Update: Threat Modeling #1221
Comments
I feel that threat modeling has changed enough in the last couple years since the last major update to this cheat sheet that it's not unreasonable to have a new major rewrite. In particular I'm a fan of using STRIDE since it's fairly simple and widely used.
Yes, I would love to take this on. I agree starting from scratch is probably the best approach. Thanks.
Apologies for the delay on this. I have an initial draft together. https://github.com/EbonyAdder/CheatSheetSeries/blob/threat-model-update/cheatsheets/Threat_Modeling_Cheat_Sheet.md I know it will need some tweaking, but did you want me to open a PR now and discuss any needed changes there or start the discussion here and then open a PR? Thanks.
Awesome. My preference is to open a PR, maybe set as draft, and have the discussions on it. This allows for line by line comments and suggestions and makes it easier to track the discussion history.
Thank you so much for this work! :)
Thanks! A draft PR has been opened: #1227
What is missing or needs to be updated?
Confusing structure, potentially superfluous content, lack of detail on other topics.
How should this be resolved?
Even as one who is familiar with Threat Modeling, I found the structure of the current Threat Modelling CS confusing. I would recommend aligning the major sections/headers with either the WSTG (2.5) or https://owasp.org/www-community/Threat_Modeling_Process. I also personally thought that the CS contained some details (the detail of the "4+1" view model, the section on data at rest vs. in transit, etc.) that were perhaps unnecessary if focus and conciseness are goals for the CS series. Finally, there were several sections that I think could either have benefited from more detail, or, in the interest of brevity, been removed entirely: Define Data Flow over your DFD, Define Trust Boundaries, Define Application Entry Points, Map Threat agents to application Entry points, Draw attack vectors and attacks tree, etc.
Sorry, I know that sounds like a lot of complaints. I certainly don't want to belittle the work of previous contributors, but those were concerns that stood out as I was reading through it. Will be happy to assist if this is approved.
Thanks much.