Secure Coding mailing list archives

differences between Threat Analysis and Threat Modeling

From: jgrembi at gmail.com (Jason Grembi)
Date: Wed, 14 Feb 2007 16:11:33 -0500

Hi Ken,

I am currently researching the differences between Threat Analysis and
Threat Modeling.

I thought your readers on the mailing list may give me a clearer
distinction.



How I understand it is that *both* identify security threats, determine
risk, and create the right countermeasures by analyzing various types of
documentation about the system and looking for vulnerabilities and/or areas
of weakness.



*Threat Analysis* ? is more *informal* way of 'eyeballing' system
architecture and application design.
*Threat Modeling* [Microsoft SDL] ? more *formal*, every requirement is
modeled and scrutinized.

Any additional help you or your readers can provide would be appreciated.


Thanks

Jason Grembi

Web Developer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20070214/c2a37207/attachment.html

Current thread:

differences between Threat Analysis and Threat Modeling Jason Grembi (Feb 14)
- differences between Threat Analysis and Threat Modeling scott hollatz (Feb 14)
- differences between Threat Analysis and Threat Modeling Benjamin Tomhave (Feb 14)
- differences between Threat Analysis and Threat Modeling Paco Hope (Feb 22)