FFRI, Inc., profile picture
Uploaded byFFRI, Inc.
1,685 views

An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)

The document discusses the use of threat modeling tools, particularly focusing on the Microsoft Threat Modeling Tool for analyzing a general network camera system. It highlights the benefits of using these tools, such as automating threat identification and improving analysis efficiency through templates. Additionally, it provides insights into the threats identified and emphasizes the importance of confirming the feasibility of detected threats.

Technology
Related topics:
Information Security

Embed presentation

Downloaded 28 times
FFRI,Inc. 1 An Example of use the Threat Modeling Tool FFRI, Inc. http://www.ffri.jp/en/E-Mail: research-feedback[at]ffri.jp Twitter: @FFRI_Research Monthly Research 2016.11
FFRI,Inc. 2 Agenda • About threat analysis support tool • Examples of tools • Analysis target system • Analysis result – How to read result – Overview of threats • Effective usage – About template – Additional definition of threat information • Conclusions • References
FFRI,Inc. 3 About threat analysis support tool • There are various analysis support tools. – DFD drawing, automated threat identification – Benefits of tools • Reduce analysis time by automatically identifying threats and generating a report • Possibility to discover potential threats you could not find • Reducing dependency on individual skills – The same analysis result can be obtained for the same input data.
FFRI,Inc. 4 Examples of tools • Microsoft Threat Modeling Tool – DFD creation, tool to derive threats automatically from DFD • TRIKE – DFD creation, drawing tool including security requirements • SeaMonster – Attack tree and misuse case drawing tool • A misuse case is an unintended operation. • SecurITree – Attack tree creation tool • In this report, we explain an example of use the Microsoft Threat Modeling Tool 2016.
FFRI,Inc. 5 Analysis target system • The target is a general network camera system. • The figure below is a DFD created using the tool. – Add elements and data flow of the system to design view.
FFRI,Inc. 6 Analysis result - How to read result • The analysis result can be confirmed on the analysis view. – A threat list contains properties and outline of threats. • It is necessary to check whether the found threats actually. – Example: The web server could be a subject to a cross-site scripting attack because it does not sanitize untrusted input. » The above threat does not exist on a page without input form. – It is possible to describe priority and countermeasure for each threat. • The priority is setting to 'high' by default, user should change it. • It is useful for sharing status with multiple analysts.
FFRI,Inc. 7 Analysis result - Overview of threats • 47 threats were pointed out in the system. – Spoofing 10 cases – Tampering 8 cases – Repudiation 4 cases – Information Disclosure 3 cases – Denial of Service 12 cases – Elevation of privilege 10 cases • Many threats are related to web server. – Many categories of threats have been found there. • The descriptions of the threat are general. – If a threat information is insufficient, user should add information.
FFRI,Inc. 8 Effective usage - About template • What you can do by adding templates. – You can apply any picture to elements to make nice- looking DFD. – You can add threat information defined yourself. • The following figure shows an entry screen when creating a template.
FFRI,Inc. 9 Effective usage - Additional definition of threat information • Analysis efficiency will be improved by templates. – More extended analysis becomes possible by adding templates of threat information. – Template example • Title: Unauthorized access with default password. • Include: target is [Web Service] • Description: If you do not change the default password, attackers may compromise the system.
FFRI,Inc. 10 Conclusions • Pros – It can be used easily because threats will be listed automatically from a DFD. – It helps secure system design. – You can share threats information and priority with your team. • Cons – Threats that do not exist may be false detected. • You should confirm the feasibility of analyzed threats.
FFRI,Inc. 11 References • Threat Modeling – http://threatmodelingbook.com/index.html • SDL Threat Modeling Tool – https://www.microsoft.com/en- us/download/details.aspx?id=49168 • Microsofts New Threat Modeling Tool – https://blog.secodis.com/2016/07/06/microsofts-new-threat- modeling-tool/ • TRIKE – http://octotrike.org/ • SeaMonster – https://sourceforge.net/projects/seamonster/?source=navbar • SecuriTree – http://www.amenaza.com/

More Related Content

PDF
Threat Modelling
byn|u - The Open Security Community
 
PDF
Microsoft threat modeling tool 2016
byRihab Chebbah
 
PPTX
Threat modelling with_sample_application
byUmut IŞIK
 
PDF
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
byFFRI, Inc.
 
