Threat Modeling

  1. System Decomposition and Modeling
    1. Defining the Scope
      1. Identifying System Boundaries
        1. Internal vs. External Components
        2. Third-Party Dependencies
      2. Determining the Level of Detail
        1. Granularity of Analysis
        2. Abstraction Levels
    2. Creating System Representations
      1. Data Flow Diagrams
        1. Key DFD Elements
          1. External Entities
          2. Processes
          3. Data Stores
          4. Data Flows
        2. Numbering and Labeling Conventions
        3. DFD Levels
          1. Context Diagrams
          2. Level 1 Diagrams
          3. Lower Level Decomposition
        4. Common Pitfalls in DFDs
      2. Process Flow Diagrams
        1. Use Cases
        2. Sequence of Operations
      3. Call Graphs
        1. Function Call Relationships
        2. Mapping Code to Architecture
    3. Identifying Key System Components
      1. Trust Boundaries
        1. Definition and Importance
        2. Identifying Trust Boundary Crossings
      2. Entry and Exit Points
        1. User Interfaces
        2. APIs and Endpoints
        3. Network Interfaces
      3. Privileged Code
        1. Elevated Permissions
        2. Sensitive Operations
      4. Sensitive Data
        1. Personally Identifiable Information
        2. Authentication Credentials
        3. Cryptographic Keys
    4. Identifying Assets
      1. Data Assets
        1. Confidential Data
        2. Integrity-Critical Data
      2. Business Assets
        1. Revenue Streams
        2. Brand Reputation
      3. System Assets
        1. Infrastructure Components
        2. Application Services