Threat Modeling
1. Introduction to Threat Modeling
2. The Threat Modeling Process Overview
3. System Decomposition and Modeling
4. Threat Identification and Enumeration
5. Threat Analysis and Risk Assessment
6. Validation and Verification
7. Integrating Threat Modeling into the Development Lifecycle
8. Domain-Specific Threat Modeling
9. Tooling and Automation
10. Scaling a Threat Modeling Program
Threat Analysis and Risk Assessment
Risk Assessment and Prioritization
Qualitative vs. Quantitative Analysis
Pros and Cons
Example Scoring Systems
The DREAD Model
Damage Potential
Reproducibility
Exploitability
Affected Users
Discoverability
Calculating DREAD Scores
CVSS
Base Metrics
Temporal Metrics
Environmental Metrics
Scoring Vulnerabilities
Custom Risk Rating Systems
Organization-Specific Criteria
Calibration and Consistency
Developing Mitigations and Countermeasures
The Four Mitigation Strategies
Reduce
Technical Controls
Process Controls
Eliminate
Architectural Changes
Feature Removal
Transfer
Third-Party Risk Management
Contractual Protections
Accept
Risk Acceptance Criteria
Documentation of Accepted Risks
Types of Security Controls
Preventive Controls
Access Controls
Input Validation
Detective Controls
Logging and Monitoring
Intrusion Detection
Corrective Controls
Incident Response
Patch Management
Deterrent Controls
Security Awareness Training
Warning Banners
Mapping Controls to Threats
Security Requirements
Functional Security Requirements
Non-Functional Security Requirements
Secure Coding Practices
Input Sanitization
Output Encoding
Architectural Changes
Network Segmentation
Principle of Least Privilege