What effect do you get when adding a custom Risk Measurement plug-in?

ParanoidMike

May 1, 2008, 5:20:05 PM5/1/08
to Microsoft Threat Modeling Tools
I've puzzled over this one for a long time: what specific output/results
do you get when you change from the built-in Risk Measurement
functionality to adding a custom-written Risk Measurement plug-in?
The most detailed info I've ever seen on custom Risk Measurement
plug-ins was this, but I can't make heads or tails of it:

"In order to calculate risk consistently, the process defines risk (R)
as impact (I) times probability (P), i.e. R = I x P. Similarly, the tool
also expects the plug-in to return impact and probability values, and
the risk is derived from them. In order to allow user-based plug-ins,
the tool exposes the necessary interfaces for a developer to implement.
The TMObjectModel.Interfaces namespace (TMObjectModel.dll) contains the
ICalculateRisk interface, which has the CalculateRisk method. The plug-in
needs to implement the above method and return a RiskReturn object by
filling in the Impact and Probability properties. The RiskReturn class is
also available in the same namespace. The tool uses this object to fill in
the threat risk values. The tool loads the plug-in and uses reflection to
find out whether any publicly available classes export this interface,
then loads the appropriate class and executes the CalculateRisk method
to get the RiskReturn object. By doing this we are reflecting, loading
and executing the plug-in code in the same trust as that of the tool."

Does that mean that it'll apply a different mathematical formula (e.g.
different weightings) to the Impact & Probability values you choose,
and give you a different result for the Risk Rating?

Does it mean that it'll add additional input values from the data that
is already gathered by the Tool (e.g. Data Classification)?

Does it mean that you can extend the XML schema to capture new data
values, and use them in a more complicated formula (along with
Probability and Impact) to come up with a new Risk Rating (or
something else)?

I.e., what does the "RiskReturn" object's value become in the final XML
that is saved to the *.atmx file? Is it exactly equal to the "Risk
Rating" value as displayed in the Risk Response section of each
documented Threat?


I gotta wonder how much value a custom Risk Measurement plug-in could
contribute if the only input values you can possibly use are the
Impact and Probability values, which are currently rated 1-3 (and whose
resulting calculation comes out to 1-9).

I'd be much more interested in developing a custom plug-in if I could
for example implement CVSS v2 or a customized derivative of that
vulnerability calculation framework.

Cheers, Mike
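The following is an added illustration of the mechanism the quoted paragraph describes; it is not code from this thread, from the Threat Modeling Tool, or from TMObjectModel.dll. The quote names the namespace `TMObjectModel.Interfaces`, the `ICalculateRisk` interface, its `CalculateRisk` method and the `RiskReturn` class with `Impact` and `Probability` properties, but not the method's parameters, so the parameter list (two CVSS-style 0..10 subscores), the bucketing thresholds and the `PluginHost` loader are assumptions made for the example. What it shows is the shape of the contract as quoted: the plug-in can compute `Impact` and `Probability` however it likes, but it hands back only those two values and the tool derives R = I x P from them.

```csharp
using System;
using System.IO;
using System.Reflection;

// ASSUMED shapes for the two types the quoted description names in
// TMObjectModel.Interfaces. The real declarations live in TMObjectModel.dll;
// in particular the quote does not say what CalculateRisk takes as input.
namespace TMObjectModel.Interfaces
{
    public class RiskReturn
    {
        public int Impact { get; set; }       // the tool's 1..3 scale (assumed from the post)
        public int Probability { get; set; }  // the tool's 1..3 scale (assumed from the post)
    }

    public interface ICalculateRisk
    {
        // Assumed parameter list: a 0..10 impact subscore and a 0..10
        // exploitability subscore, CVSS-style. The real method may differ.
        RiskReturn CalculateRisk(double impactSubscore, double exploitabilitySubscore);
    }
}

namespace ExampleRiskPlugin
{
    using TMObjectModel.Interfaces;

    // A public, non-abstract class implementing ICalculateRisk is what a
    // reflection scan like the one described in the quote would pick up.
    public class SubscoreBucketPlugin : ICalculateRisk
    {
        // Map a 0..10 subscore onto the 1..3 scale. Whatever we return, the tool
        // still computes R = Impact x Probability, so the rating stays within 1..9.
        public static int Bucket(double subscore)
        {
            // Malformed input is treated as the lowest level rather than as "no risk".
            if (double.IsNaN(subscore) || subscore < 0.0) return 1;
            if (subscore < 4.0) return 1;   // thresholds are illustrative, not CVSS-defined
            if (subscore < 7.0) return 2;
            return 3;
        }

        public RiskReturn CalculateRisk(double impactSubscore, double exploitabilitySubscore)
        {
            return new RiskReturn
            {
                Impact = Bucket(impactSubscore),
                Probability = Bucket(exploitabilitySubscore)
            };
        }
    }
}

namespace ExampleHost
{
    using TMObjectModel.Interfaces;

    // Mirrors the loading behaviour the quote describes: load an assembly, find
    // exported classes that implement ICalculateRisk, instantiate one and call
    // CalculateRisk. As the quote says, that code then runs with the host's own
    // trust level, so the host should only load assemblies from a path the
    // tool's administrator controls, never from an untrusted location.
    public static class PluginHost
    {
        public static RiskReturn RunFirstPlugin(string pluginPath,
                                                double impactSubscore,
                                                double exploitabilitySubscore)
        {
            Assembly asm = Assembly.LoadFrom(Path.GetFullPath(pluginPath));
            foreach (Type t in asm.GetExportedTypes())
            {
                if (t.IsClass && !t.IsAbstract && typeof(ICalculateRisk).IsAssignableFrom(t))
                {
                    var plugin = (ICalculateRisk)Activator.CreateInstance(t);
                    return plugin.CalculateRisk(impactSubscore, exploitabilitySubscore);
                }
            }
            throw new InvalidOperationException("no ICalculateRisk implementation in " + pluginPath);
        }

        // Stand-alone run that uses the plug-in compiled into this same file
        // instead of loading a separate DLL.
        public static void Main()
        {
            ICalculateRisk plugin = new ExampleRiskPlugin.SubscoreBucketPlugin();
            RiskReturn r = plugin.CalculateRisk(8.5, 3.9);   // constructed sample subscores
            Console.WriteLine("Impact=" + r.Impact + " Probability=" + r.Probability
                              + " Risk=" + (r.Impact * r.Probability));
        }
    }
}
```

The point of the bucketing step is the limitation Mike raises: a plug-in can pull in richer inputs (here, assumed CVSS-style subscores), but because the quoted contract only lets it fill in `Impact` and `Probability`, anything finer-grained is collapsed back to the 1..3 scale before the tool multiplies the two values.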