Summary

As you have seen, threat models are an important part of security testing. Testers play a key role alongside developers and designers in the quality and usefulness of the data flow diagram and threat model to help ship secure software. A few key points to remember include the following:

• As a security tester, you need to test the product thoroughly. DFDs can help you identify and organize all of the places you (or attackers ) can control input to the application, where this input is used, and where it exits the application.

• Once these places have been identified, you need to think about each carefully and brainstorm a set of threats describing how an attacker might attempt to cause harm. Remember to track each of these threats so you actually create test cases for all of them. If you dont track them, you will likely forget something.

• If the DFD and threat model are being created by the company designing the software, they should be created by a team consisting of the software designer, developer, and tester. Each discipline has a unique view of the product, and details will likely be missed if each isnt involved in creating the threat model and DFD.

• The threats contained in the threat model should be actionable enough to generate specific test cases.

• Testers should not assume all details in the DFD and threat model are correct or complete. It is important for a tester to validate the details after using the product.

• The DFD and threat model should be updated to reflect what is actually implemented in the product.

In the next chapter, we look at specific tools, methodologies, and tips to help identify entry points for testing and threat modeling.