Approach to threat models

There is no scientific approach to building a threat model. You can define your own, and it will broadly consider two contexts: the security controls that have been implemented in line with the requirements and policy, and the potential attacks that might affect an asset in the threat model.

In general, there are three approaches to a threat model:

  • Software-centric: This approach is also known as architecture-centric, system-centric or design-centric. It always starts from the design of the system, works through the complete data flow diagrams (DFDs), including their elements and components, and looks for the different types of attacks against each of them.
  • Asset-centric: The asset-centric ...
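
The software-centric walk described above, as an added example that is not from the book: it goes through every DFD element and data flow, lists candidate attack categories for each, and puts targets touched by a trust-boundary-crossing flow first. The STRIDE-per-element chart, the trust zones and the sample mobile-app DFD are assumptions made for illustration; the text itself names no attack taxonomy.

```python
from dataclasses import dataclass

# STRIDE-per-element chart, used here as an assumed attack catalogue
# (the text above does not name a taxonomy).
STRIDE = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"],
    "data_store": ["Tampering", "Information disclosure", "Denial of service"],
    "data_flow": ["Tampering", "Information disclosure", "Denial of service"],
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # key into STRIDE
    zone: str  # trust zone the element lives in (hypothetical labels)

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element

    @property
    def name(self):
        return f"{self.src.name} -> {self.dst.name}"

    @property
    def crosses_boundary(self):
        return self.src.zone != self.dst.zone

def build_worklist(elements, flows):
    """Return (target, threat, exposed) rows, boundary-exposed targets first."""
    exposed = set()
    for f in flows:
        if f.crosses_boundary:  # the flow and both endpoints face another zone
            exposed.update({f.src.name, f.dst.name, f.name})
    targets = [(e.name, e.kind) for e in elements]
    targets += [(f.name, "data_flow") for f in flows]
    rows = [(n, t, n in exposed) for n, kind in targets for t in STRIDE[kind]]
    return sorted(rows, key=lambda r: not r[2])  # stable sort keeps DFD order

# Constructed sample DFD for a mobile app; all names are hypothetical.
USER = Element("user", "external_entity", "user")
APP = Element("mobile app", "process", "device")
CACHE = Element("local SQLite cache", "data_store", "device")
API = Element("backend API", "process", "backend")
DB = Element("backend database", "data_store", "backend")
ELEMENTS = [USER, APP, CACHE, API, DB]
FLOWS = [Flow(USER, APP), Flow(APP, CACHE), Flow(APP, API), Flow(API, DB)]
```

Each row of `build_worklist(ELEMENTS, FLOWS)` is one question to take to the design review, for example whether the `mobile app -> backend API` flow is protected against information disclosure.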
