Threat Modeling with EoP


Threat modeling is a technique used to find Security design flaws in Software. The Elevation of Privilege with Privacy card game was originally created by Adam Shostack at Microsoft and was later extended to include privacy by Mark Vinkovits at LogMeIn.

This template is for performing remote threat modeling exercises with engineering teams. I often perform threat modeling exercises with remote teams and facilitating the meeting is much simpler when you have a board prepared that contains the instructions, the cards and different sections for gameplay.

To prepare the board:

  • Add your architecture diagram to each section of the board;

  • Lock the diagrams in place;

  • Select the sticky notes and bring them to the front (so they don't go behind the diagram when being moved).

You will need to distribute the list of cards (each players hand) to them individually and grant them access to the board. You could use the online croupier where you can also get cards made up to play the game.


Brett Crawley image
Brett Crawley
Principal Application Security Engineer@Mimecast
Having many years of AppSec and Software Engineering under my belt, my mission is to share what I learned so others can help make the cyber world more secure.
Share your comment with the Miroverse community.

Similar templates