PDF
Attack modeling vs threat modelling
byInvisibits
 
PPT
STRIDE And DREAD
bychuckbt
 
PPTX
Threat Modeling And Analysis
byLalit Kale
 
PPTX
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
Threat Modelling
byn|u - The Open Security Community
 
Microsoft threat modeling tool 2016
byRihab Chebbah
 
Threat modelling with_sample_application
byUmut IŞIK
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
byFFRI, Inc.
 
Attack modeling vs threat modelling
byInvisibits
 
STRIDE And DREAD
bychuckbt
 
Threat Modeling And Analysis
byLalit Kale
 
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 

What's hot

PDF
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
byFFRI, Inc.
 
PPT
Mobile application security and threat modeling
byShantanu Mitra
 
PPTX
DevSecCon Talk: An experiment in agile Threat Modelling
byzeroXten
 
PDF
Threat Modeling: Best Practices
bySource Conference
 
PPTX
7 Steps to Threat Modeling
byDanny Wong
 
PPT
Application Threat Modeling
byMarco Morana
 
PPTX
Application Threat Modeling
byRochester Security Summit
 
PDF
Threats, Threat Modeling and Analysis
byIan G
 
PDF
Null bachav
byNaga Venkata Sunil Alamuri
 
PPTX
Microsoft threat modeling tool 2016
byKannan Ganapathy
 
PPTX
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
PPTX
MITRE ATT&CK framework
byBhushan Gurav
 
PDF
Threat Modeling Everything
byAnne Oikarinen
 
PDF
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
PDF
Introduction to Threat Modeling
byInMobi Technology
 
PPT
Web Application Security
byAbdul Wahid
 
PPTX
Introduction To Vulnerability Assessment & Penetration Testing
byRaghav Bisht
 
PDF
Developing a Threat Modeling Mindset
byRobert Hurlbut
 
PPTX
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
PPTX
Security Training: #4 Development: Typical Security Issues
byYulian Slobodyan
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
byFFRI, Inc.
 
Mobile application security and threat modeling
byShantanu Mitra
 
DevSecCon Talk: An experiment in agile Threat Modelling
byzeroXten
 
Threat Modeling: Best Practices
bySource Conference
 
7 Steps to Threat Modeling
byDanny Wong
 
Application Threat Modeling
byMarco Morana
 
Application Threat Modeling
byRochester Security Summit
 
Threats, Threat Modeling and Analysis
byIan G
 
Null bachav
byNaga Venkata Sunil Alamuri
 
Microsoft threat modeling tool 2016
byKannan Ganapathy
 
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
MITRE ATT&CK framework
byBhushan Gurav
 
Threat Modeling Everything
byAnne Oikarinen
 
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
Introduction to Threat Modeling
byInMobi Technology
 
Web Application Security
byAbdul Wahid
 
Introduction To Vulnerability Assessment & Penetration Testing
byRaghav Bisht
 
Developing a Threat Modeling Mindset
byRobert Hurlbut
 
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
Security Training: #4 Development: Typical Security Issues
byYulian Slobodyan
 

Viewers also liked

PDF
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
byFFRI, Inc.
 
PDF
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
byFFRI, Inc.
 
PPTX
Security Best Practices
byClint Edmonson
 
PPT
Imrt Treatment Planning And Dosimetry
byfondas vakalis
 
PDF
Intensity Modulated Radiation Therapy (IMRT)
byDilshad KP
 
PPTX
Revit and Building Information Modeling (BIM) Presentation
byryanabarton
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
byFFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
byFFRI, Inc.
 
Security Best Practices
byClint Edmonson
 
Imrt Treatment Planning And Dosimetry
byfondas vakalis
 
Intensity Modulated Radiation Therapy (IMRT)
byDilshad KP
 
Revit and Building Information Modeling (BIM) Presentation
byryanabarton
 

Similar to An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)

PDF
ch_2_Threat_Modeling_Risk_assessment.pdf
bygajendra903637
 
PDF
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
PDF
MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...
byMITRE - ATT&CKcon
 
PDF
Why Is Threat Intelligence the Key to Effective Pentesting and Red Teaming
bySOCRadar
 
PPTX
Operational Security Intelligence
bySplunk
 
PDF
Telesoft Cyber Threat Hunting Infographic
bySarah Chandley
 
PPTX
Cypha.io - Service Overview
bycypha
 
PPTX
My Keynote from BSidesTampa 2015 (video in description)
byAndrew Case
 
PDF
A handbook of the threat intelligence tools your company needs
bySecuraa
 
PDF
[Bucharest] Attack is easy, let's talk defence
byOWASP EEE
 
PPTX
Threat Intelligence (CTI) Blue Teams.pptx
byPhongTrn639136
 
PPTX
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
byCloudera, Inc.
 
