I have prepared a checklist that can be used to validate a threat document for completeness and accuracy.. Please provide feedback, if I am missing anything or anything needs to be refined. Also please share your threat model experience,challenges you faced, tools you used etc.

Threat model document checklist.


        Is it a system architecture diagrams?
        Is it a data flow diagram?
        Is it a system component interaction diagram?

External dependencies

        Is it a data or functionality dependency?
        Is it a push or a pull (Indicate the direction of the data?) 
        Is it a trusted dependency?

  Did the data you are receiving, in part or whole, from an external dependency originate 
  from a user? If so, was it validated or sanitized?

  Is the data you are receiving sensitive data? If so, is it transmitted over a secure channel?

  If you use a dependency for functionality, do you trust it? 
  If you send data to outside dependencies, how do you establish a trust with that entity
  before sending the data?
  Do you simply rely on an assumption that they are the ones sitting behind a given IP or
  do you authenticate them using a valid digital certificate?

 Implementation Assumption

        Is it an assumption becoming invalidated does the probability of a threat increase?
        Is it an assumption added as a result of a potential attack?
Is it an assumption added as a result of validation?

 External Security Notes

        Is it related information that entities that depend on your application need to be aware of?

 Internal security notes

        Priorities – how are various security initiatives prioritized within the  methdology that is being adopted.
        Challenges – what are some of the challenges encountered with the security initiatives
        for the application?
        Exceptions – are there areas of the application that are exempt from certain security 
        initiatives and why
        Constraints – are there any constraints to certain security initiatives with respect to certain
        areas of the application.

 Application Decomposition

 Trust Levels:

 What is the different trust levels used within an application in order to segment its feature sets and make it possible to model business 
 required access control on protected resources?

 Does the service role have identity nodes?
 Have you flattened the roles?
 Is the related information captured about the Role including its purpose (what set of entities does it group together, what resource does it grant access
 to etc.)

 Is the mechanism by which entities in the role are authenticated captured?
 Is the approximate number of entities indicated that will belong to that role (which helps to assess the impact and opportunity). 

 Entry Points:

 What channels do entities use within the application domain to get access to protected resources?

 What are the Services – The high level services that make up an application? Some examples are IIS, SQL Server,
 MSMQ Server, BizTalk, .Net Web Service, etc.

 What are the Objects – Services are composed of objects. Each type of a service will yield a different type of Object.For example, some

 Objects for IIS would be .asp pages,.aspx pages, etc. While some Objects for SQL Server would be databases.

 Methods – Similar to Objects, different types of Objects will yield different types of methods. For example, some Methods of an .asmx Object

 (which is an Object under a .Net WebService) would be public web methods. While some Methods for a database Object would be stored

 procedures, custom defined functions, views, data tables, etc.

 Inputs – Similar to Objects and Methods, type of input depends on the type of object.

 Some Inputs for an .asp page would be HTML input boxes, HTML check boxes, etc. While some Inputs for a SQL stored procedure would be 
 input parameters.

 Question to ask for each of the above components

  If this entry point is compromised, would this cause a significant business impact? 
  (Ability to cause a feature to behave in a manner for which it was not intended)

  Does the entry point collect data (whether from a user or another service) for persistent or non-persistent storage, 
  it needs to be captured?
  Does the entry point authorize entities for resources, it needs to be captured?
  What are the roles that have access to that Entry Point, regardless of access type?

  Protected Resources:

  What resources is the application responsible for protecting from unauthorized entities.           

  Data elements

        Is the data elements business critical?
  If this data is compromised, would this cause a significant business impact?

        Are logically grouped data elements rolled-up?
        Have the roles that identify the trust Level authorized for them

  Protected intangibles

        Have all the protected intangibles (e.g., uptime, reputation) been listed? 

        Use scenarios

        Does the use case reflect subject-event-object relationships?
        Does the use case reflect object-object relationships?
        Does the use case reflect subject-subject relationships? 

  Independent threat event entities

        Attack pattern

  Is it a blueprint for an attack?
  Is it a form of an attack?
  Have all the known attack patterns been listed?


  Have all the known vulnerabilities been listed?


  Have all the known mitigations for vulnerability been listed?

 Threat Event:

  A Threat Event is an event that if materialized, will have a negative impact on business.|
  For each protected resource x, have the following three scenarios been considered.
  How would you rate the damage associated with a threat event that compromises the confidentiality of x.
  How would you rate the damage associated with a threat event that compromises the integrity of x.
  How would you rate the damage associated with a threat event that compromises the availability of x.
  Has the host, network, application (HNA) vs. Confidentiality, integrity, availability matrix (CIA) defined.

        For each column, have the following questions been answered
   Can x be compromised through the host (on top of which the application logic resides, for           
        example file system, SQL Server, IIS, MSMQ, etc.)?

  Can x be compromised through the network (including routers, switches, firewalls, etc.)?
  Can x be compromised through the application logic (going through the application logic entry points, for example, user interface, COM plug-
  in, API calls, etc?)
  Have all the threat events for CIA been covered in the order of priority
  Does the threat event answer the following questions?

  What protected resource we are trying to come up attack scenarios for?
  What is the category we are concerned with (confidentiality – which implied unauthorized read access, integrity – which implies unauthorized  
  right access or availability)?
  What is the target we are concerned with (host, network, application)?

  Attack Scenario:

  An Attack Scenario is a scenario that details a specific attack which can be used to realize a threat
  Is the specific scenario that when realized leads to the realization of a threat event.
  Is the attack scenario applicable to that specific threat?

  What is the pattern applicable for this attack scenario?

        How this attack carried out
        Does the scenario have an attack tree, has this been completed?
        Has this attack scenario been mitigated?
        Has the STRIDE classification been used to classify this attack scenario?|
        What entry points are needed to be used in order to carry out this attack?
        What protected resources are being compromised with this attack?
        What are the applicable vulnerabilities that this attack scenario is realized?


        Has the DREAD been measured?
        If mitigated, is the after DREAD value less the before DREAD value.