Threat Modeling Bank
Threat model templates enable architects, developers and security analysts to take commonly used community- or vendor-created threat models and save them as templates. They can then be reused, in some cases with minor adaptations, as a foundation for creating new threat models. Leveraging pre-defined templates introduces efficiencies into the threat modeling process and reduces the time and effort required to build threat models. The templates can be used to enforce pre-defined architecture and specifications for hardened components.
These templates and examples may be used out of the box and are user friendly.
Outcomes
o Design implications of a threat model
o Coding constraints based on a threat model
Features
o Industry standard templates from leading vendors or service providers
o Generally accepted definitions from standard setting bodies
o The privilege to make mistakes and fail safely
Core Technical Concepts/Inspiration
One of the biggest hindrances to widespread adoption of threat modeling is the inability of existing methodologies and tools to scale with the rapid code and system changes that come with the shift to Agile and DevOps culture at enterprises. While applications and systems are inherently built from components vetted for performance, security and, most importantly, business-generating functions, threat models for these same applications and systems need to be built from scratch, which leads to inefficient use of resources.
Most of the applications in an organization have overlapping features and functionality. Being able to build threat model snippets for these common features and save them as templates is extremely helpful in scaling threat modeling initiatives organization-wide. New threat models using these features can draw from a library of templates, which saves substantial time, money and resources.
Getting Started/Requirements/Prerequisites/Dependencies
Pull the repository to your threat modeling environment. Open the templates / models in your local Microsoft Threat Modeling Tool. Begin threat modeling with the provided materials and content. Additional details on how to use Microsoft's Threat Modeling Tool may be found at https://docs.microsoft.com/en-us/azure/security/azure-security-threat-modeling-tool-getting-started
Contributing
- Microsoft
- 3rd Parties
- John Menerick
TODO
- Create additional templates for AWS, GCP, and similar providers
- Create additional templates for the different compliance verticals - HealthCare, PCI, SOC, BSIMM, GDPR, and NIST
- Do you have an idea? Please submit an issue, pull request, or contact me
Contact
License
Each template / model contains its own license. Use as appropriate.