Clone of https://github.com/rmusser01/Infosec_Reference . For those who would prefer to not be tracked by MS.
# Threat Modeling & Risk Assessment
## Table of Contents
- [Threat Modeling](#threat-modeling)

Threat Modeling
* Threat Modeling Book
* OWASP App Threat Modeling
* Evil User Stories
* [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/)
* [Mozilla Rapid Risk Assessment](https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html)
* [Information Security Risk Assessment - Turnkey Consulting](https://www.turnkeyconsulting.com/information-security-risk-assessment)
* [Performing a Security Risk Assessment - ISACA Journal (2010, Volume 1)](https://www.isaca.org/Journal/archives/2010/Volume-1/Pages/Performing-a-Security-Risk-Assessment1.aspx)
* [Application Threat Modeling using DREAD and STRIDE - Haider Mahmood](https://haiderm.com/application-threat-modeling-using-dread-and-stride/)
* [Dark Matter and Measuring Security - Crispin Cowan](https://www.leviathansecurity.com/blog/dark-matter-and-measuring-security)
* [FAIR introduction - Risk Management Insight (archived PDF)](https://web.archive.org/web/20141118061526/http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf)
* [ThreatPlaybook](https://github.com/we45/ThreatPlaybook)
    * A unified DevSecOps framework that allows you to go from iterative, collaborative threat modeling to application security test orchestration
    * [Homepage](https://we45.gitbook.io/threatplaybook/)
* [Threat Modeling: 12 Available Methods - Nataliya Shevchenko](https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html)
* [Draw.io for threat modeling - Michael Henriksen](https://michenriksen.com/blog/drawio-for-threat-modeling/)
* [The Security Principles of Saltzer and Schroeder - Adam Shostack & Friends](https://adam.shostack.org/blog/the-security-principles-of-saltzer-and-schroeder/)
* [Towards Improving CVSS - J.M. Spring, E. Hatleback, A. Householder, A. Manion, D. Shick - CMU](https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_538372.pdf)
* [PlantUML](http://plantuml.com/)
----------------------------------
### Threat Modeling
* **Articles/Papers/Writeups**
    * [Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community, Senate Select Committee on Intelligence](https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20-%20Final.pdf)
    * [Why your threat model is probably wrong - Cyberwar](http://blog.thinkst.com/p/cyberwar-why-your-threat-model-is.html)
    * [7 Steps to Threat Modeling](https://www.slideshare.net/chinwhei/7-steps-to-threat-modeling)
* **Talks & Presentations**
    * [The Triple A Threat: Aggressive Autonomous Agents - the grugq](http://grugq.github.io/presentations/comae-blackhat-year-of-the-worm.pdf)
    * [A Hacker's Guide to Risk - Bruce Potter (DEF CON 23)](https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Bruce-Potter-Hackers-Guide-to-Risk.pdf)
    * [Global Adversarial Capability Modeling](https://www.youtube.com/watch?v=56T3JN09SrY#t=41)
    * [Adam Shostack - Pentesting: Lessons from Star Wars](https://www.youtube.com/watch?v=BfWWryF8M7E&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe&index=13)
        * Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven't panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It's designed to help security pros, especially pen testers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively on offense or defense.
    * Threat Modeling - Jim DelGrosso
    * [Infecting the Embedded Supply Chain - Somerset Recon](https://www.somersetrecon.com/blog/2018/7/27/infecting-the-embedded-supply-chain)
    * [Threat Modeling 101 - Dan Tentler](https://www.youtube.com/watch?v=wu8SDWao_Ns)
* **Threat Modeling Methodologies**
    * **OCTAVE**
    * **PASTA**
    * **STRIDE**
        * [STRIDE (security) - Wikipedia](https://en.wikipedia.org/wiki/STRIDE_(security))
            * STRIDE is a model of threats developed by Praerit Garg and Loren Kohnfelder at Microsoft for identifying computer security threats. It provides a mnemonic for six categories of threat: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege.
        * [Guerrilla Threat Modelling (or 'Threat Modeling' if you're American) - Peter Torr](http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx)
    * **TRIKE**
    * **VAST**
* **Tools**
    * [seasponge - Mozilla Project](https://github.com/mozilla/seasponge)
        * Accessible and client-side threat modeling tool
        * [GIFs demonstrating usage](https://github.com/mozilla/seasponge/wiki/usage)
    * [ThreadFix](https://github.com/denimgroup/threadfix)
        * ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
* [On Comparing Threat Intelligence Feeds - Anton Chuvakin](http://blogs.gartner.com/anton-chuvakin/2014/01/07/on-comparing-threat-intelligence-feeds/)
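The STRIDE entry above names the six categories but not how they are applied to a design, and the Mahmood article is listed for pairing STRIDE with DREAD. The following is an added example and is not code from Infosec_Reference, ThreatPlaybook, seasponge, or any other project linked here. It applies the STRIDE-per-element mapping used in the Microsoft SDL (external entity: S, R; process: all six; data store: T, R, I, D; data flow: T, I, D) to a constructed data-flow diagram of a small web application, then ranks the enumerated threats with DREAD scores. The DFD, the ratings, and the names `Element`, `Threat`, `enumerate_threats`, `dread_score` and `rank_threats` are all assumptions made for the example.

```python
"""STRIDE-per-element threat enumeration with DREAD ranking.

Added example for this reference list; not code from Infosec_Reference,
ThreatPlaybook, seasponge, or any other linked project. The element-to-
category table is the STRIDE-per-element mapping used in the Microsoft SDL;
the data-flow diagram (DFD) and the DREAD ratings below are constructed.
"""
from dataclasses import dataclass
from statistics import mean

# The six STRIDE categories, keyed by mnemonic letter.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element (Microsoft SDL): which categories are worth asking
# about for each kind of DFD element. Assumption: this is the table used.
PER_ELEMENT = {
    "external_entity": "SR",   # users, third-party services
    "process": "STRIDE",       # code that runs: all six apply
    "data_store": "TRID",      # files, databases, queues
    "data_flow": "TID",        # data in transit between elements
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # one of the PER_ELEMENT keys
    crosses_boundary: bool = False  # flow crosses a trust boundary


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    boundary: bool   # True when raised on a boundary-crossing flow


def enumerate_threats(elements):
    """One Threat per (element, applicable STRIDE category)."""
    threats = []
    for e in elements:
        if e.kind not in PER_ELEMENT:
            raise ValueError(f"unknown DFD element kind: {e.kind!r}")
        for letter in PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE[letter], e.crosses_boundary))
    return threats


def dread_score(damage, reproducibility, exploitability,
                affected_users, discoverability):
    """DREAD: mean of five ratings on a 1..10 scale; higher is worse."""
    ratings = (damage, reproducibility, exploitability,
               affected_users, discoverability)
    if any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("each DREAD rating must be in 1..10")
    return float(mean(ratings))


def rank_threats(threats, ratings):
    """Return (score, threat) pairs, highest DREAD score first.

    Unrated threats score 0.0 and sort last; among equal scores, threats
    on trust-boundary-crossing flows come first, then by name."""
    scored = []
    for t in threats:
        r = ratings.get((t.element, t.category))
        scored.append((dread_score(*r) if r else 0.0, t))
    scored.sort(key=lambda s: (-s[0], not s[1].boundary,
                               s[1].element, s[1].category))
    return scored


# Constructed DFD: a browser talking to a web app backed by a session store.
DFD = [
    Element("browser", "external_entity"),
    Element("web_app", "process"),
    Element("session_db", "data_store"),
    Element("browser->web_app", "data_flow", crosses_boundary=True),
    Element("web_app->session_db", "data_flow"),
]

# Constructed DREAD ratings (D, R, E, A, D) for two of the enumerated threats.
RATINGS = {
    ("browser->web_app", "Tampering"): (7, 9, 8, 9, 8),
    ("session_db", "Information disclosure"): (9, 4, 5, 10, 3),
}

if __name__ == "__main__":
    for score, t in rank_threats(enumerate_threats(DFD), RATINGS):
        flag = " [trust boundary]" if t.boundary else ""
        print(f"{score:4.1f}  {t.element:<22} {t.category}{flag}")
```

Running the module lists 18 candidate threats for the five elements, with the two rated ones at the top; the unrated remainder is the backlog a review session would work through, starting with the flow that crosses the trust boundary. The per-element table is what keeps the enumeration bounded: asking all six questions of every element produces 30 entries, most of them meaningless for a passive data store or a data flow.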