Quiz Entry - updated: 2026.06.20
What are the best practices for naming elements in your threat model?
Name flows, boundaries, and processes by what they really are, so an outsider could understand the system from the diagram alone.
Make your flows meaningful:
- Bad: "HTTP", "Request"
- Good: "Blog Content", "Scrape Requests"
Name your trust boundaries:
- Machine boundary?
- Corporate boundary?
- Network boundary?
Processes & external interactors:
- Good:
<company>.com - Bad: "server"
Ultimate test: Outsiders should understand your system from the data flow diagram alone, without additional explanation.