by magicconch 1987 days ago
I’ve been trying to gain an understanding of threat modeling and one thing I’m struggling with is the definition of trust boundary - none of the descriptions I’ve read really clicked for me. Could you describe what it means?
1 comments

Trust boundaries make most sense when used in a data flow diagram, where for every flow between processes you ask yourself: “what could go wrong here?”

That question deserves additional attention if these flows reach processes controlled by different people, or are running under different privileges. That’s when they cross a trust boundary.

So a db server with local storage: single trust boundary around db and storage. But! But! What about the kernel!?

At this point it becomes important to ask another question: does the current abstraction level of the model help you think better about risk? It depends. Perhaps not if the db is part of a larger infrastructure with a global CDN, load balancers, webservers and some in-memory caching layer.
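The check described in the comment above (a flow crosses a trust boundary when its endpoints are controlled by different people or run under different privileges), as an added example that is not part of the thread. The node names, owners and privilege labels are constructed, and the second model goes one abstraction level down to show how the kernel question changes the picture.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    owner: str      # who controls the process (constructed label)
    privilege: str  # account or privilege level it runs under (constructed label)

def trust_zones(nodes):
    """Group nodes that share owner and privilege; each group sits inside one boundary."""
    zones = {}
    for n in nodes:
        zones.setdefault((n.owner, n.privilege), []).append(n.name)
    return zones

def crossing_flows(nodes, flows):
    """Return (src, dst, reasons) for each flow whose endpoints differ in owner or privilege."""
    by_name = {n.name: n for n in nodes}
    found = []
    for src, dst in flows:
        a, b = by_name[src], by_name[dst]
        reasons = [f for f in ("owner", "privilege") if getattr(a, f) != getattr(b, f)]
        if reasons:
            found.append((src, dst, reasons))
    return found

# Constructed model at the coarse level: db and local storage share one boundary.
COARSE_NODES = [
    Node("cdn", "cdn-vendor", "service"),
    Node("web", "ops-team", "www"),
    Node("cache", "ops-team", "www"),
    Node("db", "dba-team", "dbuser"),
    Node("storage", "dba-team", "dbuser"),
]
COARSE_FLOWS = [("cdn", "web"), ("web", "cache"), ("web", "db"), ("db", "storage")]

# Same db host one level down: the kernel mediates access to storage.
FINE_NODES = [
    Node("db", "dba-team", "dbuser"),
    Node("kernel", "dba-team", "kernel"),
    Node("storage", "dba-team", "kernel"),
]
FINE_FLOWS = [("db", "kernel"), ("kernel", "storage")]

if __name__ == "__main__":
    for label, nodes, flows in (("coarse", COARSE_NODES, COARSE_FLOWS),
                                ("fine", FINE_NODES, FINE_FLOWS)):
        for src, dst, reasons in crossing_flows(nodes, flows):
            print(f"{label}: {src} -> {dst} crosses a boundary ({', '.join(reasons)})")
```

Each flagged flow is one where "what could go wrong here?" deserves the additional attention; whether the finer model is worth keeping is the abstraction-level question the comment ends on.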