Threat Modeling Glossary of Terms


jOHN Steven

Apr 19, 2011, 11:08:26 AM
to NoVAOWASP_ThreatModeling, smi...@cigital.com, mw...@cigital.com, anurag....@owasp.org
All,

I agreed to publish a glossary of terms used in "threat modeling"
discussions so that we could normalize conversations about what threat
modeling is and how to best go about it. Sammy Migues (a Cigital
Principal far exceeding my experience in risk management and IT
Security) and I published two things:

1) A Threat Modeling terms glossary
2) A Threat Modeling terms Graph

The first is straightforward: a document listing definitions of terms
commonly used in threat modeling discussions. In it, I've included
common ambiguities as well as clarifications. The document also
sources material used to produce definitions. As a preference, I've
chosen external non-vendor defined as source material.

The document includes (and refers to) the terms graph. Use the terms
graph to direct usage of individual terms relative to each other and
avoid overlap in meaning.

The document has been published here:

https://docs.google.com/document/pub?id=1PW4tnZXjeFioSr2B0014QMLm6hBC8E1AHeeEMlGyIL4

If you have a valid OWASP login (free) then you can access the Google
Document directly:

https://docs.google.com/a/owasp.org/document/d/1PW4tnZXjeFioSr2B0014QMLm6hBC8E1AHeeEMlGyIL4/edit?hl=en

If you'd like to edit the document, simply email me and I'll add you
as an editor.

Thanks,
-jOHN

jOHN Steven

Apr 19, 2011, 11:53:27 AM
to NoVAOWASP_ThreatModeling
All,

I should state, for those interested or more experienced, that
defining the full complement of risk management terms is currently
beyond the scope of the documents produced. The documents were
intended to disambiguate "threat modeling" terms only.

Because the term 'risk' gets thrown around loosely ("the 'risk' of
attack" or "the 'threat' poses a 'risk' to the system"), that term was
included. The risk term was related to probability and impact, as
literature prescribes. This brings up other terms (such as
"likelihood"), especially in an assessment crowd. There is some
discussion of this in a clarifications section of the glossary itself.
Specifically, the clarification regarding natural and intelligent
threats treats this topic explicitly.

Since most people use threat modeling as part of risk-based
assessments, an argument could be made for fleshing risk terms out as
well. I do, however, want to avoid--in wholesale fashion--the
religious warfare that risk management methodologies/philosophies
entail. So, my suggestion is we "punt" this for now: to the extent
that there's ambiguity about threat modeling, there exists much more
disagreement about risk management.

-jOHN

On Apr 19, 11:08 am, jOHN Steven <m1spl4c3ds...@gmail.com> wrote:
> All,
>
> I agreed to publish a glossary of terms used in "threat modeling"
> discussions so that we could normalize conversations about what threat
> modeling is and how to best go about it.  Sammy Migues (a Cigital
> Principal far exceeding my experience in risk management and IT
> Security) and I published two things:
>
> 1) A Threat Modeling terms glossary
> 2) A Threat Modeling terms Graph
>
> The first is straightforward: a document listing definitions of terms
> commonly used in threat modeling discussions. In it, I've included
> common ambiguities as well as clarifications. The document also
> sources material used to produce definitions. As a preference, I've
> chosen external non-vendor defined as source material.
>
> The document includes (and refers to) the terms graph. Use the terms
> graph to direct usage of individual terms relative to each other and
> avoid overlap in meaning.
>
> The document has been published here:
>
> https://docs.google.com/document/pub?id=1PW4tnZXjeFioSr2B0014QMLm6hBC...
>
> If you have a valid OWASP login (free) then you can access the Google
> Document directly:
>
> https://docs.google.com/a/owasp.org/document/d/1PW4tnZXjeFioSr2B0014Q...