Manual without process
A security consultant (internal or external) runs a brainstorming session with the development tech lead to identify threats and, ultimately, the security controls that mitigate the relevant ones.
The brainstorm is usually based on the STRIDE framework, and its outputs depend heavily on the consultant's knowledge and on the tech lead's ability to describe the application.
Resources
- Microsoft Threat Modeling Tool to draw diagrams and identify threats automatically
- Draw diagrams using https://excalidraw.com/ or https://app.diagrams.net/