This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Talk:Projects/OWASP Threat Modelling Project"
(Created page with "Threat Modeling Working Session Summary from OWASP Portugal Summit Discussion Points: 1. Threat Modeling – Existing Challenges 2. Taxonomy 3. Threat Modeling Approaches (Asset...") |
|||
| Line 3: | Line 3: | ||
Discussion Points: | Discussion Points: | ||
1. Threat Modeling – Existing Challenges | 1. Threat Modeling – Existing Challenges | ||
| + | |||
2. Taxonomy | 2. Taxonomy | ||
| + | |||
3. Threat Modeling Approaches (Asset Centric, System Centric, Attacker centric) | 3. Threat Modeling Approaches (Asset Centric, System Centric, Attacker centric) | ||
| + | |||
4. Methodology | 4. Methodology | ||
| − | a. Existing Methodologies | + | |
| + | a. Existing Methodologies | ||
i. Microsoft | i. Microsoft | ||
ii. Trike | ii. Trike | ||
iii. PASTA | iii. PASTA | ||
| − | b. Classifying threats into Risk | + | |
| − | c. Technical Impact vs Business Impact | + | b. Classifying threats into Risk |
| + | |||
| + | c. Technical Impact vs Business Impact | ||
| + | |||
5. Input to Threat Modeling | 5. Input to Threat Modeling | ||
| + | |||
6. Components of a Threat Model (Asset, Threat Agent, Actors, Threats, etc) | 6. Components of a Threat Model (Asset, Threat Agent, Actors, Threats, etc) | ||
| + | |||
7. Output of Threat Modeling | 7. Output of Threat Modeling | ||
| + | |||
8. Consumers of Threat Model | 8. Consumers of Threat Model | ||
| + | |||
9. Attack Trees – Advantages and Disadvantages | 9. Attack Trees – Advantages and Disadvantages | ||
| + | |||
10. Application Decomposition and DFDs | 10. Application Decomposition and DFDs | ||
| + | |||
11. Threat Modeling Tools (TAM, PTA, ThreatModeler) | 11. Threat Modeling Tools (TAM, PTA, ThreatModeler) | ||
| + | |||
12. Threat Modeling and Abuse Case Modeling | 12. Threat Modeling and Abuse Case Modeling | ||
| + | |||
13. Threat Library (more focused threats as opposed to Top 10, WASC TC) | 13. Threat Library (more focused threats as opposed to Top 10, WASC TC) | ||
| + | |||
14. Do we need an OWASP Threat Modeling project? | 14. Do we need an OWASP Threat Modeling project? | ||
| + | |||
Accomplishments: | Accomplishments: | ||
| + | |||
1. An insight into how people have been doing threat modeling individually. There is no set standard used by people but everyone has their own. | 1. An insight into how people have been doing threat modeling individually. There is no set standard used by people but everyone has their own. | ||
| + | |||
2. Discussion on having an OWASP threat modeling project and let OWASP drive build and drive a standard which can be adopted by the industry. | 2. Discussion on having an OWASP threat modeling project and let OWASP drive build and drive a standard which can be adopted by the industry. | ||
| + | |||
3. Discussion on various components of threat modeling and how they fit into the process. | 3. Discussion on various components of threat modeling and how they fit into the process. | ||
Output: | Output: | ||
| + | |||
1. A unanimous vote to having an OWASP threat modeling project. | 1. A unanimous vote to having an OWASP threat modeling project. | ||
| + | |||
2. Promotion of such a project to not only security consultants but also having contributors from an end user organization to provide their feedback on challenges and such. | 2. Promotion of such a project to not only security consultants but also having contributors from an end user organization to provide their feedback on challenges and such. | ||
| + | |||
3. OWASP to promote the methodology to establish it as a standard in the industry. | 3. OWASP to promote the methodology to establish it as a standard in the industry. | ||
| Line 40: | Line 63: | ||
1. High level project roadmap with milestones. | 1. High level project roadmap with milestones. | ||
| + | |||
2. Call for participants | 2. Call for participants | ||
| + | |||
3. Review existing resources within OWASP to align with threat modeling project. | 3. Review existing resources within OWASP to align with threat modeling project. | ||
| + | |||
4. Come up with a threat modeling methodology | 4. Come up with a threat modeling methodology | ||
| + | |||
5. Publish the first draft | 5. Publish the first draft | ||
Revision as of 16:41, 4 April 2011
Threat Modeling Working Session Summary from OWASP Portugal Summit
Discussion Points: 1. Threat Modeling – Existing Challenges
2. Taxonomy
3. Threat Modeling Approaches (Asset Centric, System Centric, Attacker centric)
4. Methodology
a. Existing Methodologies
i. Microsoft
ii. Trike
iii. PASTA
b. Classifying threats into Risk
c. Technical Impact vs Business Impact
5. Input to Threat Modeling
6. Components of a Threat Model (Asset, Threat Agent, Actors, Threats, etc)
7. Output of Threat Modeling
8. Consumers of Threat Model
9. Attack Trees – Advantages and Disadvantages
10. Application Decomposition and DFDs
11. Threat Modeling Tools (TAM, PTA, ThreatModeler)
12. Threat Modeling and Abuse Case Modeling
13. Threat Library (more focused threats as opposed to Top 10, WASC TC)
14. Do we need an OWASP Threat Modeling project?
Accomplishments:
1. An insight into how people have been doing threat modeling individually. There is no set standard used by people but everyone has their own.
2. Discussion on having an OWASP threat modeling project and let OWASP drive build and drive a standard which can be adopted by the industry.
3. Discussion on various components of threat modeling and how they fit into the process.
Output:
1. A unanimous vote to having an OWASP threat modeling project.
2. Promotion of such a project to not only security consultants but also having contributors from an end user organization to provide their feedback on challenges and such.
3. OWASP to promote the methodology to establish it as a standard in the industry.
Next Steps:
1. High level project roadmap with milestones.
2. Call for participants
3. Review existing resources within OWASP to align with threat modeling project.
4. Come up with a threat modeling methodology
5. Publish the first draft
