I’m reposting my friend, François Proulx’s supply chain analysis because I believe it to provide an excellent example of a thorough threat model.
Yes, indeed, do read the post if you need to understand software supply security. But this analysis also demonstrates a couple of critical threat modelling methods:
- Cataloging the relevant attacks (often called a “threat library”)
- Analyzing how the attacks work, who the victim is, what the likely impact will be if compromised
- Identifying appropriate counter-measures, which may include defences, mitigations, monitoring, etc.
- Explaining in some detail how the analysis works
A #threat model isn’t its methods. I often hear people confuse method with model. There isn’t any STRIDE analysis (though this model makes effective use of attack trees). There’s only a single visual representation that might be called a data flow diagram (DFD) - and that is very loose. it’s more of a process flow. Neither of these are required to build a model (though they might very well help).
What is require is the sort of hard thinking I find in this analysis. I haven’t found that many articles where the author is willing to expose their thinking, how they’ve arrived at the output of the model. This article is a welcome exception.