From 6c95a7668ec3f62b554297493dc490b164a224ad Mon Sep 17 00:00:00 2001 From: abstraktor Date: Wed, 22 Jul 2020 12:15:47 +0200 Subject: [PATCH 01/12] Added refs to YAKINDU Security Analyst and 21434 - added Video: [ISO/SAE 21434 by Example](https://youtu.be/3LsNx-ljIK8?t=1180) - added example: [ISO/SAE 21434 Annex G Example in YAKINDU Security Analyst](https://github.com/Yakindu/YSA-examples) - added paid tool: [YAKINDU Security Analyst](https://www.itemis.com/de/yakindu/security-analyst/) - YAKINDU Security Analyst is a model-based software tool for threat analysis and risk assessment of technical systems. With Security Analyst you can identify your protection needs, analyze possible threats and calculate the resulting risks. The underlying assessment model and calculation logic are highly customizable and can be integrated into existing toolchains. disclaimer: I'm a developer of it and speaker in that talk --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 85a7904..a965485 100644 --- a/README.md +++ b/README.md @@ -89,6 +89,9 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [An Agile Approach to Threat Modeling for Securing Open Source Project EdgeX Foundry](https://www.youtube.com/watch?v=iw-FzeKaj48) - [Threat Modeling 101 (SAFECode On Demand Training Course)](https://www.youtube.com/watch?v=QQ7StGiy_-M) + +- [ISO/SAE 21434 by Example](https://youtu.be/3LsNx-ljIK8?t=1180) + ## Tutorials and Blogs *Tutorials and blogs that explain threat modeling* @@ -141,6 +144,8 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [Where is my Threat Model?](https://blog.appsecco.com/where-is-my-threat-model-b6f8b077ac47) +- [Threat Modeling in a Risk Assessment Process](https://www.security-analyst.org/threat-analysis-and-risk-assessment/) + ## Threat Model examples 
@@ -156,6 +161,8 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [Kubernetes Threat Model](https://github.com/kubernetes/community/tree/master/wg-security-audit/findings) +- [ISO/SAE 21434 Annex G Example in YAKINDU Security Analyst](https://github.com/Yakindu/YSA-examples) + ## Tools @@ -185,6 +192,8 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [Foreseeti](https://www.foreseeti.com/) - SecuriCAD Vanguard is an attack simulation and automated threat modeling SaaS service that enables you to automatically simulate attacks on a virtual model of your AWS environment. +- [YAKINDU Security Analyst](https://www.itemis.com/de/yakindu/security-analyst/) - YAKINDU Security Analyst is a model-based software tool for threat analysis and risk assessment of technical systems. With Security Analyst you can identify your protection needs, analyze possible threats and calculate the resulting risks. The underlying assessment model and calculation logic are highly customizable and can be integrated into existing toolchains. + ## Sponsor ![Practical DevSecOps](images/practical-devsecops-logo.png) From 05e05b18194882d93a78e7dbea17498c132e9b11 Mon Sep 17 00:00:00 2001 From: abstraktor Date: Thu, 23 Jul 2020 08:45:59 +0200 Subject: [PATCH 02/12] Fixed broken link from threatmodeler.com It yielded a 404 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a965485..154daea 100644 --- a/README.md +++ b/README.md 
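Review bot: in the Tools hunk of PATCH 01/12 the YAKINDU link uses the German-localized path `https://www.itemis.com/de/yakindu/security-analyst/`; link the language-neutral product page if one exists, since every other entry in the list points at an English page. The description is also marketing copy ("identify your protection needs", "highly customizable") at roughly twice the length of the neighbouring Foreseeti entry; trim it to one neutral sentence on what the tool does (model-based threat analysis and risk assessment with a customizable assessment model and calculation logic).

Review bot: the Tutorials hunk of PATCH 01/12 adds `- [Threat Modeling in a Risk Assessment Process](https://www.security-analyst.org/threat-analysis-and-risk-assessment/)`, but the commit message lists only three additions (the video, the Annex G example and the tool). This fourth link points at the same vendor's site the disclaimer covers, so list it in the message as well so the conflict-of-interest disclosure applies to all four.

Review bot: each of the four hunks in PATCH 01/12 adds a second `+` blank line after the new item (for example `+- [ISO/SAE 21434 by Example](...)` followed by a bare `+`), which leaves two blank lines before the next `##` heading where the file otherwise has one; drop the extra blank lines so the spacing matches the surrounding entries.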
@@ -144,7 +144,7 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [Where is my Threat Model?](https://blog.appsecco.com/where-is-my-threat-model-b6f8b077ac47) -- [Threat Modeling in a Risk Assessment Process](https://www.security-analyst.org/threat-analysis-and-risk-assessment/) +- [Threat Modeling in a Risk Assessment Process](https://threatmodeler.com/wp-content/uploads/2018/12/7-Easy-Steps-for-Building-a-Scalable-Threat-Modeling-Process-copy.pdf) ## Threat Model examples From d23843f1b1950ac18cf3006c9e58697b097bda00 Mon Sep 17 00:00:00 2001 From: abstraktor Date: Thu, 23 Jul 2020 08:51:14 +0200 Subject: [PATCH 03/12] Undo confusion MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fat fingers… --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 154daea..03476b1 100644 --- a/README.md +++ b/README.md @@ -140,11 +140,11 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [The Power of a Tailored Threat Model Whitepaper](https://www.lookingglasscyber.com/resources/white-papers/the-power-of-a-tailored-threat-model/) -- [7 Easy Steps For Building a Scalable Threat Modeling Process](https://go.threatmodeler.com/7-steps-building-scalable-threat-modeling-process) +- [7 Easy Steps For Building a Scalable Threat Modeling Process](https://threatmodeler.com/wp-content/uploads/2018/12/7-Easy-Steps-for-Building-a-Scalable-Threat-Modeling-Process-copy.pdf) - [Where is my Threat Model?](https://blog.appsecco.com/where-is-my-threat-model-b6f8b077ac47) -- [Threat Modeling in a Risk Assessment Process](https://threatmodeler.com/wp-content/uploads/2018/12/7-Easy-Steps-for-Building-a-Scalable-Threat-Modeling-Process-copy.pdf) +- [Threat Modeling in a Risk Assessment Process](https://www.security-analyst.org/threat-analysis-and-risk-assessment/) ## Threat Model examples 
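Review bot: the hunk in PATCH 02/12 changes the wrong entry: it overwrites the `security-analyst.org` URL of `Threat Modeling in a Risk Assessment Process` with the threatmodeler.com PDF, while the 404 the message describes belongs to the `7 Easy Steps For Building a Scalable Threat Modeling Process` entry (as PATCH 03/12 then shows). PATCH 03/12 reverts it, so the two net to a single-line change; squash them into one commit.

Review bot: once squashed, the PATCH 03/12 subject `Undo confusion` no longer describes the resulting change; retitle it to say what survives, e.g. `Replace 404ing go.threatmodeler.com link for "7 Easy Steps" with the direct PDF URL`. Also worth confirming that the PDF path ending in `-copy.pdf` is the canonical location and not a duplicate upload that may disappear later.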
From 048fc5a09b997f81c0b78b706f20084cff56213a Mon Sep 17 00:00:00 2001 From: Izar Tarandach Date: Fri, 23 Oct 2020 09:06:05 -0400 Subject: [PATCH 04/12] Fixed title for book, added number of supported threats to pytm and added a video on TM for DevOps by Alyssa Miller --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c2add79..1261b96 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis](https://www.amazon.in/Risk-Centric-Threat-Modeling-Simulation/dp/0470500964) -- [Threat Modeling](https://www.oreilly.com/library/view/threat-modeling/9781492056546/) +- [Threat Modeling: A Practical Guide for Development Teams](https://www.oreilly.com/library/view/threat-modeling/9781492056546/) ## Courses @@ -91,6 +91,8 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [Threat Modeling 101 (SAFECode On Demand Training Course)](https://www.youtube.com/watch?v=QQ7StGiy_-M) - [Introduction to Threat Modeling by Avi Douglen](https://www.youtube.com/watch?v=yjvSI755auM&t=5069s) + +- [Look, there's a threat model in my DevOps](https://www.youtube.com/watch?v=ASwZ7cnz-Q4&ab_channel=Auth0) ## Tutorials and Blogs *Tutorials and blogs that explain threat modeling* 
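Review bot: the Videos hunk in PATCH 04/12 keeps the `&ab_channel=Auth0` tracking parameter in `https://www.youtube.com/watch?v=ASwZ7cnz-Q4&ab_channel=Auth0`; the video id alone identifies the video, so drop the parameter. The item is inserted as a bare `+` followed by `+- [Look, there's a threat model in my DevOps]` immediately before `## Tutorials and Blogs`, which breaks the one-blank-line spacing the other list items use; keep one blank line before and one after the entry. Since the commit message credits Alyssa Miller, consider naming the speaker in the title as the Avi Douglen and Robert Hurlbut entries do.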
@@ -176,7 +178,7 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [Threatspec](https://threatspec.org/) - Threatspec is an open source project that aims to close the gap between development and security by bringing the threat modelling process further into the development process. -- [PyTM](https://github.com/izar/pytm) - PyTM is an open source project providing a library for threat modeling with code. Describe your system using OO syntax (object.property = value) and have your threat modeling report automatically generated. +- [PyTM](https://github.com/izar/pytm) - PyTM is an open source project providing a library for threat modeling with code. Describe your system using OO syntax (object.property = value) and have your threat modeling report automatically generated. 100+ threats currently supported. ### Paid tools From 29df2f1a3a30b526d21169b60c45192ce0a09ff2 Mon Sep 17 00:00:00 2001 From: owangen Date: Fri, 18 Dec 2020 09:22:27 +0100 Subject: [PATCH 05/12] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1261b96..084e39b 100644 --- a/README.md +++ b/README.md @@ -158,7 +158,7 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [OWASP Threat Model Cookbook](https://github.com/OWASP/threat-model-cookbook) -- [Kubernetes Threat Model](https://github.com/kubernetes/community/tree/master/wg-security-audit/findings) +- [Kubernetes Threat Model](https://github.com/kubernetes/community/tree/master/sig-security/security-audit-2019/findings) From 023b1aaccfd7b14a0f80155043506350000c8710 Mon Sep 17 00:00:00 2001 From: Robert Date: Thu, 4 Feb 2021 12:50:36 -0800 Subject: [PATCH 06/12] Added MAL to the list of free tools Added MAL, I think it's interesting and readers of this page may find it useful. I'm not in any way associated with Foreseeti. --- README.md | 1 + 1 file changed, 1 insertion(+) 
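Review bot: the pytm hunk in PATCH 04/12 appends `100+ threats currently supported.`, a count that will go stale in a curated list and that nothing here maintains; either drop it or replace it with a pointer the reader can check (the project's threat library) rather than a number.

Review bot: the PATCH 05/12 subject `Update README.md` says nothing about the change; retitle it to describe it, e.g. `Fix Kubernetes Threat Model link: findings moved to sig-security/security-audit-2019`. The path has already moved once, so consider linking a commit-pinned URL instead of `master` to avoid the next breakage.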
diff --git a/README.md b/README.md index 1261b96..c4e0920 100644 --- a/README.md +++ b/README.md @@ -180,6 +180,7 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [PyTM](https://github.com/izar/pytm) - PyTM is an open source project providing a library for threat modeling with code. Describe your system using OO syntax (object.property = value) and have your threat modeling report automatically generated. 100+ threats currently supported. +- [MAL]-(https://mal-lang.org) - MAL is an open source project that supports creation of cyber threat modeling systems for specific domains such as SCADA/OT, automotive and Cloud. MAL allows for threat modelling and attack simulations of specific environments. MAL is one of the underlying technologies of the [Foreseeti](https://www.foreseeti.com) paid tool. ### Paid tools From 3dea6aa09683040d2846da81419547a97adc2780 Mon Sep 17 00:00:00 2001 From: Robert Date: Thu, 4 Feb 2021 12:51:26 -0800 Subject: [PATCH 07/12] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c4e0920..580d502 100644 --- a/README.md +++ b/README.md 
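Review bot: the MAL line in PATCH 06/12 has a stray hyphen, `[MAL]-(https://mal-lang.org)`, which renders as literal text rather than a link; it should read `[MAL](https://mal-lang.org)`. PATCH 07/12 through 09/12 are successive fix-ups of this one line (a blank line, the link, a shorter description), so squash 06 to 09 into one commit carrying the final wording. Note also `index 1261b96..c4e0920`: this patch is based on `1261b96`, the same base as PATCH 05/12 (`1261b96..084e39b`), PATCH 10/12 and PATCH 11/12, not on the preceding patch's result, so the series is a set of independent branches rather than a linear history and needs a rebase before it applies cleanly in order.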
@@ -180,7 +180,8 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [PyTM](https://github.com/izar/pytm) - PyTM is an open source project providing a library for threat modeling with code. Describe your system using OO syntax (object.property = value) and have your threat modeling report automatically generated. 100+ threats currently supported. -- [MAL]-(https://mal-lang.org) - MAL is an open source project that supports creation of cyber threat modeling systems for specific domains such as SCADA/OT, automotive and Cloud. MAL allows for threat modelling and attack simulations of specific environments. MAL is one of the underlying technologies of the [Foreseeti](https://www.foreseeti.com) paid tool. +- [MAL]-(https://mal-lang.org) - MAL is an open source project that supports creation of cyber threat modeling systems for specific domains such as SCADA/OT, automotive and Cloud. MAL allows for threat modelling and attack simulations of specific environments. MAL is one of the underlying technologies of the [Foreseeti](https://www.foreseeti.com) paid tool. + ### Paid tools From c0e891f0627bbf40d8c17bbe7498329b8c4cc18f Mon Sep 17 00:00:00 2001 From: Robert Date: Thu, 4 Feb 2021 12:51:51 -0800 Subject: [PATCH 08/12] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 580d502..837511f 100644 --- a/README.md +++ b/README.md 
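Review bot: PATCH 07/12 only adds a `+` blank line after the MAL entry and leaves the broken `[MAL]-(` link untouched, so it is whitespace churn on its own; fold it into the commit that introduces the entry.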
@@ -180,7 +180,7 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [PyTM](https://github.com/izar/pytm) - PyTM is an open source project providing a library for threat modeling with code. Describe your system using OO syntax (object.property = value) and have your threat modeling report automatically generated. 100+ threats currently supported. -- [MAL]-(https://mal-lang.org) - MAL is an open source project that supports creation of cyber threat modeling systems for specific domains such as SCADA/OT, automotive and Cloud. MAL allows for threat modelling and attack simulations of specific environments. MAL is one of the underlying technologies of the [Foreseeti](https://www.foreseeti.com) paid tool. +- [MAL](https://mal-lang.org) - MAL is an open source project that supports creation of cyber threat modeling systems for specific domains such as SCADA/OT, automotive and Cloud. MAL allows for threat modelling and attack simulations of specific environments. MAL is one of the underlying technologies of the [Foreseeti](https://www.foreseeti.com) paid tool. ### Paid tools From b7dca661084c21bdd35a0bd61a5b7b5d8adc083f Mon Sep 17 00:00:00 2001 From: Robert Date: Thu, 4 Feb 2021 12:52:42 -0800 Subject: [PATCH 09/12] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 837511f..b0c5f17 100644 --- a/README.md +++ b/README.md 
@@ -180,7 +180,7 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [PyTM](https://github.com/izar/pytm) - PyTM is an open source project providing a library for threat modeling with code. Describe your system using OO syntax (object.property = value) and have your threat modeling report automatically generated. 100+ threats currently supported. -- [MAL](https://mal-lang.org) - MAL is an open source project that supports creation of cyber threat modeling systems for specific domains such as SCADA/OT, automotive and Cloud. MAL allows for threat modelling and attack simulations of specific environments. MAL is one of the underlying technologies of the [Foreseeti](https://www.foreseeti.com) paid tool. +- [MAL](https://mal-lang.org) - MAL is an open source project that supports creation of cyber threat modeling systems and attack simulations. MAL is one of the underlying technologies of the [Foreseeti](https://www.foreseeti.com) paid tool. ### Paid tools From 8f43195062b5f3c09fa0ecee673a194d8abe03bd Mon Sep 17 00:00:00 2001 From: Izar Tarandach Date: Tue, 9 Feb 2021 12:16:16 -0500 Subject: [PATCH 10/12] Added Threat Modeling Manifesto --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 1261b96..e504b76 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ A curated list of threat modeling resources (books, courses - free and paid, vid Contributions welcome. Add links through pull requests or create an issue to start a discussion. ## Contents +- [Fundamentals](#fundamentals) - [Books](#books) - [Courses](#courses) - [Videos](#videos) @@ -16,6 +17,12 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [Tools](#tools) - [Sponsor](#sponsor) + +## Fundamentals + +- [The Threat Modeling Manifesto](https://www.threatmodelingmanifesto.org) + + ## Books *Books on threat modeling.* From 0668329ad3dde574901df292b96a3fed768e47bb Mon Sep 17 00:00:00 2001 
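Review bot: the Fundamentals hunk in PATCH 10/12 adds `## Fundamentals` without the italic one-line description every other section carries (`*Books on threat modeling.*`, `*Tutorials and blogs that explain threat modeling*`); add one, e.g. `*Principles and values behind threat modeling.*`. It also adds a `+` blank line on each side of the heading and two after the Manifesto entry, where the file uses a single blank line; trim to match.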
From: Tutamantic Date: Mon, 8 Mar 2021 23:23:26 +0000 Subject: [PATCH 11/12] + Rapid Threat Model Prototyping to Free Courses RTMP is a threat modelling technique that decreases the time to make a threat model by focusing on getting the Access Control issues sorted first (Elevation of privilege in STRIDE). It uses STRIDE as its main description language but allows for integration with CWE and OWASP Top 10. https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs RTMP allows a practitioner to add metadata describing the threats and mitigations directly to software diagrams, speeding up the whole threat modeling process. This is done through 11 simple steps which can be repeated across all sizes of projects. RTMP also outlines how to properly integrate these steps into Agile workstreams and how to best use the outputs of a threat model (Threats & Mitigations). --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1261b96..8cb50e4 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,7 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [Threat Modeling, or Architectural Risk Analysis by Coursera](https://www.coursera.org/lecture/software-security/threat-modeling-or-architectural-risk-analysis-bQAoU) - [Threat Modeling Workshop by Robert Hurlbut](https://github.com/rhurlbut/CodeMash2019/blob/master/Robert-Hurlbut-CodeMash2019-Threat-Modeling-Workshop-20190108.pdf) +- [Rapid Threat Model Prototyping (RTMP)](https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs) - Methodology to create quick threat models (1) add threat metadata describing the threats and mitigations directly to software diagrams using 11 simple and repeatable steps (2) integrate these steps into Agile workstreams (3) how to best use the outputs of a threat model (Threats & Mitigations) ### Paid From 500a0553fc67ce947190fba8e026ca81b9d1f599 Mon Sep 17 00:00:00 2001
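Review bot: the RTMP entry in PATCH 11/12 is filed under the free Courses list, but by its own wording it is a methodology document (`Methodology to create quick threat models`) hosted as a docs repository, which fits `Tutorials and Blogs` better; move it or say why Courses is right. The numbered clauses in the description are not parallel and run together without punctuation (`(1) add ... (2) integrate ... (3) how to best use ...`); rewrite as one sentence, e.g. `Methodology for quick threat models: add threat and mitigation metadata directly to software diagrams in 11 repeatable steps, integrate those steps into Agile workstreams, and use the resulting threats and mitigations.` Same base problem as PATCH 06/12: `index 1261b96..8cb50e4` is rooted at `1261b96`, not on PATCH 10/12.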
From: Tutamantic Date: Mon, 8 Mar 2021 23:42:11 +0000 Subject: [PATCH 12/12] + Tutamen Paid Tool Tutamen is available for use. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 8cb50e4..c9c0cd2 100644 --- a/README.md +++ b/README.md @@ -189,6 +189,8 @@ Contributions welcome. Add links through pull requests or create an issue to sta - [SD elements](https://www.securitycompass.com/sdelements/threat-modeling/) - Automate Threat Modeling with SD Elements. - [Foreseeti](https://www.foreseeti.com/) - SecuriCAD Vanguard is an attack simulation and automated threat modeling SaaS service that enables you to automatically simulate attacks on a virtual model of your AWS environment. +- [Tutamen Threat Model system](https://www.tutamantic.com) - Only tool in the market that allows threat model metadata to be added to any software diagram, turning that diagram into a threat model. Full SaaS product that is simple to use, requires no lock-in license, and is driven by the Common Weakness Enumeration, STRIDE and OWASP Top 10. + ## Sponsor
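Review bot: the Tutamen entry in PATCH 12/12 opens with `Only tool in the market that allows threat model metadata to be added to any software diagram`, an unverifiable superlative, and continues with sales copy (`simple to use, requires no lock-in license`); the other paid-tool entries state what the tool does, so reduce this to one neutral sentence (a SaaS that attaches STRIDE, CWE and OWASP Top 10 threat metadata to software diagrams). The author (`From: Tutamantic`) is the vendor behind tutamantic.com and the RTMP repository added in PATCH 11/12; PATCH 01/12 handled the same situation with an explicit disclaimer in the commit message, so add the same disclosure here.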