Actors and processes in threat models



  • I want to create a threat model to guide a security-oriented review on a project. I found the OWASP Threat Dragon and would like to do it in that, but from the documentation and example I am unsure how to use the elements provided.

    The diagrams can contain the following elements:

    • Actors (represented with boxes)
    • Processes (represented with circles)
    • Storage (represented with over and underline)
    • Data flows (represented with arrows)
    • Trust boundaries (represented with dashed lines)

    The latter three seem obvious, but there is an example model and it shows an Actor “Browser” and a Process “Web App”. I would expect an actor to mean a user, but then on the other hand what would represent the browser? Or should it be represented at all?

    And each function should be a separate process, no? I suppose the component itself does not really need to be represented, though where would I then put cross-process concerns like authorization? Or should I mention them for each and every function?



  • Actors act on the assets/environments. They can be people, client applications, processes, etc., if they present a possible threat.

    Processes are your processes within your scope.

    As an example, OWASP has an example.
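To make the distinction concrete, here is an added example (not Threat Dragon's own file format or code) that represents the five element kinds from the question as plain Python data and derives the flows that cross a trust boundary, which are the arrows where authentication, authorization and validation decisions have to be recorded. The element names, trust zones and the "Users DB" store are assumptions for illustration.

```python
from dataclasses import dataclass, field

# The five Threat Dragon diagram elements: actors, processes and stores are
# nodes, flows are edges, and a trust boundary is modelled as a change of zone.
@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "actor", "process" or "store"
    zone: str   # trust zone the element sits in (assumption: one zone per element)

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    label: str

@dataclass
class Model:
    elements: list = field(default_factory=list)
    flows: list = field(default_factory=list)

    def boundary_crossings(self):
        """Flows whose endpoints lie in different trust zones, i.e. arrows that
        cross a dashed trust boundary and need explicit authn/authz decisions."""
        return [f for f in self.flows if f.src.zone != f.dst.zone]

    def unreachable_processes(self):
        """Processes with no incoming flow: a hint that the diagram is incomplete."""
        targets = {f.dst for f in self.flows}
        return [e for e in self.elements if e.kind == "process" and e not in targets]

def example_model():
    # Constructed sample: the Browser actor and Web App process from the
    # Threat Dragon example, plus a hypothetical database store in the app zone.
    browser = Element("Browser", "actor", "internet")
    webapp = Element("Web App", "process", "app")
    db = Element("Users DB", "store", "app")
    m = Model([browser, webapp, db])
    m.flows += [
        Flow(browser, webapp, "HTTPS request"),
        Flow(webapp, browser, "HTTPS response"),
        Flow(webapp, db, "SQL query"),
        Flow(db, webapp, "result set"),
    ]
    return m

if __name__ == "__main__":
    for f in example_model().boundary_crossings():
        print(f"{f.src.name} -> {f.dst.name} ({f.label}) crosses {f.src.zone}/{f.dst.zone}")
```

Only the two browser/web-app flows cross the boundary here; the database flows stay inside the app zone, which is why the store need not be its own process.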