PDF
CymruSec 2025 - Wales' Inaugural Cyber Summit
byRay Bugg
 
PDF
Leveraging Machine Learning for Proactive Threat Analysis in Cybersecurity
byEditor IJCATR
 
PDF
Irene Michlin. Old Pareto had a chart: getting 80% benefits of threat modelli...
byIT Arena
 
PDF
The Golden Rules - Detecting more with RSA Security Analytics
byDemetrio Milea
 
PDF
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
byJames Perry, Jr.
 
PPTX
Cyber Week 8.pptx.......................
bysalmannawaz6566504
 
PPTX
Malware Analysis
byRamin Farajpour Cami
 
PPTX
Cyber threat-hunting---part-2-25062021-095909pm
byMuhammadJalalShah1
 
ch_2_Threat_Modeling_Risk_assessment.pdf
bygajendra903637
 
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...
byMITRE - ATT&CKcon
 
Why Is Threat Intelligence the Key to Effective Pentesting and Red Teaming
bySOCRadar
 
Operational Security Intelligence
bySplunk
 
Telesoft Cyber Threat Hunting Infographic
bySarah Chandley
 
Cypha.io - Service Overview
bycypha
 
My Keynote from BSidesTampa 2015 (video in description)
byAndrew Case
 
A handbook of the threat intelligence tools your company needs
bySecuraa
 
[Bucharest] Attack is easy, let's talk defence
byOWASP EEE
 
Threat Intelligence (CTI) Blue Teams.pptx
byPhongTrn639136
 
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
byCloudera, Inc.
 
CymruSec 2025 - Wales' Inaugural Cyber Summit
byRay Bugg
 
Leveraging Machine Learning for Proactive Threat Analysis in Cybersecurity
byEditor IJCATR
 
Irene Michlin. Old Pareto had a chart: getting 80% benefits of threat modelli...
byIT Arena
 
The Golden Rules - Detecting more with RSA Security Analytics
byDemetrio Milea
 
NetSecurity_ThreatResponder(r)_Capability_Brief_021116_Rev0
byJames Perry, Jr.
 
Cyber Week 8.pptx.......................
bysalmannawaz6566504
 
Malware Analysis
byRamin Farajpour Cami
 
Cyber threat-hunting---part-2-25062021-095909pm
byMuhammadJalalShah1
 

More from FFRI, Inc.

PDF
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
PDF
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
PDF
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
byFFRI, Inc.
 
PDF
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
byFFRI, Inc.
 
PDF
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
byFFRI, Inc.
 
PDF
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
byFFRI, Inc.
 
PDF
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
byFFRI, Inc.
 
PDF
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
byFFRI, Inc.
 
PDF
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
byFFRI, Inc.
 
PDF
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
byFFRI, Inc.
 
PDF
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
byFFRI, Inc.
 
PDF
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
byFFRI, Inc.
 
PDF
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
byFFRI, Inc.
 
PDF
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
byFFRI, Inc.
 
PDF
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
byFFRI, Inc.
 
PDF
Malwarem armed with PowerShell
byFFRI, Inc.
 
PDF
MR201504 Web Defacing Attacks Targeting WordPress
byFFRI, Inc.
 
PDF
MR201502 Intel Memory Protection Extensions Overview
byFFRI, Inc.
 
PDF
MR201501 Latest trends in Linux Malware
byFFRI, Inc.
 
PDF
MR201412 Windows New Security Features - Control Flow Guard
byFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
byFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
byFFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
byFFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
byFFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
byFFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
byFFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
byFFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
byFFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
byFFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
byFFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
byFFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
byFFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
byFFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
byFFRI, Inc.
 
Malwarem armed with PowerShell
byFFRI, Inc.
 
