OWASP Threat Model Cookbook



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Threat Model Cookbook
This project is about creating and publishing threat model examples. They can be in the form of code, graphical or textual representations. The models will use diverse technologies, methodologies and techniques.

It is not a goal of the project to prescribe which methodologies to use but rather to collect examples. It will also not create content to educate people on threat modeling. Other OWASP projects such as Threat Modeling Project exists to that end.

Description
Currently the landscape of threat modeling is limited to a few books and methodologies that are widely accessible and in some cases open source. However, there's a lack of openly available content that is beyond just a blanket examples for existing methodologies. For instance, you could read a timeless awesome book, but the few complete examples the book is providing are outdated due to technology changing rapidly while threat model methodologies changes in a slower pace.

This project is scoped in such a way that the only outcomes of what we produce are examples. You could infer your own methodologies using examples as component for your own toolbox of techniques. You could also simply follow an prescriptive and well defined method and refer to this project deliverable to give you examples on similar techniques.

We also will have duplicate example of the same systems. Either using the same techniques, or different techniques. The reason for having the same technique but with multiple example is to show people that thread models by their nature will differ depending on the author. They should have recognizable components that allow a common language so viewers will understand the meaning, but like manuscript writing and hand drawing, the look will differ. Some will be ugly, but give an example of a quick solution, while other will look amazing and give you example of putting time into it. Perhaps you will judge that both gives the same results for you, thus choosing the quicker version. And for other people, they'll find that a detailed and more defined version will look better and encourage contribution. It's all up to you, browse the examples, try to comprehend them, and make your version. And if you can open source it, contribute!

Contributions will be accepted for any open source content that can follow our license. Note that most of the cases, it might be about made up systems that doesn't really exist, or system that exist but that people doesn't know the real internal architecture. So by definition, this project is not about giving you examples of good systems, but rather good threat model. A bad system being modeled here could actually give you a better example of how threat model can be useful to point out flaws.

Licensing
The written documents, diagrams and code of this project are free software. For code, you can redistribute it and/or modify it under the terms of the Apache 2.0 License and under CC-BY 3.0 License for the rest of diagrams and documents.

Roadmap
As of November, 2013, the highest priorities for the next 6 months are:
 * Get other people to review the Documentation Project Template and provide feedback
 * Incorporate feedback into changes in the Documentation Project Template
 * Finalize the Documentation Project template and have it reviewed to be promoted from an Incubator Project to a Lab Project

Subsequent Updates will add
 * Reorganization of the repository structure to reflect current goals
 * Self documentation in the repository about the ways of working
 * Adding more starting model examples
 * Getting GitHub PRs from contributors to add more examples
 * Getting GitHub issues to give feedback on examples to contributors

Getting Involved
Involvement in the development and promotion of Documentation Project Template is actively encouraged! You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

Project Resources
GitHub

Twitter

Slack

Project Leaders
Tash Norris

Jonathan Marcil

Related Projects

 * OWASP_Threat_Model_Project
 * OWASP_Threat_Dragon
 * Threat_Modeling_Cheat_Sheet

Classifications

 * }