# Gamified Threat Modeling
This gamified method of doing threat modeling might not be for everyone, but it has its pros and is worth testing out.
## EoP Game-play
Here are the pros:
+ Depending on your level of geek: Fun!
+ Predefined cards with suggested threats - no need to rack your brain
+ Encourages collaboration
+ You end up with a JSON that can follow your code
+ Remote!
...and the cons:
- Leads to many false positives
- Time-consuming (~2+ h)
- Not everyone might find the game-aspect of it as intriguing
- Requires a lot more effort than, for example, Agile Threat Modeling
- Everyone needs a laptop
- Requires 3-6 players
## Pre-reqs
- It's good to familiarize yourselves with the physical EoP card game
- You need somewhere to host the EoP game. A tried method is using a dedicated VM in Azure and running a dockerized instance of the game.
- Expect a few iterations before everyone is on board with the game play
- Have a prize for the winner
Warning
Regardless of how you deploy, be wary of what information you are exposing through the diagram (IP addresses, "Equinor", and similar).
## How-to
- Spin up an instance of Elevation of Privilege, reachable to all participants
- Download (or deploy) an instance of OWASP Threat Dragon
- Using OWASP Threat Dragon: Create a diagram of the system in scope
- Upload the diagram to your EoP-instance, configure a session, distribute the links to participants
Depending on the system in scope, you can choose a suitable card-deck (general vs. a web application)
The game rules are described here
Afterwards, you can download the model with the added threats and keep it in your code repository.
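As an added example (not part of this page, nor code from Threat Dragon or the EoP game): a small Python script for the downloaded model once it sits in the repository. It counts threats by status and lists open high-severity threats that have no mitigation recorded, which helps with the false-positive clean-up the cons list mentions. It assumes the Threat Dragon v2 JSON layout (`detail.diagrams[].cells[].data.threats[]` with `title`, `type`, `status`, `severity`, `mitigation`) and runs on a constructed sample model.

```python
import json
from collections import Counter

# Constructed sample in the shape of an OWASP Threat Dragon v2 model (assumption:
# diagrams -> cells -> data.threats). A real file is the model downloaded after the session.
SAMPLE_MODEL = json.dumps({
    "summary": {"title": "Demo app"},
    "detail": {"diagrams": [{"title": "Main", "cells": [
        {"data": {"type": "tm.Process", "name": "API", "threats": [
            {"title": "Token replay", "type": "Spoofing", "status": "Open",
             "severity": "High", "mitigation": ""},
            {"title": "Log tampering", "type": "Tampering", "status": "Mitigated",
             "severity": "Medium", "mitigation": "Append-only log shipping"}]}},
        {"data": {"type": "tm.Store", "name": "DB", "threats": [
            {"title": "Backup left world-readable", "type": "Information disclosure",
             "status": "NotApplicable", "severity": "Low", "mitigation": ""}]}},
        {"data": {"type": "tm.Flow", "name": "API->DB"}},   # element without threats
    ]}]},
})


def iter_threats(model):
    """Yield (element name, threat dict) for every threat in every diagram."""
    for diagram in model.get("detail", {}).get("diagrams", []):
        for cell in diagram.get("cells", []):
            data = cell.get("data", {})
            for threat in data.get("threats") or []:
                yield data.get("name", "?"), threat


def triage(model_json):
    """Return (counts per status, list of open High threats lacking a mitigation)."""
    model = json.loads(model_json)
    by_status = Counter()
    unmitigated_high = []
    for element, threat in iter_threats(model):
        by_status[threat.get("status", "Open")] += 1
        if (threat.get("status") == "Open" and threat.get("severity") == "High"
                and not threat.get("mitigation")):
            unmitigated_high.append((element, threat.get("title", "?")))
    return dict(by_status), unmitigated_high


def model_passes(model_json):
    """Simple repository gate: no open High threat may be left without a mitigation."""
    return not triage(model_json)[1]


if __name__ == "__main__":
    counts, todo = triage(SAMPLE_MODEL)
    print("threats by status:", counts)
    for element, title in todo:
        print(f"needs mitigation: {element}: {title}")
```

Point `triage` at the JSON file in the repository instead of `SAMPLE_MODEL` to run it as a check after each session.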