Threat Model Collections

Featured Threat Model 04

A threat model for AI-assisted software featuring extensive frameworks and threat libraries, including STRIDE, LINDDUN, Plot4.ai, OWASP, and others.

The threat model

This is the deliverable of the champion team of the 2024 Threat Modeling Hackathon. Read the prompt here.

Access the threat model: https://docs.google.com/spreadsheets/d/1qRUf3TFNFNwmUusl5gK5Lwq2ftlF6OL7indL-fqn59Q/edit?usp=sharing

The creators

Arron Johnson, Jetzabel Serna, Prasanna Srinivasan, Jan Anderson, Ivan Smetskoy, Alicia Haumann. Mentored by Joshua Holmes.

Summary

Secure by Design and Default (SBD2) took a multi-perspective approach. We analyzed with different asset types in mind: data, personal, confidential. We diagrammed broad and then focused in on the product and prompt. Assumptions were clearly stated. Several iterations were performed, separately and as a group. Finally, we presented threats with example scenarios, mitigations, priorities, and recommendations. A lot of work over 21 days, finalized as a real-world use case with a management summary to help explain, discuss and prioritize further. The threat model is useful and informative.

Behind the scene

How did you work together?

Arron kept us engaged, Alicia summarized while learning, everyone contributed, Joshua advised and was very good at giving us ideas (asking questions) without giving us solutions.

What was your proudest moment?
Wow, the win was a huge surprise. We knew we were getting something valuable out of the experience. Awesome to see the (sometimes chaotic) work come together in a precise and useful solution.

What was the biggest challenge you faced? How did you overcome it?
We had several passionate threat modelers with and without experience. It was sometimes challenging to make progress while we debated approaches. We quickly learned how to give and take and get to a comprehensive solution.

About Threat Model Collections

In this content series, we publish and curate a variety of threat model examples. These models can come in different forms—whether graphical, textual, or even in code. They showcase a wide range of technologies, methodologies, and techniques.

Have a threat model you'd like to share with the community? Contribute it here.
