mirror of
https://github.com/hysnsec/awesome-threat-modelling.git
synced 2024-10-01 08:25:38 -04:00
Add Threat model examples (#2)
* Add Threat model examples, thanks Patrick * Fix awesome-lint issues * Fix awesome-lint issues
This commit is contained in:
parent
959923ee45
commit
553c926229
9
Dockerfile
Normal file
9
Dockerfile
Normal file
@ -0,0 +1,9 @@
|
||||
FROM node:latest
|
||||
|
||||
RUN npm install --global awesome-lint
|
||||
|
||||
WORKDIR /src
|
||||
|
||||
RUN mkdir -p /src
|
||||
|
||||
ENTRYPOINT ["awesome-lint"]
|
167
README.md
167
README.md
@ -1,179 +1,188 @@
|
||||
|
||||
Welcome to Awesome Threat Modeling [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)
|
||||
===================
|
||||
# Awesome Threat Modeling [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)
|
||||
|
||||
A curated list of threat modeling resources ( Books, courses - free and paid, videos, tools, tutorials and workshop to practice on ) for learning Threat modeling and initial phases of security review.
|
||||
![Awesome Threat modeling](images/awesome-threat-modelling.png)
|
||||
|
||||
### Contents
|
||||
A curated list of threat modeling resources (books, courses - free and paid, videos, tools, tutorials and workshop to practice on) for learning Threat modeling and initial phases of security review.
|
||||
|
||||
Contributions welcome. Add links through pull requests or create an issue to start a discussion.
|
||||
|
||||
## Contents
|
||||
- [Books](#books)
|
||||
- [Courses](#courses)
|
||||
+ [Free](#free)
|
||||
+ [Paid](#paid)
|
||||
- [Videos](#videos)
|
||||
- [Tutorials and Blogs](#tutorials-and-blogs)
|
||||
- [Threat Model examples](#threat-model-examples)
|
||||
- [Tools](#tools)
|
||||
+ [Free tools](#free-tools)
|
||||
+ [Paid tools](#paid-tools)
|
||||
- [Contributing](#contributing)
|
||||
|
||||
|
||||
# Awesome Threat Modeling Resources
|
||||
- [Sponsor](#sponsor)
|
||||
|
||||
## Books
|
||||
|
||||
*Books on threat modeling*
|
||||
*Books on threat modeling.*
|
||||
|
||||
- [Threat Modeling: Designing for Security ](https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998) by Adam Shostack
|
||||
|
||||
- [Threat Modeling](https://www.amazon.in/Threat-Modeling-Microsoft-Professional-Swiderski/dp/0735619913) by Frank Swiderski , Window Snyder
|
||||
- [Threat Modeling: Designing for Security](https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998)
|
||||
|
||||
- [Threat Modeling](https://www.amazon.in/Threat-Modeling-Microsoft-Professional-Swiderski/dp/0735619913)
|
||||
|
||||
- [Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis](https://www.amazon.in/Risk-Centric-Threat-Modeling-Simulation/dp/0470500964)
|
||||
by Tony UcedaVelez (Author), Marco M. Morana (Author)
|
||||
|
||||
|
||||
- [Threat Modeling](https://www.oreilly.com/library/view/threat-modeling/9781492056546/) by Matthew J. Coles, Izar Tarandach
|
||||
- [Threat Modeling](https://www.oreilly.com/library/view/threat-modeling/9781492056546/)
|
||||
|
||||
|
||||
## Courses
|
||||
|
||||
*Courses/Training videos on threat modeling*
|
||||
*Courses/Training videos on threat modeling.*
|
||||
|
||||
|
||||
### Free
|
||||
|
||||
[Threat Modeling, or Architectural Risk Analysis](https://www.coursera.org/lecture/software-security/threat-modeling-or-architectural-risk-analysis-bQAoU) by Coursera
|
||||
