They say a picture is worth a thousand words, and so including some kind of diagram in your threat modelling process likely aids in understanding the system being threat modelled. But some diagrams can end up looking like “spaghetti and meatballs”, depending on the complexity of the system.
I thought it would be interesting to take the pulse of the community on this topic, so we can better understand what approaches are being used.
Note: if your threat modelling approach uses lots of diagrams, perhaps just answer for the scenario where you were forced to choose just one.
- DFD (must be created specifically for the threat model)
- DFD (any pre-existing, create only if it doesn’t exist)
- Sequence Diagram / Swimlane
- UML / Class
- C4
- Any pre-existing diagram the dev team has
- I don’t use diagrams