Hey all,
I may not make it back in time to fire up Skype and be on the call, but did want to reiterate some things I did mention to Anurag last night on threat modeling (TM).
So one of the top questions I get from clients on TM is 'is my org ready for threat modeling?'. Recognizing that there are several types of TM, and OWASP is focusing on a software-centric approach, I plan to build a quick self-assessment for dev groups and managers OR security leaders (basically, whoever is championing TM in their org) to fill out before diving in too deep within TM.
First, assuming that one of many goals of a software-centric TM approach is to identify probable threats and develop adequate countermeasures, the threat profile of an app must be identified. That being said, the first genre of questions in this proposed self-assessment is focused on the availability of incident response or threat intelligence data around an existing app being threat modeled, or industry threat intel on similar types of apps. In such a way, the TM facilitator can have a focused approach to those more realistic threat scenarios. The lack of this data in a software-centric approach will really undermine the substance and reliability of threat exercises.
Second area is focused on the availability of source code, architectural diagrams, DFDs, etc. in order to focus threat exercises, substantiated by threat intel, in those areas of the app. Companies may be working with COTS or inherited code, which will again undermine the effectiveness of TM exercises.
Step zero should of course be governance to support this process b/c w/o this there really is no point, since no one will care about the output produced by these exercises.
Tony UV
Sent from my Windows Phone