- [Threat Modeling, or Architectural Risk Analysis by Coursera](https://www.coursera.org/lecture/software-security/threat-modeling-or-architectural-risk-analysis-bQAoU)
|
||||
|
||||
[Threat Modeling Workshop](https://github.com/rhurlbut/CodeMash2019/blob/master/Robert-Hurlbut-CodeMash2019-Threat-Modeling-Workshop-20190108.pdf) by Robert Hurlbut
|
||||
- [Threat Modeling Workshop by Robert Hurlbut](https://github.com/rhurlbut/CodeMash2019/blob/master/Robert-Hurlbut-CodeMash2019-Threat-Modeling-Workshop-20190108.pdf)
|
||||
|
||||
|
||||
### Paid
|
||||
|
||||
[DevSecOps Expert](https://www.practical-devsecops.com/certified-devsecops-expert/) by [Practical DevSecOps](https://www.practical-devsecops.com)
|
||||
- [DevSecOps Expert by Practical DevSecOps](https://www.practical-devsecops.com/certified-devsecops-expert/)
|
||||
|
||||
[Threat Modeling Fundamentals](https://www.pluralsight.com/courses/threat-modeling-fundamentals) by Pluralsight
|
||||
- [Threat Modeling Fundamentals](https://www.pluralsight.com/courses/threat-modeling-fundamentals)
|
||||
|
||||
[CyberSec First Responder: Threat Detection & Response CFR210](https://www.udemy.com/course/cybersec-first-responder-threat-detection-response-cfr210/) by Stone River eLearning
|
||||
- [CyberSec First Responder: Threat Detection & Response CFR210](https://www.udemy.com/course/cybersec-first-responder-threat-detection-response-cfr210/)
|
||||
|
||||
[Learning Threat Modeling for Security Professionals](https://www.lynda.com/Web-Development-tutorials/Learning-Threat-Modeling-Security-Professionals/769294-2.html) by Adam Shostack
|
||||
- [Learning Threat Modeling for Security Professionals](https://www.lynda.com/Web-Development-tutorials/Learning-Threat-Modeling-Security-Professionals/769294-2.html)
|
||||
|
||||
[Threat Modeling: Spoofing In Depth](https://www.lynda.com/IT-tutorials/Threat-Modeling-Spoofing-Depth/769300-2.html?srchtrk=index%3a7%0alinktypeid%3a2%0aq%3athreat+modelling%0apage%3a1%0as%3arelevance%0asa%3atrue%0aproducttypeid%3a2) by Adam Shostack
|
||||
- [Threat Modeling: Spoofing In Depth](https://www.lynda.com/IT-tutorials/Threat-Modeling-Spoofing-Depth/769300-2.html?srchtrk=index%3a7%0alinktypeid%3a2%0aq%3athreat+modelling%0apage%3a1%0as%3arelevance%0asa%3atrue%0aproducttypeid%3a2)
|
||||
|
||||
[Threat Modeling: Tampering in Depth](https://www.lynda.com/IT-tutorials/Threat-Modeling-Tampering-Depth/2810167-2.html?srchtrk=index%3a1%0alinktypeid%3a2%0aq%3athreat+modelling%0apage%3a1%0as%3arelevance%0asa%3atrue%0aproducttypeid%3a2) by Adam Shostack
|
||||
- [Threat Modeling: Tampering in Depth](https://www.lynda.com/IT-tutorials/Threat-Modeling-Tampering-Depth/2810167-2.html?srchtrk=index%3a1%0alinktypeid%3a2%0aq%3athreat+modelling%0apage%3a1%0as%3arelevance%0asa%3atrue%0aproducttypeid%3a2)
|
||||
|
||||
[Threat Modeling or Whiteboard Hacking training](https://www.toreon.com/threatmodeling/) by Toreon
|
||||
- [Threat Modeling or Whiteboard Hacking training](https://www.toreon.com/threatmodeling/)
|
||||
|
||||
|
||||
## Videos
|
||||
|
||||
*Videos talking about Threat modeling*
|
||||
*Videos talking about Threat modeling.*
|
||||
|
||||
[Introduction, Threat Models](https://www.youtube.com/watch?v=GqmQg-cszw4) by
|
||||
MIT OpenCourseWare
|
||||
- [Introduction, Threat Models](https://www.youtube.com/watch?v=GqmQg-cszw4)
|
||||
|
||||
[Creating a Threat Model using TMT 2016](https://www.youtube.com/watch?v=-VokDIHS5XM) by Alan B. Watkins
