Systematically listing all the potential ways one can attack an application
You look at the application as a whole
- Systematically: a repeatable and consistent process
- Attack: look for what can be abused or attacked
- Probable threat scenarios and a list of threats
- Weakness = software defect or bug
- Vulnerability = a weakness that can be exploited
- Example: an email address field can be abused to insert a SQL statement
- Target
- Attack vector = the path an attacker takes to the vulnerability
- Threat actor = the one doing the malicious work (e.g. a spammer)
- Attack surface = anything that can be obtained, used, or attacked by a threat actor
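The email-field case from the notes, worked through as an added example (not from the original notes): the same lookup written with the weakness (string concatenation) and with the mitigation (a bound parameter), so the difference between a weakness and an exploitable vulnerability is visible. The users table, its rows and the crafted input are all constructed for this example.

```python
"""Added example, not part of the original notes: an email lookup with
the concatenation weakness next to the parameterized version that closes it.
The table, rows and inputs are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Weakness: the field value is pasted into the SQL text, so the attack
    vector (the email form field) reaches the database engine as code."""
    sql = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Mitigation: a bound parameter is always treated as data, never as SQL."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with an honest and a crafted (constructed) input."""
    conn = make_db()
    honest = "bob@example.com"
    crafted = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "safe_honest": lookup_safe(conn, honest),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query the crafted value returns every row, including the admin; with the bound parameter the same value matches nothing, because it is compared literally against the email column. A code-review check for this weakness is simply: is any user-controlled string formatted into SQL text?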
Risk = Impact * Likelihood
"By failing to prepare, you are preparing to fail" - Benjamin Franklin
- Proactive approach: security up front instead of bolting it on afterwards
- Efficient: an ounce of prevention is worth a pound of cure
- Prioritize bugs: get things fixed fast
- Better understanding: everyone benefits from threat modeling
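Applying Risk = Impact * Likelihood to a list of threats so that the highest-risk bugs are fixed first, as an added example (not from the original notes). The 1-5 scales, the band thresholds and the sample threats are assumptions constructed for the demo; each threat record carries the vocabulary from the notes (asset, threat actor, attack vector).

```python
"""Added example, not part of the original notes: rank constructed threats
by Risk = Impact * Likelihood. The 1-5 scales and band cut-offs are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    asset: str        # what is being protected (e.g. the database)
    actor: str        # threat actor doing the malicious work
    vector: str       # path the actor takes to the weakness
    impact: int       # 1 (negligible) .. 5 (severe); assumed scale
    likelihood: int   # 1 (rare) .. 5 (almost certain); assumed scale

    def risk(self) -> int:
        """Risk = Impact * Likelihood, the formula from the notes."""
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be on the 1-5 scale")
        return self.impact * self.likelihood


def band(score: int) -> str:
    """Map a 1..25 score to an action band (thresholds are assumptions)."""
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(threats: list) -> list:
    """Highest risk first; ties broken by impact so severe outcomes win."""
    return sorted(threats, key=lambda t: (t.risk(), t.impact), reverse=True)


def report(threats: list) -> list:
    """Return (band, risk, vector) rows in fix-first order."""
    return [(band(t.risk()), t.risk(), t.vector) for t in prioritize(threats)]


# Constructed sample threats for the demo.
SAMPLE = [
    Threat("customer database", "external attacker", "SQL injection via email field", 5, 4),
    Threat("signup form", "spammer", "automated account creation", 2, 5),
    Threat("admin console", "insider", "shared credentials", 4, 2),
    Threat("static docs site", "vandal", "defacement", 1, 2),
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

The ordering, not the absolute numbers, is what the team acts on: the injection path against the database lands in the critical band and is fixed first, while defacement of a static site can wait.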
"If you don't know what to protect, how do you know you're protecting it?" - Kurt Haase
Assets can be a database, etc.