From this process, you’ll identify threats to the system, which will in turn lead to changes and modifications to the system. The result is a system that can resist the threats you imagined.
- Introduction
- Fundamentals
- Books
- Courses
- Videos
- Tutorials and Blogs
- Threat Model examples
- Tools
- Sponsor
Books on threat modeling.
-
Securing Systems: Applied Security Architecture and Threat Models
-
Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis
Courses/Training videos on threat modeling.
-
Rapid Threat Model Prototyping (RTMP) - Methodology to create quick threat models (1) add threat metadata describing the threats and mitigations directly to software diagrams using 11 simple and repeatable steps (2) integrate these steps into Agile workstreams (3) how to best use the outputs of a threat model (Threats & Mitigations)
-
Threat Modeling the Right Way for Builders Workshop - AWS Skill Builder threat modeling workshop. Requires AWS Skill Builder Login (free).
-
Certified Threat Modeling Professional by Practical DevSecOps
-
CyberSec First Responder: Threat Detection & Response CFR210
Videos talking about Threat modeling.
-
Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team
-
An Agile Approach to Threat Modeling for Securing Open Source Project EdgeX Foundry
Tutorials and blogs that explain threat modeling
-
DevSecOps, Threat Modeling and You: Get started using the STRIDE method
-
How to Create a Threat Model for Cloud Infrastructure Security
-
How to get started with Threat Modeling, before you get hacked
-
How to analyze the security of your application with threat modeling
-
7 Easy Steps For Building a Scalable Threat Modeling Process
-
The Enchiridion of Impetus Exemplar: A Threat Modeling Field Guide
Threat model examples for reference.
Tools which helps in threat modelling.
-
OWASP Threat Dragon - An online threat modelling web application including system diagramming and a rule engine to auto-generate threats/mitigations.
-
Microsoft Threat Modeling Tool - Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects.
-
Owasp-threat-dragon-gitlab - This project is a fork of the original OWASP Threat Dragon web application by Mike Goodwin with Gitlab integration instead of GitHub. You can use it with the Gitlab.com or your own instance of Gitlab.
-
Raindance - Project intended to make Attack Maps part of software development by reducing the time it takes to complete them.
-
Threatspec - Threatspec is an open source project that aims to close the gap between development and security by bringing the threat modelling process further into the development process.
-
PyTM - PyTM is an open source project providing a library for threat modeling with code. Describe your system using OO syntax (object.property = value) and have your threat modeling report automatically generated. 100+ threats currently supported.
-
MAL - MAL is an open source project that supports creation of cyber threat modeling systems and attack simulations.
-
Threagile - Threagile is an open-source toolkit for agile threat modeling
-
TicTaaC - Threat modeling-as-a-Code in a Tick (TicTaaC). Lightweight and easy-to-use Threat modeling solution following DevSecOps principles
-
Threat Modeling Online Game - Online version of the Elevation of Privilege and Cornucopia card games. The easy way to get started with threat modeling.
-
Deciduous - A web app that simplifies building attack decision trees. Hosted at https://www.deciduous.app/
-
drawio-threatmodeling - A collection of custom libraries to turn the free and cross-platform Draw.io diagramming application into the perfect tool for threat modeling.
- Irius risk - Iriusrisk is a threat modeling tool with an adaptive questionnaire driven by an expert system which guides the user through straight forward questions about the technical architecture, the planned features and security context of the application.
- SD elements - Automate Threat Modeling with SD Elements.
- Foreseeti - SecuriCAD Vanguard is an attack simulation and automated threat modeling SaaS service that enables you to automatically simulate attacks on a virtual model of your AWS environment.
- Tutamen Threat Model system - This tool allows threat model metadata to be added to any software diagram, turning that diagram into a threat model. It's simple to use, requires no lock-in license, and is driven by the Common Weakness Enumeration, STRIDE and OWASP Top 10.
- YAKINDU Security Analyst - YAKINDU Security Analyst is a model-based software tool for threat analysis and risk assessment of technical systems. You can identify your protection needs, analyze possible threats and calculate the resulting risks. The underlying assessment model and calculation logic are highly customizable and can be integrated into existing toolchains.
Please refer the guidelines at contributing.md for details.
MIT License & cc license
This work is licensed under a Creative Commons Attribution 4.0 International License.
To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.