Sharing Draft Threat Modeling Glossary


-jOHN

Apr 21, 2011, 10:52:32 AM
to owasp-thre...@googlegroups.com
All,

As previously posted to the mailing list, here's a working glossary of threat modeling terms we can update and work from:

Threat Modeling Glossary

-jOHN

Rakkhi Samarasekera

Apr 21, 2011, 12:27:07 PM
to OWASP Threat Modeling
John that's a great start. Really like the diagram
> Threat Modeling Glossary<https://docs.google.com/a/owasp.org/leaf?id=0B0kzJSN-1ikNYTkxMGM1M2Yt...>
>
> -jOHN

Christian Frichot

Apr 22, 2011, 12:06:34 AM
to OWASP Threat Modeling
Agreed, great document John, and the graph is interesting. I'm just
curious as to how much previously constructed OWASP language/taxonomy
we are going to use? Mainly because I noticed a lot of the sources
were ISACA (not that that's a problem, because they're mostly similar).

Also, am I able to suggest another source for the definition of Risk?
I'm quite fond of the FAIR definition of risk terms, in particular
their definition of risk:

"Risk – The probable frequency and probable magnitude of future loss"
http://fairwiki.riskmanagementinsight.com/?page_id=6

I'm also aware that the 2010 Top 10 referenced FAIR as part of their
risk taxonomy, so I think it would be a good fit here as well.

Regards,

Christian Frichot

-jOHN

Apr 22, 2011, 8:40:48 AM
to owasp-thre...@googlegroups.com
All,

Quick clarification: some wonder about how/why I sourced what I did when defining terms. I used the following heuristics:

* Favor the earliest definition known
* Allow a more recent definition to update or color a previous definition, especially with respect to application security context
* Do not allow a more recent definition to change direction without having been journal-accepted (or similarly peer-reviewed)
* Favor software development and especially architecture sources over security sources

The definitions provided by the OWASP wiki, in particular, fail that third heuristic a fair amount, while often providing the second's benefit.

As for "why", perhaps it's my years in research and doing both magazine and journal review for IEEE. You're taught, for better or worse, that there must be a good reason to replace an existing definition. Comparing the published result with Cigital's internal docs, I updated the source material considerably. A lot of my internal material on threat modeling dates back to the 70's and early 80's. It appears as though, while it predates OWASP considerably, the ISACA stuff is 'more recent'.

Favoring existing documentation, especially that from an architecture context, serves to create the best chance for engaging those whom we most want in an application security threat modeling discussion: architects, development teams, and development-centric organizations.

All that having been said, I meant the glossary to be a "worksheet" rather than "the 10 Commandments". So, I think we have something to start with, improve, and evolve.

-jOHN