Hello All,
I am new to Threat modelling, looking your support to learn and complete my new assignment. I came across some threat modelling tools like OWASP threat dragon to design some models but need some more practices. Just curious to understand , how we can gather the list of threats for specific components like mongo db or application server.
Hi there, that is great you already found Threat Dragon! I wonder if this blog might help you discover some other free tools - 11 Recommended Threat Modeling Tools
In terms of gathering the threats - this may help you from OWASP: Threat Modeling Process | OWASP Foundation - as it establishes key steps to take and introduces you to the popular STRIDE methodology which can also benefit your knowledge building.
Hope this helps, happy threat modeling!
Claire
Another good OWASP resources to understand potential threats is to look through https://cheatsheetseries.owasp.org/. There may not be one for a specific component like Mongo DB, but there is usually one for the generic component i.e. Database Security Cheatsheet.
For very specific threats against a particular component e.g. Mongo DB, you could either search the component website for security guidance or for details about past security issues, or search for CVEs relating to the component.