1

I have threat modelled applications in the past, but I'd like to threat model a distributed system. However, for the other people I'm with, who have never done it at all, I'd like to check out some examples somewhere, but I can't find any online.

Does anyone know of something like a resource where examples of modelled systems and the threats found might exist?

user109017
  • Could you say more about what you mean by 'distributed system'? – Adam Shostack Apr 28 '16 at 15:38
  • I am thinking of a number of connected computers all working together to achieve a common goal. Each of them will have different bits of data, of varying importance. – user109017 Apr 28 '16 at 21:18

2 Answers

1

I would highly recommend Microsoft's approach with the Threat Modeling Tool (https://www.microsoft.com/en-us/download/details.aspx?id=49168); it comes with some instructions and guidelines. Also consider playing some Elevation of Privilege (https://www.microsoft.com/en-us/SDL/adopt/eop.aspx), which gives some good insights into threat modeling.

To get/make an example, look through http://holisticinfosec.blogspot.dk/2014/05/toolsmith-microsoft-threat-modeling.html; it goes through some of the points in the 2014 version.

RLFP
0

The lack of public examples is rough, but there are a few, and I've just kicked off a series to look at what's available and learn from them at https://adam.shostack.org/blog/2018/03/threat-model-thursday-synopsys/

Adam Shostack