<h1 id="threat-modeling">Threat Modeling<a aria-hidden="true" class="anchor-heading icon-link" href="#threat-modeling"></a></h1>
A threat model is a living artifact that helps us reason about the security of a system.
Threat modeling helps define system appropriate security requirements and helps
find security issues that might not be found otherwise. For example, it is impossible
for automated tools to realize that some flow needs authorization.
A threat model should contain the following things:
<ul>
<li>Some form of system diagram -- Anything will do as long as long as it helps us understand the system.</li>
<li>List of viable threats -- Viable is key here, because there could be an infinite number of possible threats.</li>
<li>List of prioritized mitigations done or planned</li>
<li>List of assumptions made</li>
</ul>
The questions you should ask yourself while threat modeling are:
<ul>
<li>What are you building?</li>
<li>What can go wrong?</li>
<li>What should you do about the things that can go wrong?</li>
<li>Did you do a decent job of analysis?</li>
</ul>
There are methods that can be used to come up with threats, for the second question:
<ul>
<li><a href="/notes/7e620b21-faff-4db5-b5d0-48f46bc86029">STRIDE</a></li>
<li>Abuser stories</li>
<li>Threat Lists (<a href="https://samate.nist.gov/BF/Enlightenment/CAPEC.html">CAPEC</a>)</li>
<li>Vulnerability Lists (<a href="https://owasp.org/www-project-top-ten/">OWASP Top 10</a> etc)</li>
</ul>
<hr>
Backlinks
<ul>
<li><a href="/notes/7e620b21-faff-4db5-b5d0-48f46bc86029">STRIDE</a></li>
</ul>

Threat Modeling


Hi! I'm Param! This is a place for my personal notes.

My website is https://param.codes, and I write more readable
stuff on my substack: https://newsletter.param.codes.

I've found that taking notes helps me remember things, and it's nice
to look back on information that you processed years ago. I jot down random things, there's no real structure, but some of these
notes could eventually become blog posts.

Some notes you might find interesting:

- [[history.laphams_quarterly.democracy.campaign_finance]]
- [[engineering.being_a_mentor]]
- [[history.china.dynasties]]
- [[history.india.indira_gandhi]]

I also keep notes on books I read [[here|books]].

This is built using [[Dendron|engineering.dendron]] and hosted using
[GitHub Pages](https://github.com/paramsingh/notes).

Get in touch via [Twitter](https://twitter.com/iliekcomputers) or email me at `me [at] param [dot] codes`!
