By name: tmnt - Threat Model New Things description: given a named technology, library, package, concept or any other form of "idea", perform deep research with threat modeling in mind
Overview
Given a named technology, library, approach, architecture design, package, programming concept or similar, examine it in the context of the project and the existing baseline threat model and expose its significance from a threat modeling point of view.
Method
Ask the user as many clarifying questions as necessary at any step of your process. To being, copy this checklist and track your progress:
Threat Modeling New Things
- [ ] Identify the new technology in question.
- [ ] Consider its basic characteristics.
- [ ] Offer a brief overview, no more than 20 lines.
- [ ] Examine its security implications, if any.
**Step 1: Identify the new thing in question.
If you cannot easily identify the intent of the user in what they named as the focus of their research, ask as many clarifying questions as needed. Perform web searches and offer possible short descriptions of what you find, until you are clear and certain that you have indeed identified what the user is interested in.
**Step 2: Consider its basic characteristics.
At this step, do not perform a deep dive into the subject at hand. Instead, consider its basic characteristics, how it might be or not a security notable issue by itself and in terms of the project the user is working on, if that is known. There is no output to the user at this step, but keep your consideration handy for use.
**Step 3: Offer a brief overview, no more than 20 lines.
Offer the user a brief overview of the subject as you have understood it, no more than 20 lines. Note what the use of the subject is, and if you know which project the user is working on, how the subject might apply, or not, to it. After that, offer options, if any, that are newer or known to be more secure.
**Step 4: Examine its security implications, if any.
Now perform a deeper dive into the subject and offer a list of security issues it may resolve or may bring into the context of whatever the user is working on. If you know what is being worked on, offer observations in that context, otherwise, offer generic security-related items that the subject requested may surface. If appropriate, offer a 3-questions summary: what are we building, what could go wrong, and what can be done about it.