Threat modelling resources


Rakkhi Samarasekera

Apr 21, 2011, 12:31:09 PM
to OWASP Threat Modeling

Christian Frichot

Apr 22, 2011, 12:00:06 AM
to OWASP Threat Modeling
OWASP's Threat Risk Modeling: https://www.owasp.org/index.php/Threat_Risk_Modeling
SANS - Threat Modeling - A Process to ensure Application Security:
http://www.sans.org/reading_room/whitepapers/securecode/threat-modeling-process-ensure-application-security_1646
(seems to be closely related, and/or documenting MS' process)

Other Microsoft resources:
MS' SDL Resources - http://www.microsoft.com/security/sdl/resources/publications.aspx
MS' Patterns and Practices - Threat Modeling Web Applications -
http://msdn.microsoft.com/library/ms978516.aspx
MS' STRIDE Threat Model - http://msdn.microsoft.com/library/ms954176.aspx
MS' Threat Modeling Book - http://www.amazon.com/Threat-Modeling-Microsoft-Professional-Swiderski/dp/0735619913


On Apr 22, 12:31 am, Rakkhi Samarasekera <rakkh...@gmail.com> wrote:
> Microsoft tool: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

Antonio Fontes

Apr 28, 2011, 9:54:35 AM
to OWASP Threat Modeling
----METHODS/FORMALIZATIONS
Microsoft SDL Resources - http://www.microsoft.com/security/sdl/resources/publications.aspx
Microsoft Patterns and Practices - Threat Modeling Web Applications -
http://msdn.microsoft.com/library/ms978516.aspx
Microsoft STRIDE Threat Model - http://msdn.microsoft.com/library/ms954176.aspx
OWASP Threat risk modeling - http://www.owasp.org/index.php/Threat_Risk_Modeling
OWASP Application threat modeling - http://www.owasp.org/index.php/Application_Threat_Modeling
SANS Threat Modeling, A Process to ensure Application Security -
http://www.sans.org/reading_room/whitepapers/securecode/threat-modeling-process-ensure-application-security_1646
Guerilla threat modeling: http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx


----DISCUSSIONS/THREADS
Discussions on threat modeling (in French, DLFP)
http://linuxfr.org/news/threat-modeling-savez-vous-quelles-sont-les-menaces-qui-guette


----BOOKS
----TOOLS
Microsoft's tool: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

Tony UV

Apr 28, 2011, 10:42:17 AM
to owasp-thre...@googlegroups.com
Just wanted to clarify that STRIDE is a threat classification model, not a
threat model in and of itself. DREAD (another MS by-product) is a similar
classification model to classify threats by risk priority. STRIDE is
generally used as part of the security centric approach and DREAD for an
asset or risk centric approach so we should exclude from the OWASP
methodology and gravitate more around the SDL-IT tools and materials
provided by Microsoft *IF* (please note the emphasis on that word) we want to
map or correlate ours with theirs. Not advocating that, just sayin'.

Best,

Tony UcedaVelez, CISM, CISA, GSEC
Atlanta Chapter President
Membership Committee Global Board Member
OWASP Atlanta
http://www.owasp.org/index.php/Atlanta_Georgia
Twitter: @versprite

Anurag Agarwal

May 2, 2011, 10:51:18 AM
to owasp-thre...@googlegroups.com
Guys - I have updated the wiki page with the mission statement.

https://www.owasp.org/index.php/OWASP_Threat_Modelling_Project

I want to start with the steps to define methodology. I know we have
taxonomy as the first step but I would like to take it after we have the
methodology defined. That way, we won't be wasting time on words that we may
not be using initially.

If everyone agrees, we can start identifying different components of the
methodology.


Thanks,

Anurag Agarwal
MyAppSecurity Inc
Cell - 919-244-0803
Email - anu...@myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity

Rafael Dreher

May 2, 2011, 10:55:32 AM
to owasp-thre...@googlegroups.com, <owasp-threat-modeling@googlegroups.com>
Agreed!

--
Rafael Dreher

Venkatesh Jagannathan

May 3, 2011, 12:16:10 AM
to owasp-thre...@googlegroups.com
I'm OK. Let's get it moving!!!
 
Venki


Tony UcedaVelez

May 3, 2011, 8:53:57 AM
to owasp-thre...@googlegroups.com, <owasp-threat-modeling@googlegroups.com>
Looks good. Let's roll on.

Sent from my mobile device. Please excuse any typos.
