In the OWASP world, we have OWASP Threat Dragon, about to release version 1.1. The collaborative features allowed us to each see what the others were working on in real-time. We were able to build out a threat model quickly (based on a pre-created template) and work together on it from three different locations. One advantage of Miro is its remote collaboration capabilities. Note: None of us have any vested interest in Miro’s success other than we’re threat modeling people, and we want to figure out how to do this better remotely.
He concluded that Miro was an excellent option to begin working with to perform the drawing phase of threat modeling. You can use the drawing tool to help with the analysis of what can go wrong, but you’ll want to use a separate approach to track your threats, as the drawing tool does not do this natively.Īdam did an investigation and evaluated five different tools. You’ll consider how the assembly of your application, what the components are, and manage your threat modeling work. Drawing toolsĪ drawing tool allows you to create diagrams, get consensus around what you’re working on, and where the trust boundaries are. Drawing tools can be augmented to perform threat modeling remotely. They do tend to provide a remote angle, allowing collaboration as a primary feature. Drawing tools exist to create various types of pictures, not threat models precisely.
When choosing a tool, you have two options: drawing tools and threat modeling tools.
Successful remote threat modeling begins by choosing the right tool and approach and keeping collaboration top of mind. We’ve written extensively about threat modeling in the past, including “ Threat modeling: better caught than taught,” where we expound upon the approach of teaching threat modeling by doing. The question we pose is, how will we make progress on rolling out threat modeling when we can’t meet with people face to face and work directly on a whiteboard? If you’d like to hear the full conversation and see our attempt at remote threat modeling, you’ll find this episode on YouTube. We’re all living in this new world where we’re working from home. Adam Shostack joined Robert and me, and the topic was remote threat modeling. This post is a result of a conversation on the Application Security Podcast.
0 kommentar(er)
