mike-goodwin / owasp-threat-dragon-desktop

An installable desktop variant of OWASP Threat Dragon
Apache License 2.0

Newby to Threat Diagrams #157

Closed breezy2u closed 4 years ago

breezy2u commented 4 years ago

I'm having trouble understanding the difference between the objects in the application and how they relate to my system diagram. Are my SQL servers a process or a store? What about a Windows server? Or a web server? Or an LDAP server? Am I just an idiot?

jgadsden commented 4 years ago

Hello @breezy2u , certainly you are not an idiot :-) because these are very good fundamental questions.

An SQL server may be represented by both a process and a data store, if both are part of the threat surface. A threat model is not a 1:1 correspondence to a system diagram - they are different perspectives on the same system, and they result in very different diagrams (usually).

There are various threat modelling resources that may help you - have you tried the Threat Modeling cheat sheet? https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html

Also if you are an OWASP member then the OWASP slack channel #threat-modeling is a good forum

Hope this helps, Jon
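To make the "both a process and a data store" answer concrete, here is an added example (not code from the Threat Dragon project or from either commenter). It builds a small constructed data-flow diagram in which one SQL server appears twice, as a process (the query engine) and as a store (the data files), and then shows why the choice matters: each element type attracts a different subset of STRIDE threat categories. The `tm.Process` / `tm.Store` / `tm.Actor` / `tm.Flow` cell type names and the summary/detail/diagrams layout follow the Threat Dragon v1 model file format as I understand it (an assumption); the STRIDE-per-element table is the standard one from the Microsoft methodology, and the helper names are mine.

```python
import json

# STRIDE-per-element: which threat categories apply to each DFD element kind.
# Standard Microsoft STRIDE table (S=Spoofing, T=Tampering, R=Repudiation,
# I=Information disclosure, D=Denial of service, E=Elevation of privilege).
# Threat Dragon's rule engine uses the same idea; this mapping is ours.
STRIDE_PER_ELEMENT = {
    "tm.Actor":   {"S", "R"},
    "tm.Process": {"S", "T", "R", "I", "D", "E"},
    "tm.Store":   {"T", "R", "I", "D"},
    "tm.Flow":    {"T", "I", "D"},
}


def cell(cell_id, cell_type, name):
    """A node cell (actor, process or store) in Threat Dragon v1 style (assumed format)."""
    return {"id": cell_id, "type": cell_type, "attrs": {"text": {"text": name}}}


def flow(cell_id, source_id, target_id, name):
    """A data-flow cell linking two nodes (assumed Threat Dragon v1 format)."""
    return {"id": cell_id, "type": "tm.Flow",
            "source": {"id": source_id}, "target": {"id": target_id},
            "labels": [{"attrs": {"text": {"text": name}}}]}


def build_model():
    """Constructed sample model: the SQL server is modelled as BOTH a process
    (the engine that parses and executes queries) and a store (the files it
    guards), because both are part of the threat surface."""
    cells = [
        cell("actor-user", "tm.Actor", "Browser user"),
        cell("proc-web", "tm.Process", "Web server"),
        cell("proc-sql", "tm.Process", "SQL query engine"),
        cell("store-sql", "tm.Store", "SQL data files"),
        cell("proc-ldap", "tm.Process", "LDAP directory service"),
        flow("flow-1", "actor-user", "proc-web", "HTTPS request"),
        flow("flow-2", "proc-web", "proc-sql", "SQL over TLS"),
        flow("flow-3", "proc-sql", "store-sql", "page reads/writes"),
        flow("flow-4", "proc-web", "proc-ldap", "LDAP bind"),
    ]
    return {
        "summary": {"title": "Constructed sample model"},
        "detail": {"contributors": [],
                   "diagrams": [{"title": "Main request flow",
                                 "diagramJson": {"cells": cells}}]},
    }


def cell_name(c):
    """Human-readable label of a cell; flows keep theirs in a labels list."""
    if c["type"] == "tm.Flow":
        return c["labels"][0]["attrs"]["text"]["text"]
    return c["attrs"]["text"]["text"]


def iter_cells(model):
    for diagram in model["detail"]["diagrams"]:
        for c in diagram["diagramJson"]["cells"]:
            yield c


def applicable_threats(model):
    """Map each element name to the sorted STRIDE letters its type attracts."""
    return {cell_name(c): sorted(STRIDE_PER_ELEMENT[c["type"]])
            for c in iter_cells(model)}


def representations(model, keyword):
    """Sorted element types under which a component (e.g. 'SQL') appears."""
    return sorted({c["type"] for c in iter_cells(model)
                   if keyword.lower() in cell_name(c).lower()})


if __name__ == "__main__":
    model = build_model()
    print(json.dumps(model, indent=2))
    print("SQL appears as:", representations(model, "SQL"))
    for name, letters in applicable_threats(model).items():
        print(f"{name:24s} STRIDE: {''.join(letters)}")
```

Running it shows the practical difference: the engine, being a process, picks up Spoofing and Elevation of privilege (an attacker impersonating the server, or a query escaping its privilege level), while the data files, being a store, attract Tampering, Information disclosure and Denial of service but not Elevation of privilege. Modelling the server only one way would silently drop half of those categories from the threat list.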

breezy2u commented 4 years ago

Thank you! I will review the cheat sheet. I was able to find a sample web application threat model and I think it may have cleared up some things for me. I think I did a threat tree a million years ago but I think I beered those brain cells.
