How to do a Quick & Dirty (pre Threat Model) Software Model
Create a high-level diagram outlining the context of the system in question. Then add threats and relationships.
Identify Entity Types – An Entity represents a collection of code. This could be a function or it could represent a logical application, or it could represent an off-the-shelf product, or an infrastructural component.
Identify Attributes – Each entity will have certain attributes which describe that entity. For example, a database entity would have an attribute that specified its use.
Apply Naming Conventions – Make sure to name each entity in such a way that the entity is self-describing.
Identify Relationships – Entities will have connections and communications with other entities in the system. Record the main flows and their direction. The main flows are designated as the REQUEST call as opposed to the RESPONSE data.
The previous steps can be used to create a high-level diagram outlining the context of the system in question. If using a diagramming tool, make sure to create layers to separate out the functional (diagram) from security (threat model).