Hello everyone😃. While reviewing the DFD in threat modeling, I ran into a problem. In some sources, “process” is defined as an exe file or a service (or web service). While in some other sources it can be the name of a function. Now, for example, is “process” a login service, or a login page, or a login function?
(I’ve come to the conclusion that it can be all of these, it just depends on the scope and context we’re working on. Is that true?)
I think it can be all those 3 things (i.e. a login service, a login page, a login function), although typically with DFDs for threat modelling you would start at the service level, i.e. create a DFD showing your services and threat model that. You can go into more detail, i.e. a multi-level DFD, and continue to threat model your system at finer levels of granularity, but you’d likely need a compelling reason to do so.
I think the important point is to be consistent within a single DFD, and capture processes etc. at the same “level”. If you haven’t come across the C4 Model then that will be helpful as it explains in greater detail what (it thinks) are sensible different levels to use. In the context of a C4 model you probably want to draw a DFD at the “container” level, which captures services. I will often talk about drawing a DFD that captures “deployable” components (including services you provision e.g. S3 buckets).
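As an added illustration of the "be consistent within a single DFD" point (example code written for this thread, not from any threat modelling tool), the small model below tags each DFD element with an assumed C4-style level and checks that one diagram does not mix a "login function" (component) in with services (containers); the element names, levels and flows are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed C4-style levels, coarse to fine: context = whole system,
# container = deployable service, component = function inside a service.
LEVELS = ("context", "container", "component")


@dataclass
class Element:
    name: str    # e.g. "login service" (container) or "login function" (component)
    level: str   # one of LEVELS


@dataclass
class DFD:
    title: str
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)  # (source, destination, data) triples

    def add(self, *elems):
        for e in elems:
            if e.level not in LEVELS:
                raise ValueError(f"unknown level {e.level!r} for {e.name!r}")
            self.elements[e.name] = e
        return self

    def flow(self, src, dst, data):
        self.flows.append((src, dst, data))
        return self

    def level_mismatches(self):
        """Elements drawn at a different level from the majority of this DFD."""
        majority = Counter(e.level for e in self.elements.values()).most_common(1)[0][0]
        return sorted(n for n, e in self.elements.items() if e.level != majority)

    def dangling_flows(self):
        """Flows whose endpoint was never drawn, i.e. an undocumented dependency."""
        return [f for f in self.flows if f[0] not in self.elements or f[1] not in self.elements]


def build_container_dfd():
    """Constructed container-level DFD that mixes in a component by mistake."""
    dfd = DFD("login, container level")
    dfd.add(Element("browser", "container"), Element("login service", "container"),
            Element("user db", "container"), Element("login function", "component"))
    dfd.flow("browser", "login service", "credentials")
    dfd.flow("login service", "user db", "password hash lookup")
    dfd.flow("login service", "session store", "session token")  # store never drawn
    return dfd
```

Running `build_container_dfd().level_mismatches()` flags "login function" as belonging one level down, and `dangling_flows()` reports the session store that was referenced but never added to the diagram.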