MR201504 Web Defacing Attacks Targeting WordPress
byFFRI, Inc.
 
MR201502 Intel Memory Protection Extensions Overview
byFFRI, Inc.
 
MR201501 Latest trends in Linux Malware
byFFRI, Inc.
 
MR201412 Windows New Security Features - Control Flow Guard
byFFRI, Inc.
 

Recently uploaded

PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PDF
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PDF
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
Getting started with Agent Framework.pdf
byNilesh Gule
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PPTX
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PPTX
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
Getting started with Agent Framework.pdf
byNilesh Gule
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 

An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)

  • 1.
    FFRI,Inc. 1 An Example ofuse the Threat Modeling Tool FFRI, Inc. http://www.ffri.jp/en/E-Mail: research-feedback[at]ffri.jp Twitter: @FFRI_Research Monthly Research 2016.11
  • 2.
    FFRI,Inc. 2 Agenda • About threatanalysis support tool • Examples of tools • Analysis target system • Analysis result – How to read result – Overview of threats • Effective usage – About template – Additional definition of threat information • Conclusions • References
  • 3.
    FFRI,Inc. 3 About threat analysissupport tool • There are various analysis support tools. – DFD drawing, automated threat identification – Benefits of tools • Reduce analysis time by automatically identifying threats and generating a report • Possibility to discover potential threats you could not find • Reducing dependency on individual skills – The same analysis result can be obtained for the same input data.
  • 4.
    FFRI,Inc. 4 Examples of tools •Microsoft Threat Modeling Tool – DFD creation, tool to derive threats automatically from DFD • TRIKE – DFD creation, drawing tool including security requirements • SeaMonster – Attack tree and misuse case drawing tool • A misuse case is an unintended operation. • SecurITree – Attack tree creation tool • In this report, we explain an example of use the Microsoft Threat Modeling Tool 2016.
  • 5.
    FFRI,Inc. 5 Analysis target system •The target is a general network camera system. • The figure below is a DFD created using the tool. – Add elements and data flow of the system to design view.
  • 6.
    FFRI,Inc. 6 Analysis result -How to read result • The analysis result can be confirmed on the analysis view. – A threat list contains properties and outline of threats. • It is necessary to check whether the found threats actually. – Example: The web server could be a subject to a cross-site scripting attack because it does not sanitize untrusted input. » The above threat does not exist on a page without input form. – It is possible to describe priority and countermeasure for each threat. • The priority is setting to 'high' by default, user should change it. • It is useful for sharing status with multiple analysts.
  • 7.
    FFRI,Inc. 7 Analysis result -Overview of threats • 47 threats were pointed out in the system. – Spoofing 10 cases – Tampering 8 cases – Repudiation 4 cases – Information Disclosure 3 cases – Denial of Service 12 cases – Elevation of privilege 10 cases • Many threats are related to web server. – Many categories of threats have been found there. • The descriptions of the threat are general. – If a threat information is insufficient, user should add information.
  • 8.
    FFRI,Inc. 8 Effective usage -About template • What you can do by adding templates. – You can apply any picture to elements to make nice- looking DFD. – You can add threat information defined yourself. • The following figure shows an entry screen when creating a template.
  • 9.
    FFRI,Inc. 9 Effective usage -Additional definition of threat information • Analysis efficiency will be improved by templates. – More extended analysis becomes possible by adding templates of threat information. – Template example • Title: Unauthorized access with default password. • Include: target is [Web Service] • Description: If you do not change the default password, attackers may compromise the system.
  • 10.
    FFRI,Inc. 10 Conclusions • Pros – Itcan be used easily because threats will be listed automatically from a DFD. – It helps secure system design. – You can share threats information and priority with your team. • Cons – Threats that do not exist may be false detected. • You should confirm the feasibility of analyzed threats.
  • 11.
    FFRI,Inc. 11 References • Threat Modeling –http://threatmodelingbook.com/index.html • SDL Threat Modeling Tool – https://www.microsoft.com/en- us/download/details.aspx?id=49168 • Microsofts New Threat Modeling Tool – https://blog.secodis.com/2016/07/06/microsofts-new-threat- modeling-tool/ • TRIKE – http://octotrike.org/ • SeaMonster – https://sourceforge.net/projects/seamonster/?source=navbar • SecuriTree – http://www.amenaza.com/