I don’t distinguish too much between tools and methods.
General considerations + Writing things down
- Start and end where all the other work is done → issue tracking
- write where the other TechDoc is written
- draw with draw.io
- experimented with own markup that is especially good at structured data with enforced but flexible schema, many-to-many mappings and reverse links → Threat Items Threat Modeling Template + unpublished work
- own template with lots of guidance, training material links and TODO checkboxes
- Threat properties: ID, short name, description (may be GIVEN WHEN THEN), affected component(s), category, risk before mitigations, considered mitigations, selected mitigations, risk after selected mitigations, status, review
- Mitigation properties: ID, short name, description + acceptance criteria, threat reverse links, issue tracker ticket ID, status, type
- per threat model ID spaces
- Or lean description only
threat model part \ 
threat \ 
mitigation hierarchies - A lot of emojis
- ask AI and add what’s insightful
- ThreatPad for education and adhoc online threat model
- trainings, reviews and support
Methods used
Here are some of my favorites:
- 4 Question Framework as a plugin architecture how all of this works
Working on?
- Two directions: secure new + salvage existing
- Continuous Threat Modeling, especially their “threat model every story” and the idea that there should be a baseline threat model
- Incremental Threat Modeling idea on how to threat model new next to legacy
- Threat Modeling a Giant strategy (1.1.1 in TM of TM) on how to catch up on threat modeling for existing → Basically Divide & Conquer + some extra ideas
- draw.io for diagrams or excalidraw when I can’t see draw.io anymore
- freestyle diagrams that must contain stick figures
- explicit in / out of scope
- 4 Question Framework as a lightweight approach on story level
Go wrong?
- STRIDE for security threats elicitation
- LINDDUN for privacy threats elicitation
- CWE - Common Weakness Enumeration as category inspiration, especially CWE - CWE Top 25 Most Dangerous Software Weaknesses
Do about it?
- NIST Cybersecurity Framework with their protect detect respond recover
- ATE (accept transfer eliminate)
- Qualitative {L,M,H}² likelihood/impact risk assessment with clear consistent rules when to choose what
- risk assessment before/after mitigations - have inacceptable risks turn acceptable by adding appropriate mitigations
Go wrong + do about it?
- Attack Defense Trees - especially good when there’s powerful intermediate nodes, also: a picture is worth 1000 words effect
- GIVEN WHEN THEN - good for techtual representation of Attack Trees and threat descriptions
- Fortunately Unfortunately (Forests) - when we want to consider more kinds of what can go wrong, like feasibility, or do a quick discussion of pros and cons
Good job?
- own Meta Threat Modeling
- A lot of the learnings from
() Threat Modeling of Threat Modeling #meta so that the threat modeling doesn’t suck - Mitigation / issue tracker status integration
- Retro + Lessons learned