1

Are there any templates or guides anywhere which illustrate how threat models should be documented?

For example, what kind of threats are there for cloud-based / third party instant messaging services? Would you use STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation) as a reference point? What kind of diagrams do you need?

Looking for some overall guidance to help explain how they would go about producing a threat model analysis for a third party / cloud based messaging service.

  • This question is likely to be closed. Please feel free to come back with a more detailed question describing your actual problem. – 700 Software Nov 14 '16 at 13:04
  • This is not a product recommendation, but a request for a type of drawing or process. – John Deters Nov 15 '16 at 03:51
  • Yes, I am looking for someone to help explain how they would go about producing a threat model analysis for a third party / cloud based messaging service. I am not looking for any product recommendations. Thanks. – NoDirection Nov 15 '16 at 08:29
  • Clearly this is process not product. – Lester T. Nov 15 '16 at 09:04

1 Answer

4

Looking at your tag, are you searching for application threat modeling?

One great place to start would be OWASP; they have the following guides and some templates to illustrate threat models.

For myself, I'm referencing both OWASP and SANS articles. Here is a link to OWASP.

OWASP Application Threat Modeling

OWASP Threat Risk Modeling

SANS has their own threat modeling article as well; you can easily search for it on Google.

SANS Application Threat Modeling

Lester T.