Use Elevation of Privilege game to threat model LE


Fraser Scott

Mar 8, 2016, 8:57:05 AM
to threatspec
Hi (Chris),

What do you think about using EoP to guide threat modelling LE? It might add a bit more structure to the process rather than trying to find CWEs etc.

I still think CWEs are valuable, no reason why we can't use a combination of both but using EoP to come up with an attack, then we can reference related CWEs for example.

I made an online version of the game a while back for this sort of use-case - distributed teams working asynchronously.


If you think it's a good idea, I'll create a wiki under the ThreatSpec org that we can use. Here's an example I was doing by myself for pki.io:


Cheers,
Fraser

christop...@gmail.com

Mar 8, 2016, 11:36:44 AM
to threatspec, Fraser Scott
Hey Fraser,

That’s a great idea. You’re the expert amongst us so I may have some questions for you in the process of learning the EoP game. I’ll take a look today. 

Thanks for the pointer. :)

Cheers,
Chris

Fraser Scott

Mar 8, 2016, 12:29:29 PM
to threatspec
I'm a complete TM noob :)

Fraser Scott

Mar 14, 2016, 3:15:37 PM
to threatspec
I've created a wiki page to track the game for EoP


and I have started with the first card, but only with some notes so far. Your turn Chris :)

Fraser Scott

Mar 15, 2016, 7:00:14 AM
to threatspec
Hmm, so I made some notes on the wiki, but feeling kinda stuck. Without any sort of overview architecture diagram, it feels hard to think about how threats may apply to LE, especially as we didn't write it.

One of the original ideas of TS was that it would be an iterative process. So you'd start off in code, generate a report and diagram, use that to further guide TM (e.g. using EoP), which would then result in further code updates etc.

At the moment we don't have a way of generating diagrams so we'd have to rely on external documentation. I'm half tempted to add some basic @review functionality so we can at least document different boundaries and components.
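The iterative loop Fraser sketches in the last message (annotations in code, then a report and diagram, then an EoP-guided review that feeds back into the code) as an added example; this is not code from the thread, from ThreatSpec, or from Let's Encrypt. The `@exposes`/`@mitigates` grammar below is a loose imitation of ThreatSpec's annotation form, the `@review component` / `@review boundary` lines are an invented syntax for the idea floated above, and the source it scans is a constructed sample with made-up components and threats. It tallies exposures per STRIDE category (one EoP suit each), lists exposures with no matching mitigation, and emits a Graphviz diagram of components and trust boundaries so the review has something to look at.

```python
"""Toy scanner for ThreatSpec-style threat annotations in source comments.

Added illustration only: the grammar loosely imitates ThreatSpec's
"@exposes <component> to <threat> with <text>" / "@mitigates ... against ..."
lines, and the "@review component|boundary" lines are an invented syntax for
the idea floated in the thread. None of this is ThreatSpec's own parser.
"""
import re

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

_EXPOSES = re.compile(r"@exposes\s+(\S+)\s+to\s+(.+?)\s+with\s+(.+)")
_MITIGATES = re.compile(r"@mitigates\s+(\S+)\s+against\s+(.+?)\s+with\s+(.+)")
_COMPONENT = re.compile(r"@review\s+component\s+(\S+)")  # hypothetical syntax
_BOUNDARY = re.compile(r"@review\s+boundary\s+(\S+)\s+between\s+(\S+)\s+and\s+(\S+)")  # hypothetical

# Constructed sample input; components and threats are made up for the demo.
SAMPLE = """\
# @review component Web:Login
# @review component Service:Issuer
# @review boundary Internet between Web:Login and Service:Issuer
# @exposes Web:Login to Spoofing: password guessing with no rate limit on login
# @mitigates Web:Login against Spoofing: password guessing with lockout after 5 failures
# @exposes Service:Issuer to Tampering: request body altered in transit with plain HTTP between tiers
# @exposes Service:Issuer to Bogus: not a STRIDE word with this line should be flagged
"""


def stride_category(threat):
    """Map 'Tampering: ...' to its STRIDE category (one EoP suit each).

    Anything not starting with a STRIDE word is kept but marked Unclassified,
    so sloppy annotations show up in the report instead of vanishing."""
    head = threat.split(":", 1)[0].strip()
    return head if head in STRIDE else "Unclassified"


def _entry(comp, threat, desc, lineno):
    return {"component": comp, "category": stride_category(threat),
            "threat": threat.strip(), "desc": desc.strip(), "line": lineno}


def scan(source):
    """Walk the source line by line and build the model the annotations describe."""
    model = {"components": set(), "boundaries": [], "exposures": [], "mitigations": []}
    for lineno, line in enumerate(source.splitlines(), 1):
        if m := _COMPONENT.search(line):
            model["components"].add(m.group(1))
        elif m := _BOUNDARY.search(line):
            name, a, b = m.groups()
            model["boundaries"].append((name, a, b))
            model["components"].update((a, b))  # a boundary implies its two endpoints
        elif m := _EXPOSES.search(line):
            comp, threat, desc = m.groups()
            model["components"].add(comp)
            model["exposures"].append(_entry(comp, threat, desc, lineno))
        elif m := _MITIGATES.search(line):
            comp, threat, desc = m.groups()
            model["components"].add(comp)
            model["mitigations"].append(_entry(comp, threat, desc, lineno))
    return model


def unmitigated(model):
    """Exposures with no @mitigates on the same component for the same threat text.

    Matching is on the exact threat string, so a mitigation for some other
    Spoofing threat does not quietly cover this one."""
    covered = {(m["component"], m["threat"].lower()) for m in model["mitigations"]}
    return [e for e in model["exposures"]
            if (e["component"], e["threat"].lower()) not in covered]


def stride_summary(model):
    """Per-category tally, which is what an EoP session wants to see first."""
    summary = {c: {"exposed": 0, "mitigated": 0} for c in STRIDE + ("Unclassified",)}
    for e in model["exposures"]:
        summary[e["category"]]["exposed"] += 1
    for m in model["mitigations"]:
        summary[m["category"]]["mitigated"] += 1
    return summary


def to_dot(model):
    """Emit a Graphviz digraph: one box per component, dashed edges for boundaries."""
    open_by = {}
    for e in unmitigated(model):
        open_by[e["component"]] = open_by.get(e["component"], 0) + 1
    lines = ["digraph threatspec {", "  node [shape=box];"]
    for comp in sorted(model["components"]):
        lines.append(f'  "{comp}" [label="{comp}\\n{open_by.get(comp, 0)} open"];')
    for name, a, b in model["boundaries"]:
        lines.append(f'  "{a}" -> "{b}" [label="{name}", style=dashed, dir=none];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    model = scan(SAMPLE)
    for cat, n in stride_summary(model).items():
        if n["exposed"] or n["mitigated"]:
            print(f"{cat:24s} exposed={n['exposed']} mitigated={n['mitigated']}")
    for e in unmitigated(model):
        print(f"OPEN  {e['component']}  [{e['category']}] {e['threat']}  (line {e['line']})")
    print(to_dot(model))
```

Pipe the DOT output through `dot -Tpng` to get the overview diagram the thread says is missing; the open-exposure count on each box and the dashed boundary edges give the EoP session a concrete place to start dealing cards, and the Unclassified bucket catches annotations that name no STRIDE category so they get fixed rather than ignored.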