|
||||
- [Creating a Threat Model using TMT 2016](https://www.youtube.com/watch?v=-VokDIHS5XM)
|
||||
|
||||
[Using Threat Modeling](https://www.youtube.com/watch?v=n8ozucTo810) by Synopsys
|
||||
- [Using Threat Modeling](https://www.youtube.com/watch?v=n8ozucTo810)
|
||||
|
||||
[Threat Modeling in 2019](https://www.youtube.com/watch?v=ZoxHIpzaZ6U) by Adam Shostack
|
||||
- [Threat Modeling in 2019](https://www.youtube.com/watch?v=ZoxHIpzaZ6U)
|
||||
|
||||
[Threat Modeling Toolkit](https://www.youtube.com/watch?v=KGy_KCRUGd4) by Jonathan Marcil
|
||||
- [Threat Modeling Toolkit](https://www.youtube.com/watch?v=KGy_KCRUGd4)
|
||||
|
||||
[Adaptive Threat Modelling](https://www.youtube.com/watch?v=YTtO_TGV2fU) by Aaron Bedra
|
||||
- [Adaptive Threat Modelling](https://www.youtube.com/watch?v=YTtO_TGV2fU)
|
||||
|
||||
[Threat modeling](https://www.youtube.com/watch?v=v8aYNcE1QlI) by Erlend Oftedal
|
||||
- [Threat modeling](https://www.youtube.com/watch?v=v8aYNcE1QlI)
|
||||
|
||||
[Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team](https://www.youtube.com/watch?v=VbW-X0j35gw) by Izar Tarandach
|
||||
- [Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team](https://www.youtube.com/watch?v=VbW-X0j35gw)
|
||||
|
||||
[Threat Modeling for Secure Software Design ](https://www.youtube.com/watch?v=OH2LqzDk2Zg) by Robert Hurlbut
|
||||
- [Threat Modeling for Secure Software Design](https://www.youtube.com/watch?v=OH2LqzDk2Zg)
|
||||
|
||||
[Fixing Threat Models with OWASP Efforts ](https://www.youtube.com/watch?v=-dQcg0FDLpk) by Tony UcedaVelez
|
||||
- [Fixing Threat Models with OWASP Efforts](https://www.youtube.com/watch?v=-dQcg0FDLpk)
|
||||
|
||||
[Designing for Security through Threat Modelling](https://www.youtube.com/watch?v=6fhEdJ9YcU0)
|
||||
- [Designing for Security through Threat Modelling](https://www.youtube.com/watch?v=6fhEdJ9YcU0)
|
||||
|
||||
[Unlocking Threat Modeling](https://www.youtube.com/watch?v=J_ksjjUz73s) by Brook Schoenfield
|
||||
- [Unlocking Threat Modeling](https://www.youtube.com/watch?v=J_ksjjUz73s)
|
||||
|
||||
[An Agile Approach to Threat Modeling for Securing Open Source Project EdgeX Foundry](https://www.youtube.com/watch?v=iw-FzeKaj48) by Tingyu Zeng
|
||||
- [An Agile Approach to Threat Modeling for Securing Open Source Project EdgeX Foundry](https://www.youtube.com/watch?v=iw-FzeKaj48)
|
||||
|
||||
## Tutorials and Blogs
|
||||
|
||||
*Tutorials and blogs which explain threat modeling*
|
||||
*Tutorials and blogs that explain threat modeling*
|
||||
|
||||
[What Is Security Threat Modeling?](https://www.dummies.com/programming/certification/security-threat-modeling/) by Lawrence C. Miller, Peter H. Gregory
|
||||
- [Threat Modeling: What, Why, and How?](https://misti.com/infosec-insider/threat-modeling-what-why-and-how)
|
||||
|
||||
[Threat-modeling CheatSheet By Owasp](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html) by OWASP
|
||||
- [Threat Modeling: 12 Available Methods](https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html)
|
||||
|
||||
[Threat Modeling in the Enterprise, Part 1: Understanding the Basics](https://securityintelligence.com/threat-modeling-in-the-enterprise-part-1-understanding-the-basics/) by Stiliyana Simeonova
|
||||
- [What Is Security Threat Modeling?](https://www.dummies.com/programming/certification/security-threat-modeling/)
