Threat modelling links
- An introduction to approachable threat modeling: One of favourite articles on this topic in quite awhile. It boils it down using an architecture diagram and understanding use flows and considers principals (who are the users (people, or other programs)), goals (what does the system do), adversities (what bad things can happen), and invariants (what always needs to be true about the system so that it can make progress)
- NIST 800-123 Guide to Server Hardening
- Threat and Risk Assessment: A process of identifying system assets and how these assets can be compromised, assessing the level of risk that threats pose to assets, and recommending security measures to mitigate threats.
- TRA Methodology: There are several frameworks for carrying these out. This one is from the government of Canada.
- TRA Overview from the SANS institute
I saved the pdf above from SANS here for posterity …