Threats list for specific components

Hello All,

I am new to threat modelling and am looking for your support to learn and complete my new assignment. I came across some threat modelling tools like OWASP Threat Dragon to design some models, but I need some more practice. Just curious to understand how we can gather the list of threats for specific components like MongoDB or an application server.

Hi there, that is great you already found Threat Dragon! I wonder if this blog might help you discover some other free tools - 11 Recommended Threat Modeling Tools

In terms of gathering the threats - this may help you from OWASP: Threat Modeling Process | OWASP Foundation - as it establishes key steps to take and introduces you to the popular STRIDE methodology which can also benefit your knowledge building.

Hope this helps, happy threat modeling!
Claire


Another good OWASP resource to understand potential threats is to look through https://cheatsheetseries.owasp.org/. There may not be one for a specific component like MongoDB, but there is usually one for the generic component, i.e. Database Security Cheatsheet.

For very specific threats against a particular component, e.g. MongoDB, you could either search the component website for security guidance or for details about past security issues, or search for CVEs relating to the component.