|
||||
|
||||
[Threat Modeling: What, Why, and How?](https://misti.com/infosec-insider/threat-modeling-what-why-and-how) By Adam Shostack
|
||||
- [Threat-modeling CheatSheet By Owasp](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html)
|
||||
|
||||
[Threat Modeling for Dummies](https://www.slideshare.net/AdamEnglander/threat-modeling-for-dummies-cascadia-php-2018) by Adam Englander
|
||||
- [Threat Modeling in the Enterprise](https://securityintelligence.com/threat-modeling-in-the-enterprise-part-1-understanding-the-basics/)
|
||||
|
||||
[DevSecOps, Threat Modeling and You: Get started using the STRIDE method](https://medium.com/@brunoamaroalmeida/devsecops-threat-modelling-and-you-get-started-using-the-stride-method-85d143ab86f4) by Bruno Amaro Almeida
|
||||
- [Approachable threat modeling](https://increment.com/security/approachable-threat-modeling/)
|
||||
|
||||
[Threat Modeling: The Why, How, When and Which Tools](https://devops.com/threat-modeling-the-why-how-when-and-which-tools/) by Debarghya Pandit
|
||||
- [Threat Modeling for Dummies](https://www.slideshare.net/AdamEnglander/threat-modeling-for-dummies-cascadia-php-2018)
|
||||
|
||||
[Threat-modeling datasheet](https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/threat-modeling-datasheet.pdf) by Synopsys
|
||||
- [DevSecOps, Threat Modeling and You: Get started using the STRIDE method](https://medium.com/@brunoamaroalmeida/devsecops-threat-modelling-and-you-get-started-using-the-stride-method-85d143ab86f4)
|
||||
|
||||
[Threat Modeling blog](https://blog.securityinnovation.com/topic/threat-modeling) by Security Innovation
|
||||
- [Threat Modeling: The Why, How, When and Which Tools](https://devops.com/threat-modeling-the-why-how-when-and-which-tools/)
|
||||
|
||||
[Threat Modeling: 6 Mistakes You’re Probably Making](https://www.varonis.com/blog/threat-modeling/) by Jeff Petters
|
||||
- [Threat-modeling datasheet](https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/threat-modeling-datasheet.pdf)
|
||||
|
||||
[How to Create a Threat Model for Cloud Infrastructure Security](https://www.threatstack.com/blog/how-to-create-a-threat-model-for-cloud-infrastructure-security) by Pat Cable
|
||||
- [Threat Modeling blog](https://blog.securityinnovation.com/topic/threat-modeling)
|
||||
|
||||
[Why You Should Care About Threat Modelling](https://community.arm.com/developer/ip-products/security/b/security-ip-blog/posts/why-you-should-care-about-threat-modelling) by Suresh Marisetty
|
||||
- [Threat Modeling: 6 Mistakes You are Probably Making](https://www.varonis.com/blog/threat-modeling/)
|
||||
|
||||
[Benefits of Threat Modeling](https://nvisium.com/blog/2019/05/30/benefits-of-threat-modeling.html) by Sangita Prajapati
|
||||
- [How to Create a Threat Model for Cloud Infrastructure Security](https://www.threatstack.com/blog/how-to-create-a-threat-model-for-cloud-infrastructure-security)
|
||||
|
||||
[Threat Modeling: a Summary of Available Methods Whitepaper](https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_524597.pdf) by Nataliya Shevchenko, Timothy A. Chick, Paige O’Riordan, Thomas Patrick Scanlon, PhD, & Carol Woody, PhD
|
||||
- [Why You Should Care About Threat Modelling](https://community.arm.com/developer/ip-products/security/b/security-ip-blog/posts/why-you-should-care-about-threat-modelling)
|
||||
|
