October 06, 2004

Threat Modeling for Web Applications

Security World has released a paper on Threat Modeling for Web Applications using the STRIDE Model. If you are new to threat modeling, it has some good information.

I think this paper is a bit weak in that it doesn't do a good job of showing how to PRACTICALLY do threat modeling end to end. Threat modeling is MORE than simply STRIDE. It starts with determining what assets of interest exist for an adversary to go after (remember, a threat cannot exist unless there is at least one asset of interest to an adversary). It then moves on to modeling the application, which includes data flow diagrams (my latest passion as part of threat modeling), and then to building a threat profile that lets you classify the threats with STRIDE. Once you have classified the threats, you can finally build a threat tree to find what can be mitigated and how.

As you can see, STRIDE is a SMALL part of that. A better resource if you want to learn about threat modeling would be Frank Swiderski's book on the subject. Back in August I wrote a book review of it, which you can read here.
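To make the end-to-end sequence above concrete (assets, data flow diagram, threat profile classified with STRIDE, threat tree with mitigations), here is a small added Python example. It is not code from the Security World paper or from Swiderski's book. The sample web application, its trust zones, assets and the attack conditions in the tree are constructed for illustration, and the table that says which STRIDE categories apply to which kind of DFD element is the STRIDE-per-element mapping Microsoft published later, not something the paper provides.

```python
"""Toy end-to-end threat-modeling pass over a constructed web application.
Added example, not the paper's or the book's code. The PER_ELEMENT table is the
STRIDE-per-element mapping published later by Microsoft; the app is made up."""
from dataclasses import dataclass, field
from itertools import count

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# STRIDE categories in scope per DFD element kind (assumption, see docstring).
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass
class Element:
    name: str
    kind: str                       # external | process | store
    zone: str                       # trust zone; a flow between zones crosses a boundary
    assets: list = field(default_factory=list)   # what an adversary would want here

@dataclass
class Flow:
    src: Element
    dst: Element
    data: str

@dataclass
class Threat:
    id: int
    category: str
    target: str

def enumerate_threats(elements, flows):
    """Steps 1-4: assets -> DFD -> threat profile, classified with STRIDE."""
    ids, threats = count(1), []
    for e in elements:
        if not e.assets:            # no asset of interest here, so no threat to record
            continue
        for c in PER_ELEMENT[e.kind]:
            threats.append(Threat(next(ids), STRIDE[c], f"{e.kind} '{e.name}'"))
    for f in flows:
        if f.src.zone == f.dst.zone:  # only flows that cross a trust boundary
            continue
        for c in PER_ELEMENT["flow"]:
            threats.append(Threat(next(ids), STRIDE[c],
                                  f"flow '{f.data}' {f.src.name}->{f.dst.name}"))
    return threats

@dataclass
class Node:
    """Threat-tree node: leaves are attacker conditions, inner nodes combine them."""
    goal: str
    op: str = "OR"                  # OR: any child path suffices; AND: every child needed
    children: list = field(default_factory=list)
    mitigated: bool = False         # leaf only: a countermeasure is in place

def is_mitigated(node):
    if not node.children:
        return node.mitigated
    sub = [is_mitigated(c) for c in node.children]
    # An OR goal is blocked only when every path is blocked; an AND goal is
    # blocked as soon as any one of its required conditions is blocked.
    return all(sub) if node.op == "OR" else any(sub)

def sample_model():
    """Constructed three-tier web app: browser -> web app -> database."""
    browser = Element("Browser", "external", "internet")
    app = Element("Web app", "process", "dmz", ["session tokens"])
    db = Element("Customer DB", "store", "internal", ["customer records"])
    flows = [Flow(browser, app, "login form"), Flow(app, db, "SQL query"),
             Flow(db, app, "result rows")]
    return [browser, app, db], flows

def sample_tree():
    """Step 5: threat tree for 'Tampering against store Customer DB'."""
    return Node("Tamper with customer records", "OR", [
        Node("SQL injection through the web app", "AND", [
            Node("untrusted input reaches a query string"),
            Node("app's DB account may write the table"),
        ]),
        Node("Connect to the DB port directly", mitigated=True),  # firewall rule
    ])

def apply_mitigation(tree, leaf_goal):
    """Mark the leaf condition named leaf_goal as countered; returns the tree."""
    for c in tree.children:
        if c.goal == leaf_goal:
            c.mitigated = True
        apply_mitigation(c, leaf_goal)
    return tree

if __name__ == "__main__":
    elems, flows = sample_model()
    for t in enumerate_threats(elems, flows):
        print(f"{t.id:2d} {t.category:<23} {t.target}")
    tree = sample_tree()
    print("mitigated before:", is_mitigated(tree))
    apply_mitigation(tree, "untrusted input reaches a query string")  # parameterized queries
    print("mitigated after:", is_mitigated(tree))
```

The point of the tree is the AND/OR logic: the injection path needs both conditions, so parameterizing queries alone closes it, while the OR root is only closed once the direct-connection path is also blocked. The enumeration step also shows why assets come first: the browser element carries no asset and produces no threats of its own, only the flows that cross its trust boundary do.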

Posted by SilverStr at October 6, 2004 05:40 PM | TrackBack