A curated list of useful threat modeling and risk management resources. Please feel free to contribute.
- General
- Data Flow Diagrams
- Threat Enumeration
- Prioritization Methodologies
- Conference Talks
- Books
- Tools
- OWASP page on Application Threat Modeling
- OpenSAMM Threat Assessment
- Microsoft threat modeling posts
Good tools for generating DFDs:
- STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege)
- Attack Trees
- Rapid Threat Modeling - Akshay Aggarwal - Blackhat USA (2005)
- Elevation of Privilege: The easy way to threat model Part 1 and Part 2 - Adam Shostack - Blackhat (2010)
- Threat Modeling Best Practices - Robert Zigweid - AppSecUSA (2010)
- Threat Modeling: Lessons from Star Wars - Adam Shostack - Brucon (2014)
- Incremental Threat Modeling - Irene Michlin - AppSecEU (2017)
- Threat Modeling with PASTA - Tony UcedaVelez - AppSecEU (2017)
- Value Driven Threat Modeling - Avi Douglen - AppSecUSA (2018)
- Threat Modeling Toolkit - Jonathan Marcil - AppSecCali (2018)
- Lessons From The Threat Modeling Trenches - Brook Schoenfield - AppSecCali (2018)
- Threat Model as Code - Abhay Bhargav - AppSecUSA (2018)
- Threat Modeling at speed and scale - Stuart Winter-Tear - DevSecCon London (2018)
- Threat Modeling: uncover vulnerabilities without looking at code - Chris Romeo - NDC (2018)
- Threat Modeling in 2018 - Adam Shostack - Blackhat USA (2018)
- Threat Modeling in 2019 - Adam Shostack - RSA Conference (2019)
- Offensive Threat Models Against the Supply Chain - Tony UcedaVelez - AppSecCali (2019)
- Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team - Izar Tarandach - AppSecCali (2019)
- Game On! Adding Privacy to Threat Modeling - Adam Shostack, Mark Vinkovits - AppSecCali (2019)
- Adaptive Threat Modeling - Aaron Bedra - GOTO Chicago (2017)