||||
[Threat Modelling Toolkit](https://www.owasp.org/images/0/00/Threat_Modelling_-_STRIDE_Cards_-_TW_Branded.pdf) by ThoughtWorks
|
||||
- [Benefits of Threat Modeling](https://nvisium.com/blog/2019/05/30/benefits-of-threat-modeling.html)
|
||||
|
||||
[How to get started with Threat Modeling, before you get hacked](https://hackernoon.com/how-to-get-started-with-threat-modeling-before-you-get-hacked-1bf0ea3310df) by Hackernoon
|
||||
- [Threat Modeling: a Summary of Available Methods Whitepaper](https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_524597.pdf)
|
||||
|
||||
[Thread Modeling tutoria](https://www.geeksforgeeks.org/threat-modelling/) by Geeks For Geeks
|
||||
- [Threat Modelling Toolkit](https://www.owasp.org/images/0/00/Threat_Modelling_-_STRIDE_Cards_-_TW_Branded.pdf)
|
||||
|
||||
[How to analyze the security of your application with threat modeling](https://www.freecodecamp.org/news/threat-modeling-goran-aviani/) by Goran Aviani
|
||||
- [How to get started with Threat Modeling, before you get hacked](https://hackernoon.com/how-to-get-started-with-threat-modeling-before-you-get-hacked-1bf0ea3310df)
|
||||
|
||||
[Tactical Threat Modeling](https://safecode.org/wp-content/uploads/2017/05/SAFECode_TM_Whitepaper.pdf) by SafeCode
|
||||
- [Thread Modeling tutorial](https://www.geeksforgeeks.org/threat-modelling/)
|
||||
|
||||
[The Power of a Tailored Threat Model Whitepaper](https://www.lookingglasscyber.com/resources/white-papers/the-power-of-a-tailored-threat-model/) by Looking Glass
|
||||
- [How to analyze the security of your application with threat modeling](https://www.freecodecamp.org/news/threat-modeling-goran-aviani/)
|
||||
|
||||
[7 Easy Steps For Building a Scalable Threat Modeling Process](https://go.threatmodeler.com/7-steps-building-scalable-threat-modeling-process) by Threatmodeler
|
||||
- [Tactical Threat Modeling](https://safecode.org/wp-content/uploads/2017/05/SAFECode_TM_Whitepaper.pdf)
|
||||
|
||||
[Where is my Threat Model?](https://blog.appsecco.com/where-is-my-threat-model-b6f8b077ac47) by Abhisek Datta
|
||||
- [The Power of a Tailored Threat Model Whitepaper](https://www.lookingglasscyber.com/resources/white-papers/the-power-of-a-tailored-threat-model/)
|
||||
|
||||
- [7 Easy Steps For Building a Scalable Threat Modeling Process](https://go.threatmodeler.com/7-steps-building-scalable-threat-modeling-process)
|
||||
|
||||
- [Where is my Threat Model?](https://blog.appsecco.com/where-is-my-threat-model-b6f8b077ac47)
|
||||
|
||||
|
||||
## Threat Model examples
|
||||
|
||||
*Threat model examples for reference.*
|
||||
|
||||
- [SSL Threat model by Qualys](https://www.ssllabs.com/downloads/SSL_Threat_Model.png)
|
||||
|
||||
- [DNS Security: Threat Modeling DNSSEC, DoT, and DoH by Jan Schuamann](https://www.netmeister.org/blog/doh-dot-dnssec.html)
|
||||
|
||||
- [Email Encryption Gateway Threat model by NCC Group](https://www.slideshare.net/NCC_Group/real-world-application-threat-modelling-by-example)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
*Tools which helps in threat modelling*
|
||||
*Tools which helps in threat modelling.*
|
||||
|
||||
### Free tools
|
||||
|
||||
[OWASP Threat Dragon](https://www.owasp.org/index.php/OWASP_Threat_Dragon) - An online threat modelling web application including system diagramming and a rule engine to auto-generate threats/mitigations.
