Making Threat Modeling Accessible: Top 10 Tools and Resources for Practitioners

As the editor of the Threat Modeling Insider (TMI) newsletter, I’ve had the privilege of curating and sharing valuable insights with our growing community over the years. I’m Seba Deleersnyder, and today I’m excited to bring together 10 of the most impactful threat modeling tips and resources that have resonated most strongly with our readers.

Threat modeling can feel overwhelming, especially when you’re staring at a blank canvas wondering where to start. I’ve been there myself, and that’s exactly why I’m passionate about TMI – to help security professionals like you transform threat modeling from a daunting task into an integrated part of your development or threat modeling process.

1. Data Flow Diagram Template for Miro

Featured in TMI #39

One of the most common challenges I hear about is getting started with that blank whiteboard. That’s why we created a comprehensive data flow diagram template for Miro. Getting started is straightforward:

  1. Access the template in Miroverse
  2. Click “Copy Template” to add it to your workspace
  3. Begin building your diagram using our pre-made components

We’ve also created a quick-start guide on YouTube to provide a visual walkthrough of the template’s features and usage.

2. User Story Integration Guidelines

Featured in TMI #16

From my experience working with agile teams, I’ve found that knowing when to update your threat model based on new user stories is crucial. I recommend updating your threat model when user stories involve:

  • New functionality
  • Changes to business logic
  • Modifications to security controls or dependencies
  • Extensions to existing functionality (evaluate case by case)

This integration works best when risk analysis is performed during refinement meetings, ensuring security considerations are incorporated into sprint planning.

3. Continuous Threat Modeling (CTM)

Featured in TMI #11

I’ve been particularly impressed by Autodesk’s CTM methodology created by Izar Tarandach. It enables development teams to perform threat modeling with minimal initial security knowledge – something I believe is crucial for the wider adoption of these practices. For an excellent overview of how Autodesk implements this approach, check out Izar’s presentation on “Threat Modeling Every Story: Practical Continuous Threat Modeling For Your Team”.

4. STRIDE in Real World Contexts

Featured in TMI #15

One of my favorite examples of practical STRIDE application comes from Miguel Llamazares’s creative analysis of hotel minibar security. It perfectly demonstrates how to:

  • Apply security principles to everyday systems
  • Consider both technical and business perspectives
  • Identify various threat categories in familiar contexts

This creative approach helps make security principles more relatable and easier to understand.

5. Online Elevation of Privilege (EoP) Game

Featured in TMI #16

The shift to remote work has changed how we collaborate, and I’m excited to share Fraser Scott’s online adaptation of the EoP game. This virtual version maintains the educational value while making it accessible to distributed teams who need to collaborate asynchronously.

6. Security Engineering Resource

Featured in TMI #34

I was deeply saddened by Ross Anderson’s recent passing. His “Security Engineering” book has been instrumental in my own journey, and the third edition remains one of the most comprehensive resources in our field. The book’s 29 chapters cover everything from access control to tamper resistance, and his accompanying 15-lecture video series, available on the same webpage, is a must-watch for any security professional.

7. Moving Beyond DREAD

Featured in TMI #11

Throughout my career, I’ve seen the industry evolve beyond the DREAD model. I strongly recommend focusing on current methodologies that better align with today’s security landscape. Modern threat modeling approaches offer more nuanced and effective ways to evaluate and prioritize security risks.

8. Threat Modeling Connect Community

Featured in TMI #20

I’m proud to recommend Threat Modeling Connect, launched in November 2022. It’s become a vibrant space where practitioners can openly discuss challenges, share experiences, and shape the future of threat modeling together. The community’s mission is to make threat modeling a standard practice in the software development life cycle and beyond.

9. OWASP Slack Channel

Featured in TMI #2

I’ve seen the OWASP Threat Modeling channel grow into one of our industry’s most vibrant communities. Led by project leaders including my colleague Steven Wierckx, who leads the OWASP Threat Model Project, it’s become an invaluable resource for:

  • Direct access to experienced practitioners
  • Real-time discussion of threat modeling challenges
  • Community support for implementation questions

New to OWASP Slack? You can join the community here.

10. O'Reilly Training Resources

Featured in TMI #36

A recent addition to our recommended resources is the comprehensive O’Reilly video course on threat modeling fundamentals. Through hands-on exercises and practical applications, it guides you through essential concepts and techniques refined over years of practice in the field. You can access it now on the O’Reilly learning platform with a 10-day free trial.

Moving Forward

Throughout my years in threat modeling, I’ve learned that this journey doesn’t have to be solitary. These tools and resources represent the collective wisdom of our community, and I’ve seen them help countless practitioners improve their security practices.

I encourage you to join our growing community by subscribing to the Threat Modeling Insider newsletter at toreon.com/tmi-threat-modeling. Every edition is carefully curated to bring you practical insights, emerging trends, and lessons learned from the field.

Let’s continue making threat modeling more accessible and effective together.

About the Author

Seba Deleersnyder is the editor of the Threat Modeling Insider newsletter and a passionate advocate for practical security solutions. With years of experience in the field, he continues to curate insights and build communities that make threat modeling more accessible to everyone.
