Traditional threat modeling has utilized data flow diagrams to model the software or system in question. How well does that methodology work for complex and interconnected systems? During 3 years of threat modeling work at Rackspace, the authors have found the limitations of data flow diagrams and other threat modeling methodologies when conducting threat models of OpenStack, Linux Containers, Docker and other recent cloud technologies. In this presentation, the author review the lessons learned and demonstrate how to interconnect the multiple systems which make up a typical OpenStack deployment into something useful for the developers, operations, security team and more.