|
||||
- [OWASP Threat Dragon](https://www.owasp.org/index.php/OWASP_Threat_Dragon) - An online threat modelling web application including system diagramming and a rule engine to auto-generate threats/mitigations.
|
||||
|
||||
[Microsoft Threat Modeling Tool](https://docs.microsoft.com/en-gb/azure/security/develop/threat-modeling-tool) - Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects.
|
||||
- [Microsoft Threat Modeling Tool](https://docs.microsoft.com/en-gb/azure/security/develop/threat-modeling-tool) - Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects.
|
||||
|
||||
[Owasp-threat-dragon-gitlab](https://github.com/appsecco/owasp-threat-dragon-gitlab) - This project is a fork of the original OWASP Threat Dragon web application by Mike Goodwin with Gitlab integration instead of Github. You can use it with the Gitlab.com or your own instance of Gitlab.
|
||||
- [Owasp-threat-dragon-gitlab](https://github.com/appsecco/owasp-threat-dragon-gitlab) - This project is a fork of the original OWASP Threat Dragon web application by Mike Goodwin with Gitlab integration instead of GitHub. You can use it with the Gitlab.com or your own instance of Gitlab.
|
||||
|
||||
[raindance](https://github.com/devsecops/raindance) - Project intended to make Attack Maps part of software development by reducing the time it takes to complete them
|
||||
- [Raindance](https://github.com/devsecops/raindance) - Project intended to make Attack Maps part of software development by reducing the time it takes to complete them.
|
||||
|
||||
[threatspec](https://threatspec.org/) - Threatspec is an open source project that aims to close the gap between development and security by bringing the threat modelling process further into the development process.
|
||||
- [Threatspec](https://threatspec.org/) - Threatspec is an open source project that aims to close the gap between development and security by bringing the threat modelling process further into the development process.
|
||||
|
||||
|
||||
### Paid tools
|
||||
|
||||
[Irius risk](https://iriusrisk.com/threat-modeling-tool/) - Iriusrisk is a threat modeling tool with an adaptive questionnaire driven by an expert system which guides the user through straight forward questions about the technical architecture, the planned features and security context of the application.
|
||||
- [Irius risk](https://iriusrisk.com/threat-modeling-tool/) - Iriusrisk is a threat modeling tool with an adaptive questionnaire driven by an expert system which guides the user through straight forward questions about the technical architecture, the planned features and security context of the application.
|
||||
|
||||
[SD elements](https://www.securitycompass.com/sdelements/threat-modeling/) - Automate Threat Modeling with SD Elements
|
||||
- [SD elements](https://www.securitycompass.com/sdelements/threat-modeling/) - Automate Threat Modeling with SD Elements.
|
||||
|
||||
[Foreseeti](https://www.foreseeti.com/) - SecuriCAD Vanguard is an attack simulation and automated threat modeling SaaS service that enables you to automatically simulate attacks on a virtual model of your AWS environment.
|
||||
- [Foreseeti](https://www.foreseeti.com/) - SecuriCAD Vanguard is an attack simulation and automated threat modeling SaaS service that enables you to automatically simulate attacks on a virtual model of your AWS environment.
|
||||
|
||||
## Sponsor
|
||||
|
||||
![Practical DevSecOps](images/practical-devsecops-logo.png)
|
||||
|
||||
## Contributing
|
||||
|
||||
Please refer the guidelines at [contributing.md for details](Contributing.md).
|
||||
Please refer the guidelines at [contributing.md for details](contributing.md).
|
||||
|
||||
|
||||
## Sponsored by
|
||||
![Practical DevSecOps](images/practical-devsecops-logo.png)
|
||||
|
BIN
images/awesome-threat-modelling.png
Normal file
BIN
images/awesome-threat-modelling.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 72 KiB |
Loading…
Reference in New Issue
Block a user