List of materials on which to learn Application Security (Security Risk Assessment and Threat Modeling)
Resources that are nice to look at when you are only starting in Threat Modeling
| Resource | Description |
|---|---|
| Basics of TM. Common definitions | |
| A Lightweight Approach To Implement Secure Software Development LifeCycle (Secure SDLC) | Nice summary of activities with which we can start building our S-SDLC. |
| Collection of study plans, including AppSec and, hopefully after a while, TM. | |
| Secure Agile Development According To SAMM - Rob Van Der Veer | How SAMM and security in general are usually built into Agile. |
| Visualising software architecture with the C4 model - Simon Brown, Agile on the Beach 2019; https://www.visual-paradigm.com/guide/data-flow-diagram/what-is-data-flow-diagram/ | How to approach architecture diagrams. Useful for the diagram part of Threat Modeling. A good diagram will help to build a better Threat Model. |
| (Russian) Mikhail Rusakovich - Introduction Security into Application Development | Description of the classical S-SDL. |
| Intro to TM for developers (not sure about the "draw bad diagrams" advice) | |
| It is hard to do TM without SRA, so understanding how to rate risks is important. OWASP Risk Rating Methodology, the name speaks for itself. | |
| Interesting approach to Threat Modeling for Digital Healthcare | |
| Comparison of BSIMM and SAMM that can be treated as an intro to maturity models. | |
| The Manifesto does not include a guide on how to do TM, but gives several TM principles which are nice to review from time to time and compare with what you are doing during TM. | |
| Nice article with examples on TM of particular functionality. When performing TM professionally things start getting more complicated, but that's a topic for another day... | |
| AWS security assessment: what scanners are missing and how threat modeling may help you? | Examples of how Threat Modeling may be helpful in Cloud environments. |
| Threat Modelling Cloud Platform Services by Example: Google Cloud Storage | Example of a Threat Model for an app in Google Cloud. |
Resources that are nice to look at when you have experience in Threat Modeling
| Resource | Description |
|---|---|
| Threat Modelling Stories From The Trenches - David Johannson and Andrew Lee-Thorp | Several interesting Threat Modelling stories that give good examples of the things that might happen. |
| Value Driven Threat Modeling - things to keep in mind so that your Threat Models are useful | |
| How we need to think about vulnerabilities | |
| Scalable threat modeling via a single reference model and threat library | Example of how TM can be done with a small team on a big set of projects with similar technology stacks. |
| AppSecCali 2019 - Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team | How Threat Modeling is done in Autodesk. Interesting approach to working with developers. |
| Supporting, influencing, and leading as a security practitioner | Thoughts on how to communicate with the development team regarding security. |
| This checklist can be used in different situations; for TM I would recommend asking such questions when starting TMs in a new company. | |
Extras