Let’s Go Threat Modelling

Richard Adams

Senior Quality Engineer

Challenge Description

This activity is an opportunity to learn how to adopt threat modelling and what a session might look like, using Richard Adams’s card game. The goal is to show you how threat modelling works and also that threat modelling isn’t only for security engineers or lead developers. If anything, the tester mindset gives us the advantage.

Instructions:

  1. Download the “Threat Model” and “Threat Modelling Table” handouts that accompany this activity.

  2. Go through each of the “Threat Agent” entries in the “Threat Modelling” table and identify a type of attack that might be carried out for each one.

For example, for Denial of Service, we could suggest that a DDoS attack, in which a Web API is flooded with requests, might be an attack to be concerned about.

Tip: Find resources online or discuss with one another what each of the threat types is and what types of attacks might be connected to them.

Wrap-up:

This activity shows how creating a model of a system and then applying the STRIDE mindset can help us pick out potential threats. As testers we’re good at identifying risks, and that skillset comes in handy when assessing for security threats, even if you might not know how to execute them.
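To make the wrap-up concrete, here is an added example (not part of the activity or its handouts) that builds a small model of the Web API system from the instructions and walks the STRIDE categories over each element, flagging which threats have no counter-measure recorded yet. The element-to-STRIDE mapping is the common STRIDE-per-element convention and the model itself is a constructed assumption.

```python
"""STRIDE-per-element threat enumeration over a small system model.

Added example, not from the activity or its handouts. The data-flow model
(a browser, a Web API, a database) is constructed, and the element-to-STRIDE
mapping follows the usual STRIDE-per-element convention (an assumption here).
"""
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories typically apply to each kind of model element.
APPLICABLE = {
    "external": "SR",      # external entity (a user, a browser)
    "process": "STRIDE",   # running code (the Web API)
    "datastore": "TRID",   # persisted data (a database, a log file)
    "dataflow": "TID",     # data in transit between elements
}

@dataclass
class Element:
    name: str
    kind: str  # one of APPLICABLE's keys
    # Counter-measures already in the design, keyed by STRIDE letter.
    mitigations: dict = field(default_factory=dict)

def enumerate_threats(model):
    """Return (element, category, mitigation-or-None) rows for every threat."""
    rows = []
    for el in model:
        for letter in APPLICABLE[el.kind]:
            rows.append((el.name, STRIDE[letter], el.mitigations.get(letter)))
    return rows

def unmitigated(model):
    """The rows a threat modelling session should discuss first."""
    return [(n, c) for n, c, m in enumerate_threats(model) if m is None]

# Constructed sample model of the system in the activity's DDoS example.
MODEL = [
    Element("Browser", "external"),
    Element("Web API", "process", {"D": "rate limiting", "S": "session tokens"}),
    Element("Browser -> Web API", "dataflow", {"I": "TLS", "T": "TLS"}),
    Element("Orders DB", "datastore", {"I": "encryption at rest"}),
]

if __name__ == "__main__":
    for name, category in unmitigated(MODEL):
        print(f"{name}: {category} has no mitigation yet")
```

Swap in the elements from your own “Threat Model” handout and the output becomes the agenda for the session: one row per threat agent still waiting for an attack type and a counter-measure.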

What you’ll learn
  • Analyse visual models to spot security threats
  • Use the STRIDE mnemonic to break down each of the types of threats

Prerequisites

This activity requires that you download the following documents:

Resources

RiskStorming In Agile Teams With TestSphere
Ending A Support Call
The Automation Break Up: Saying Goodbye to Full Stack Tests with Task Analysis - Mark Winteringham
Let’s Go Threat Modelling (TestBash UK 2022)
Context Driven Security - Bill Matthews
Testing Ask Me Anything - Security Testing
What Is Exploratory Testing? An Iterative And Collaborative Learning Technique For The Whole Team
Can a Frequently Seen Bug Cheat-Sheet Prevent Bugs? - Amy Phillips
A Really Useful List For Exploratory Testers