Question

Storing of threat models

  • 7 February 2024
  • 2 replies
  • 63 views


What is the best way to store and reuse the existing threat models?

Confluence, SCM …?


2 replies


Hey @amitsharma2009!

That’s a good question. There are various formats used de facto that are not really for storing threat models, such as draw.io, MS Visio or Lucidchart. But these are really diagram formats.

In the open-source world it is possible to find the Open Threat Model format (OTM), specifically tailored for storing threat models in a technology-agnostic YAML file format. https://github.com/iriusrisk/OpenThreatModel

Furthermore, there is a Python open-source project called startleft (https://github.com/iriusrisk/startleft) that generates OTM files from the mentioned diagram formats, and even from Terraform plan or CloudFormation files, to generate threat models. MS Threat Modeling Tool files can also be converted to OTM.

The idea is to have OTM as a common language no matter the source.

I hope this helps. Cheers
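One practical reason to keep threat models in a text format like OTM is that they can be checked in a pipeline before they are committed. The following is an added example (not code from the OTM or startleft projects) that checks an OTM document for dangling references; the field names follow the OTM schema as I recall it, and the sample model is constructed, written as JSON (which is valid YAML) so only the standard library is needed.

```python
import json

# Constructed sample OTM document. The dataflow "api -> db" deliberately
# points at a component ("db") that is never declared, which is the kind of
# inconsistency that creeps in when models are edited by hand over time.
SAMPLE_OTM = """{
  "otmVersion": "0.1.0",
  "project": {"name": "Payments API", "id": "payments-api"},
  "trustZones": [{"name": "Internet", "id": "internet"}, {"name": "Private", "id": "private"}],
  "components": [
    {"name": "Web client", "id": "client", "type": "generic-client",
     "parent": {"trustZone": "internet"}},
    {"name": "API", "id": "api", "type": "web-service", "parent": {"trustZone": "private"},
     "threats": [{"threat": "T1", "state": "mitigated", "mitigations": [{"mitigation": "M1"}]}]}
  ],
  "dataflows": [
    {"name": "client -> api", "id": "df1", "source": "client", "destination": "api"},
    {"name": "api -> db", "id": "df2", "source": "api", "destination": "db"}
  ],
  "threats": [{"name": "Credential stuffing", "id": "T1"}],
  "mitigations": [{"name": "Rate limiting", "id": "M1"}]
}"""


def check_references(otm: dict) -> list[str]:
    """Return dangling-reference problems; an empty list means the model is consistent."""
    ids = lambda key: {item["id"] for item in otm.get(key, [])}
    zones, components = ids("trustZones"), ids("components")
    threats, mitigations = ids("threats"), ids("mitigations")
    problems = []
    for comp in otm.get("components", []):
        zone = comp.get("parent", {}).get("trustZone")
        if zone is not None and zone not in zones:
            problems.append(f"component {comp['id']}: unknown trustZone '{zone}'")
    for flow in otm.get("dataflows", []):
        # A dataflow endpoint may be a component or a trust zone.
        for end in ("source", "destination"):
            if flow[end] not in components | zones:
                problems.append(f"dataflow {flow['id']}: unknown {end} '{flow[end]}'")
    # Threat instances on components and dataflows must point at declared catalogue entries.
    for owner in otm.get("components", []) + otm.get("dataflows", []):
        for inst in owner.get("threats", []):
            if inst["threat"] not in threats:
                problems.append(f"{owner['id']}: unknown threat '{inst['threat']}'")
            for m in inst.get("mitigations", []):
                if m["mitigation"] not in mitigations:
                    problems.append(f"{owner['id']}: unknown mitigation '{m['mitigation']}'")
    return problems


def check_otm_text(text: str) -> list[str]:
    """Parse an OTM document given as JSON/YAML-compatible text and check it."""
    return check_references(json.loads(text))


if __name__ == "__main__":
    for problem in check_otm_text(SAMPLE_OTM):
        print(problem)
```

Run as a pre-commit hook or CI step, a non-empty result blocks the merge, so the model stored in SCM stays internally consistent.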


It probably depends what your goal is when you say “reusing the existing threat models”.  If your goal is to make the threat models available to others within your business so they can learn from or copy parts of them i.e. reuse, then you’ll want a central store that is easy for people to access.

I have used Confluence before for this (I’ve also used a shared Google Drive), but any central storage location that has good search and is easy for your target audience to access should be fine. I’m not sure an SCM would be as good (less discoverable, format of data might not be human friendly), but it depends on the format of your threat models.

Wherever you store it, make sure any threat modelling documentation you have makes it clear where the threat models are stored, and focus on people being able to search on your intranet and get hits for the storage location.
