Skip to Main content Skip to Navigation
New interface
Conference papers

Asset-Oriented Threat Modeling

Abstract : Threat modeling is recognized as one of the most important activities in software security. It helps to address security issues in software development. Several threat modeling processes are widely used in the industry such as the one of Microsoft SDL. In threat modeling, it is essential to first identify assets before enumerating threats, in order to diagnose the threat targets and spot the protection mechanisms. Asset identification and threat enumeration are collaborative activities involving many actors such as security experts and software architects. These activities are traditionally carried out in brainstorming sessions. Due to the lack of guidance, the lack of a sufficiently formalized process, the high dependence on actors' knowledge, and the variety of actors' background, these actors often have difficulties collaborating with each other. Brainstorming sessions are thus often conducted sub-optimally and require significant effort. To address this problem, we aim at structuring the asset identification phase by proposing a systematic asset identification process, which is based on a reference model. This process structures and identifies relevant assets, facilitating the threat enumeration during brainstorming. We illustrate the proposed process with a case study and show the usefulness of our process in supporting threat enumeration and improving existing threat modeling processes such as the Microsoft SDL one.
Complete list of metadata

Cited literature [37 references]  Display  Hide  Download
Contributor : Nicolas Belloir Connect in order to contact the contributor
Submitted on : Thursday, November 5, 2020 - 5:42:51 PM
Last modification on : Friday, August 5, 2022 - 2:54:52 PM
Long-term archiving on: : Saturday, February 6, 2021 - 8:02:47 PM


Files produced by the author(s)


  • HAL Id : hal-02990919, version 1


Nan Messe, Vanea Chiprianov, Nicolas Belloir, Jamal El-Hachem, Régis Fleurquin, et al.. Asset-Oriented Threat Modeling. TrustCom 2020 - 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Dec 2020, Guangzhou, China. pp.1-11. ⟨hal-02990919⟩



Record views


Files downloads