This is a summary of what Adam Shostack said on an episode of the BrakeSec security podcast that I've only just made time to listen to. As the BrakeSec (Brakeing Down Security Podcast) page says, "Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly."

This isn't a transcript, just me making some typed notes, corrections or comments welcome.

The link to the appropriate page is here: http://brakeingsecurity.com/2017-036-adam-shostack-talks-about-threat-modeling-and-how-to-do-it-properly

The link to the podcast is here: http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3

Different threat modelling methods are:

STRIDE: It's a bad taxonomy but a useful mnemonic. It stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privilege. It helps you think about how each endpoint, data flow or connection could be attacked.

Trike: Asset-centric, has a spreadsheet, it's its own methodology.

PASTA: Has seven steps and is promoted as a "risk-centric system". Adam describes it as useful for a consultant because it lays out interview steps at the start and arrives at risk at the end.

DREAD: Don't use it. It "is a lovely acronym and a bad risk-management approach": you assign each factor a 1-10 rating and average them out, with no guidance on how the ratings are given.

Overall, the aim of this is to find threats, not to rate them.
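As an added example (my own, not code from the podcast or from Adam's book), this is what "thinking about how each endpoint, data flow or connection could be attacked" looks like when you apply STRIDE per element to a small diagram. The chart of which STRIDE letters apply to which element type is the standard STRIDE-per-element mapping from Shostack's book and Microsoft's SDL guidance rather than something stated in this post, and the three-element web app is a constructed sample. It enumerates candidate threats and deliberately assigns no scores, matching the point that the aim is to find threats, not rate them.

```python
from dataclasses import dataclass

# The six STRIDE categories, keyed by their mnemonic letter.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element chart (Shostack's book / Microsoft SDL, not from this post):
# which categories are normally considered for each kind of DFD element.
PER_ELEMENT = {
    "external": "SR",      # external entities (users, third-party systems)
    "process": "STRIDE",   # running code
    "store": "TRID",       # databases, files, queues
    "flow": "TID",         # data flows between the above
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of PER_ELEMENT's keys


def enumerate_threats(elements):
    """Return (element name, STRIDE category) pairs, one per applicable letter.

    No rating or averaging is done: every pair is a candidate the team still
    has to look at and decide whether it is real and how to mitigate it.
    """
    threats = []
    for e in elements:
        if e.kind not in PER_ELEMENT:
            raise ValueError(f"unknown element kind: {e.kind!r}")
        for letter in PER_ELEMENT[e.kind]:
            threats.append((e.name, STRIDE[letter]))
    return threats


def by_element(threats):
    """Group the candidate list into a worksheet: element -> list of categories."""
    sheet = {}
    for name, category in threats:
        sheet.setdefault(name, []).append(category)
    return sheet


# Constructed sample: a browser talking to a web app backed by a database.
SAMPLE_MODEL = [
    Element("Browser", "external"),
    Element("Browser -> Web app (HTTPS)", "flow"),
    Element("Web app", "process"),
    Element("Web app -> Database (SQL)", "flow"),
    Element("Database", "store"),
]

if __name__ == "__main__":
    for name, categories in by_element(enumerate_threats(SAMPLE_MODEL)).items():
        print(f"{name}: {', '.join(categories)}")
```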