Next Steps

[Anurag Agarwal]

Guys- Tony did a great presentation today and I wish we had more
participation but I understand people are busy.

Moving forward, we will communicate over the email so people can respond
when they have time. Here are the next steps

Step 1 - Components of a threat model and aligning it to existing resources.
John has already created a glossary and I am sure people have looked at it.
I am going to send an email out on this shortly and I encourage you all to
chip in with your 2 cents.

Step 2 - Define the step by step process, actors, input/output points and
deliverables at the end of each process. Tony has sent a ppt to the group
which he presented today. Please refer to slide 8.This is going to be our
starting point. We will discuss it in more details going forward.

Step 3 - Metrics. It would be a great idea to show the value of threat
modeling process through the metrics. Tony covered this slightly on slide 4
of the ppt. We need to discuss it further and finalize on what kind of
metrics should be created and at what stage, etc.

Step 4 - How tos, templates, etc.

Please let me know if I missed anything.

Thanks,

Anurag Agarwal
MyAppSecurity Inc
Cell - 919-244-0803
Email - anu...@myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity

[Seba]

Any timings / people assigned to these next steps?

--Seba

[Anurag Agarwal]

Guys - I am assuming some of you guys are going to be at BlackHat but I
wanted to reignite this conversation. As mentioned in the email below there
are 4 steps. I want to start with Step 1-3 and see who would like to work on
these steps. We can do it individually or as a group and then present it to
the entire group here.

Step 1 - Identify components of a threat model
Step 2 - Define step by step process, actors, activities, output of each
step
Step 3 - Metrics

Any takers for any of these activities?

Tony's slides are attached.

Thanks,

Anurag Agarwal
MyAppSecurity Inc
Cell - 919-244-0803
Email - anu...@myappsecurity.com

Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity

[Anurag Agarwal]

Hi Guys - I hope everybody is back from BH/DC/BSides and may have some time
to spare on these activities. Please let me know if one or more of you would
like to work on a specific activity. (See below for details)

[Venkatesh Jagannathan]

Hi Anurag et al,

    Any updates here?

 

Thanks & Regards,

~Venki

[Venkatesh Jagannathan]

Hi,

Any updates here folks?

[Anurag Agarwal]

Meeting minutes from our meeting on 11/10/12

 

1. We will identify all the threat modeling resources on owasp and google group and put them under owasp threat modeling wiki page.

2. Review and finalize the glossary for threat modeling

 

Next meeting is on 11/17 @noon EST on skype.

Agenda : High level bullet points for the owasp threat modeling methodology

 

Thanks,

 

Anurag Agarwal

MyAppSecurity

Cell - 919-244-0803

Email - anu...@myappsecurity.com

Website - http://www.myappsecurity.com

Blog - http://myappsecurity.blogspot.com

LinkedIn - http://www.linkedin.com/in/myappsecurity

Twitter: https://twitter.com/#!/myappsecurity

[Seba]

thx for the update.

Keep up the good work!

--seba

[Reef DSouza]

Hey,

I've compiled a list of resources on threat modeling based on information available on the OWASP site and other sources on the internet. You'll find it in the documents attached. We will carry out the discussion and make the changes to the wiki later in the week. Please share any other resources you might have and submit your comments / feedback.

Thanks,

Reef