Web Application Security
Threat Modeling May 18 2004 09:22PM
Mark Curphey (mark curphey com) (4 replies)
RE: Threat Modeling May 24 2004 12:01PM
Mikael Brejcha (mikael brejcha com)
Does anyone know what has happened to NIAP's free tool for creating Common
Criteria protection profiles and Security Targets? It used to be available
at this URL ( http://niap.nist.gov/tools/cctool.html ) but has now
disappeared without a word.

This tool however (if you can find it), is a great sidekick when doing
threat modeling for a specific target. It basically is a GUI around an
extensible knowledgebase of assumptions, threats, attacks and countering
objectives.

Not only does it contain this great knowledgebase of general threats, it
also allows you to approach those threats in a top-down approach, where you
mark which general threat categories apply to your target and then get
the subordinate general threats for those threat categories chosen. From
there you can get to specific attacks for those general threats. It also
matches those attacks to attack countering objectives, thereby allowing you
to match threats and requirements.

Matching threats to requirements and vice versa is something that in my
opinion is crucial in a long-lived project/product where requirements are
questioned down the path and new threats emerge along the way.

Combine cctool and an attack tree modeling tool where you get a good view
and starting point for finding new threats and then you have pretty much the
ultimate threat modeling tool in my opinion.

P.S. I have failed to get the support I need for doing threat modeling by
just using the OCTAVE model on its own. The categories described by OCTAVE
seem to be too general in order to give any real support.

/Mikael Brejcha

-----Original Message-----
From: Mark Curphey [mailto:mark (at) curphey (dot) com]
Sent: 18 May 2004 23:23
To: webappsec (at) securityfocus (dot) com
Subject: Threat Modeling

Does anyone have any experience with the OCTAVE threat modeling methodology
from CMU ?

What threat modeling methodology do you use and why ?

Any links to any free threat modeling tools out there ?

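Added example, not part of the original post and not cctool's own code or data: a minimal Python sketch of the top-down drill-down and the threat-to-requirement matching the message describes. The knowledge base entries, the `T.`/`O.` names and the function names are all constructed for illustration.

```python
# Constructed sample knowledge base (hypothetical entries, not cctool data):
# threat category -> general threat -> attack -> countering objectives
KB = {
    "Unauthorized access": {
        "T.MASQUERADE": {
            "Password guessing": ["O.AUTH_LOCKOUT"],
            "Session token theft": ["O.SESSION_PROTECT"],
        },
    },
    "Data disclosure": {
        "T.EAVESDROP": {
            "Network sniffing": ["O.TRANSPORT_ENCRYPT"],
            "Verbose error pages": [],  # no countering objective recorded yet
        },
    },
    "Physical": {
        "T.THEFT": {"Stolen server disk": ["O.DISK_ENCRYPT"]},
    },
}


def drill_down(kb, categories):
    """Top-down walk: one (category, threat, attack, objectives) row per attack."""
    for cat in categories:
        for threat, attacks in kb[cat].items():
            for attack, objectives in attacks.items():
                yield cat, threat, attack, list(objectives)


def trace(kb, categories, requirements):
    """Match threats to requirements in both directions for the chosen categories."""
    rows = list(drill_down(kb, categories))
    needed = {obj for *_, objs in rows for obj in objs}
    reqs = set(requirements)
    return {
        # attacks in scope that nothing in the knowledge base counters
        "uncountered_attacks": sorted(a for _, _, a, objs in rows if not objs),
        # objectives the in-scope threats call for but the project has not adopted
        "missing_requirements": sorted(needed - reqs),
        # adopted requirements that no in-scope threat justifies any more
        "unjustified_requirements": sorted(reqs - needed),
    }


if __name__ == "__main__":
    chosen = ["Unauthorized access", "Data disclosure"]          # constructed scope
    adopted = {"O.AUTH_LOCKOUT", "O.TRANSPORT_ENCRYPT", "O.DISK_ENCRYPT"}
    for key, items in trace(KB, chosen, adopted).items():
        print(f"{key}: {items}")
```

Re-running `trace` whenever a threat is added or a requirement is questioned shows which side of the mapping has lost its counterpart.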
Re: Threat Modeling May 20 2004 01:04PM
Ivan Ristic (ivanr webkreator com)
Re: [BAD-DATE] Threat Modeling May 19 2004 05:48AM
"D. Höhn" (dmalloc users sourceforge net) (1 replies)
RE: [BAD-DATE] Threat Modeling Nov 25 2004 11:50PM
Arian J. Evans (arian anachronic com)
Copyright 2010, SecurityFocus