WebApp Sec mailing list archives
Re: Threat Modeling
From: Adrian Wiesmann <awiesmann () swordlord org>
Date: Sat, 22 May 2004 00:25:13 +0200
> We've developed our own Risk Assessment Methodology (LCZ-RAM). Although we've built commercial tools around it, the process itself and the security content for it are open. We also intend to give away a free version of the supporting software - look for an announcement from us on this in the coming weeks.
You may be interested in SOMAP (Security Officers Management and Analysis Project - http://www.somap.org) then. This is a recently started open source project with the goal to develop a methodology and tools/documents to analyse and manage threats.
> We do not model threats and likelihoods explicitly, because for one thing this information is usually not known, or not reliable, and secondly because in practice this kind of exercise makes (or should make) no real difference to the countermeasures that you wind up choosing in the end, and last but not least because that's a really bad and dangerous way to design security.
One of the central points around SOMAP and the SOMAP Methodology is that complex formulas are used, but an attempt is made to keep the complexity away from the security officer. Because of this, some meta-data is used to speed up the user's analysis time. In short: a security officer maps the inventory to a global list of assets, defines which protection objects are how important (or need how much protection), and this is it - more or less. The rest can be calculated from the meta-data and pre-defined formulas.
To come back to Mark's initial question: SOMAP is not about web applications or applications in general. It is about assets in general. But this definitely does not mean that it would not be possible to include this speciality in the SOMAP Methodology as well.
> Similarly we don't attempt to make a list of assets and value them, because this really makes no observable difference to the outcome in terms of countermeasures, compared to much simpler approaches. All of a business's assets have some importance or the business wouldn't have them.
I do not completely agree. A business has some assets which are sometimes not known to be around (or they are "forgotten"). Of course there are some "main" or core business assets, but of course there are many more. It is useful for a security officer to not only be able to communicate to the higher management how the main assets are protected. But he also wants to see the risks being introduced with other assets. Like that, it is risky to only show some generalisation of a current situation.
Regards,
Adrian