Appendix A. A Worked Example
We believe that we have given you a deep understanding of the process of threat modeling from building a system model, eliciting information about the system, and analyzing the abstraction for potential vulnerabilities and threats. Here, we walk you through an example in order to solidify your understanding.
Note
Since this is a static document that lacks the level of interactivity threat modeling usually requires, the following process steps are condensed to “set the stage” followed by “giving away the ending” (no spoilers here!). From this approach, you should glean how you might approach your own threat modeling exercise based on whichever methodology you may choose.
High-Level Process Steps
As a reminder from Chapter 2, here are the high-level threat modeling steps that we will follow in this sample:
-
Identify objects in the system under consideration.
-
Identify flows between those objects.
-
Identify assets of interest.
-
Determine the potential for impact on assets.
-
Identify threats.
-
Determine exploitability.
Following identification of threats would be filing defects, working out mitigations, and coordinating with the system development teams to get mitigations in place; we won’t go into these steps in this sample, as that is organization-specific and we are not trying to change those aspects of your team (especially if those things work reasonably well for you now).
Approaching Your First System Model
The basic process for modeling ...
Get Threat Modeling now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.