Hi All – just wanted to update everyone on our Saturday meeting. Below are the meeting notes.
1. Put together an information-gathering questionnaire. This will be a good starting point for people wanting to build threat models. This questionnaire will allow people to gather information such as:
- Application details, including its risk classification
- Infrastructure components where the application is deployed, e.g. web server, DB server, etc.
- Protocols like HTTP, HTTPS, SOAP, etc.
- Technology platform, e.g. .NET, J2EE, WS, REST API, etc.
- External systems the application interacts with outside of the trust boundary, like credit agency, merchant, etc.
- Third-party applications like Struts, Spring, Hibernate, etc.
2. Threat library and its attributes. A template for companies to build a threat library with the following attributes:
- Threat libraries like WASC TC, MITRE CAPEC, CWE, etc.
- Threat agents (detailed attacker profile including skillset, motivation, etc.)
- Business Impact
- Technical Impact
Next steps: At next Saturday's meeting, we will finalize the questionnaire and the template for threat attributes.
Thanks,
Anurag Agarwal
MyAppSecurity
Cell - 919-244-0803
Email - anu...@myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity
Twitter: https://twitter.com/#!/myappsecurity
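As an added illustration of how the two artifacts in these notes fit together (this is not code from the email, from the meeting, or from MyAppSecurity), the following Python sketch models the questionnaire answers and a threat-library entry carrying the attributes listed above (reference identifiers, threat agent, business impact, technical impact), and then selects the library entries that apply to a given application. The applicability conditions on each threat, the "High/Medium/Low" and "low/medium/high" scales, the field names and the sample data are all assumptions made for the example; only the CWE, CAPEC and WASC identifiers are the public ones.

```python
"""Constructed example: questionnaire answers feeding a threat library.
The data model, field names and matching rule are assumptions for this
illustration, not an artifact of the meeting or of MyAppSecurity."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


def _norm(values) -> Set[str]:
    """Case-insensitive comparison so 'DB server' and 'db server' match."""
    return {v.strip().lower() for v in values}


@dataclass
class Questionnaire:
    """Answers from the information-gathering questionnaire (item 1)."""
    app_name: str
    risk_classification: str     # assumed scale: "High" / "Medium" / "Low"
    infrastructure: Set[str]     # e.g. web server, DB server
    protocols: Set[str]          # e.g. HTTP, HTTPS, SOAP
    platforms: Set[str]          # e.g. .NET, J2EE, REST API
    external_systems: Set[str]   # systems outside the trust boundary
    third_party: Set[str]        # e.g. Struts, Spring, Hibernate


@dataclass
class ThreatAgent:
    """Attacker profile attribute of a threat-library entry (item 2)."""
    name: str
    skill: str                   # assumed scale: "low" / "medium" / "high"
    motivation: str


@dataclass
class Threat:
    """One threat-library entry with the attributes listed in the notes."""
    title: str
    references: Dict[str, str]   # WASC TC / CAPEC / CWE identifiers
    agents: List[ThreatAgent]
    business_impact: str
    technical_impact: str
    # Applicability conditions (assumed extension): every non-empty set
    # must intersect the matching questionnaire answer for the threat to apply.
    protocols: Set[str] = field(default_factory=set)
    platforms: Set[str] = field(default_factory=set)
    infrastructure: Set[str] = field(default_factory=set)
    third_party: Set[str] = field(default_factory=set)
    needs_external_systems: bool = False


def applies(threat: Threat, q: Questionnaire) -> bool:
    """True when every non-empty condition on the threat is met by the answers."""
    pairs = [
        (threat.protocols, q.protocols),
        (threat.platforms, q.platforms),
        (threat.infrastructure, q.infrastructure),
        (threat.third_party, q.third_party),
    ]
    for required, answered in pairs:
        if required and not (_norm(required) & _norm(answered)):
            return False
    if threat.needs_external_systems and not q.external_systems:
        return False
    return True


def select_threats(library: List[Threat], q: Questionnaire) -> List[str]:
    """Titles of the library entries that apply to the application, sorted."""
    return sorted(t.title for t in library if applies(t, q))


# Constructed sample library; the identifiers are the public CWE/CAPEC/WASC ones.
OUTSIDER = ThreatAgent("external attacker", "medium", "financial gain")
SAMPLE_LIBRARY = [
    Threat("SQL injection against the database tier",
           {"CWE": "CWE-89", "CAPEC": "CAPEC-66", "WASC": "WASC-19"},
           [OUTSIDER], "Loss of customer data, regulatory exposure",
           "Read or modify any row reachable by the application account",
           infrastructure={"DB server"}),
    Threat("Cross-site scripting in web responses",
           {"CWE": "CWE-79", "CAPEC": "CAPEC-63", "WASC": "WASC-08"},
           [OUTSIDER], "Account takeover, reputational damage",
           "Script execution in victims' browsers",
           infrastructure={"Web server"}),
    Threat("Cleartext transmission to external systems",
           {"CWE": "CWE-319", "CAPEC": "CAPEC-94", "WASC": "WASC-04"},
           [OUTSIDER], "Disclosure of data sent to partners",
           "Interception or modification in transit",
           protocols={"HTTP"}, needs_external_systems=True),
    Threat("Unmaintained third-party framework (Struts)",
           {"CWE": "CWE-1104"},
           [OUTSIDER], "Service compromise", "Depends on the component flaw",
           third_party={"Struts"}),
]

# Constructed questionnaire answers for a hypothetical payment application.
SAMPLE_APP = Questionnaire(
    app_name="online-payments",
    risk_classification="High",
    infrastructure={"Web server", "DB server"},
    protocols={"HTTPS", "SOAP"},
    platforms={"J2EE", "REST API"},
    external_systems={"Credit agency", "Merchant"},
    third_party={"Spring", "Hibernate"},
)

if __name__ == "__main__":
    for title in select_threats(SAMPLE_LIBRARY, SAMPLE_APP):
        print(title)
```

For the sample application only the SQL injection and XSS entries are selected: the cleartext entry is dropped because the application answers HTTPS/SOAP rather than HTTP, and the Struts entry because the third-party list names Spring and Hibernate. Changing the answers (say, adding HTTP or Struts) pulls those entries back in, which is the point of collecting the questionnaire before opening the library.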