JD let Kent and me know that PAG has published some new guidance around threat modeling. Threat modeling is more difficult than it might seem at first, but this guidance makes it a lot easier by helping you narrow down what it is you need to protect yourself against.
Threat Modeling Web Applications
This guidance presents the patterns & practices approach to creating threat models for Web applications. Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk.