Skip to content

Latest commit

 

History

History
18 lines (12 loc) · 2.03 KB

README.md

File metadata and controls

18 lines (12 loc) · 2.03 KB

The Elevation of Privilege Threat Modeling Card Deck

I created Elevation of Privilege while at Microsoft. I'm creating this repository to have a single location for bugfixes, encourage more derivative work, and all the other goodness that a git repository can bring. At https://www.microsoft.com/en-us/download/details.aspx?id=20303, Microsoft released these under a CC-BY-3.0 license; all these files are maintained under the same license.

Elevation of Privilege (EoP) is the easy way to get started threat modeling. It is designed to make threat modeling easy and accessible for developers and architects. Threat modeling is a core security practice during the design phase of the Microsoft Security Development Lifecycle (SDL). The EoP card game helps examine possible threats to software and computer system. This game is licensed under the Creative Commons Attribution 3.0 United States License. Native files of the game are made available to allow editing, localization, and printing of the game. To view the full content of this license, visit http://creativecommons.org/licenses/by/3.0/us/

There are a set of variants which I track on the Shostack.org website, https://shostack.org/games/elevation-of-privilege including French, German and Japanese translations, online versions, an Alexa skill, and places you can obtain professionally printed cards.

Notes and clarifications

The most complete source of information on the cards is Appendix D of Threat Modeling: Designing for Security. Even if you don't have a copy of the book, you can often see the appendix via Amazon or Google "look inside" features.

  • The Queen of Information Disclosure differs from the King because with the Queen, messages may be encrypted, even if the channel is not.

Privacy variants

There are two independently created privacy variants: