Closed breezy2u closed 4 years ago
Hello @breezy2u, certainly you are not an idiot :-) because these are very good fundamental questions.
An SQL server may be represented by both a process and a data store, if both are part of the threat surface. A threat model is not a 1:1 correspondence to a system diagram - they are different perspectives on the same system, and they result in very different diagrams (usually).
There are various threat modelling resources that may help you - have you tried the Threat Modeling cheat sheet? https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
Also if you are an OWASP member then the OWASP slack channel #threat-modeling is a good forum.
Hope this helps, Jon
Thank you! I will review the cheat sheet. I was able to find a sample web application threat model and I think it may have cleared up some things for me. I think I did a threat three a million years ago but I think I beered those brain cells.
On Wed, Sep 2, 2020 at 1:34 PM Jon Gadsden notifications@github.com wrote:
Hello @breezy2u, certainly you are not an idiot :-) because these are very good fundamental questions.
An SQL server may be represented by both a process and a data store, if both are part of the threat surface. A threat model is not a 1:1 correspondence to a system diagram - they are different perspectives on the same system, and they result in very different diagrams (usually).
There are various threat modelling resources that may help you - have you tried the Threat Modeling cheat sheet? https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
Also if you are an OWASP member then the OWASP slack channel #threat-modeling is a good forum.
Hope this helps, Jon
I'm having trouble understanding the difference between the objects in the application and how they relate to my system diagram. Are my SQL servers a process or a store? What about a windows server? Or a web server? Or an LDAP server? Am I just an idiot?