Components Security Templates ThreatModeling - DevClusterAI/DOD-definition GitHub Wiki
Threat Modeling Template
Project Information
Project Name: [Project Name]
Version/Release: [Version]
Date: [YYYY-MM-DD]
Participants: [Names/Roles of participants]
Facilitator: [Name/Role]
System Overview
System Description
[Provide a brief description of the system/application being analyzed]
Business Objectives
[List the primary business objectives this system fulfills]
Data Flow Diagram (DFD)
[Include or reference a data flow diagram showing components, data flows, trust boundaries]
Assets and Trust Boundaries
Key Assets
| Asset |
Description |
Classification |
Owner |
| [Asset 1] |
[Description] |
[Critical/Sensitive/Public] |
[Role/Team] |
| [Asset 2] |
[Description] |
[Critical/Sensitive/Public] |
[Role/Team] |
| [Asset 3] |
[Description] |
[Critical/Sensitive/Public] |
[Role/Team] |
Trust Boundaries
| Boundary |
Description |
Systems/Components Within |
| [Boundary 1] |
[Description] |
[List of components] |
| [Boundary 2] |
[Description] |
[List of components] |
| [Boundary 3] |
[Description] |
[List of components] |
Threat Identification (STRIDE)
Component 1: [Component Name]
| Threat Type |
Threat Scenario |
Likelihood |
Impact |
Risk Rating |
| Spoofing |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Tampering |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Repudiation |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Information Disclosure |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Denial of Service |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Elevation of Privilege |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
Component 2: [Component Name]
| Threat Type |
Threat Scenario |
Likelihood |
Impact |
Risk Rating |
| Spoofing |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Tampering |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Repudiation |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Information Disclosure |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Denial of Service |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Elevation of Privilege |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
Data Flow 1: [Flow Description]
| Threat Type |
Threat Scenario |
Likelihood |
Impact |
Risk Rating |
| Spoofing |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Tampering |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Repudiation |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Information Disclosure |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Denial of Service |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
| Elevation of Privilege |
[Description] |
[High/Medium/Low] |
[High/Medium/Low] |
[Critical/High/Medium/Low] |
Mitigations
| Threat ID |
Component/Flow |
Threat |
Mitigation |
Status |
Owner |
Priority |
| [ID-1] |
[Component/Flow] |
[Brief threat] |
[Description of countermeasure] |
[Not Started/In Progress/Completed] |
[Role/Team] |
[High/Medium/Low] |
| [ID-2] |
[Component/Flow] |
[Brief threat] |
[Description of countermeasure] |
[Not Started/In Progress/Completed] |
[Role/Team] |
[High/Medium/Low] |
| [ID-3] |
[Component/Flow] |
[Brief threat] |
[Description of countermeasure] |
[Not Started/In Progress/Completed] |
[Role/Team] |
[High/Medium/Low] |
Attack Surface Reduction
| Component/Area |
Current Attack Surface |
Recommendation |
Benefit |
| [Component] |
[Description] |
[Recommendation] |
[Expected benefit] |
| [Component] |
[Description] |
[Recommendation] |
[Expected benefit] |
| [Component] |
[Description] |
[Recommendation] |
[Expected benefit] |
Risk Acceptance
| Threat ID |
Risk Description |
Justification |
Accepted By |
Expiration/Review Date |
| [ID-1] |
[Description] |
[Justification] |
[Name/Role] |
[YYYY-MM-DD] |
| [ID-2] |
[Description] |
[Justification] |
[Name/Role] |
[YYYY-MM-DD] |
Security Requirements
| Requirement ID |
Requirement |
Associated Threats |
Verification Method |
| [REQ-1] |
[Description] |
[List of threat IDs] |
[Description] |
| [REQ-2] |
[Description] |
[List of threat IDs] |
[Description] |
| [REQ-3] |
[Description] |
[List of threat IDs] |
[Description] |
Threat Modeling Assumptions
- [Assumption 1]
- [Assumption 2]
- [Assumption 3]
Next Steps and Action Items
| Action Item |
Owner |
Due Date |
Status |
| [Description] |
[Name/Role] |
[YYYY-MM-DD] |
[Not Started/In Progress/Completed] |
| [Description] |
[Name/Role] |
[YYYY-MM-DD] |
[Not Started/In Progress/Completed] |
| [Description] |
[Name/Role] |
[YYYY-MM-DD] |
[Not Started/In Progress/Completed] |
Appendices
Glossary
[List of terms and definitions]
References
[List of reference materials]
Tools Used
[List tools used for threat modeling]
Approval
Threat Model Prepared By: [Name, Role]
Date: [YYYY-MM-DD]
Approved By: [Name, Role]
Date: [YYYY-MM-DD]