WebApp Sec mailing list archives

Re: Threat Modeling


From: Adrian Wiesmann <awiesmann () swordlord org>
Date: Sat, 22 May 2004 00:25:13 +0200

> We've developed our own Risk Assessment Methodology (LCZ-RAM). Although 
> we've built commercial tools around it, the process itself and the 
> security content for it are open. We also intend to give away a free 
> version of the supporting software - look for an announcement from us on
> this in the coming weeks.

You may be interested in SOMAP (Security Officers Management and Analysis
Project - http://www.somap.org) then. This is a recently started open
source project with the goal of developing a methodology and tools/documents
to analyse and manage threats.


> We do not model threats and likelihoods explicitly, because for one 
> thing this information is usually not known, or not reliable, and 
> secondly because in practice this kind of exercise makes (or should 
> make) no real difference to the countermeasures that you wind up 
> choosing in the end, and last but not least because that's a really bad 
> and dangerous way to design security. 

One of the central points around SOMAP and the SOMAP Methodology is that
complex formulas are used, but an attempt is made to keep the complexity
away from the security officer.

Because of this, some meta-data is used to speed up the user's analysis
time. In short: a security officer maps the inventory to a global list of
assets, defines which protection objects are how important (or need how
much protection), and that is it - more or less. The rest can be calculated
from the meta-data and pre-defined formulas.

To come back to Mark's initial question: SOMAP is not about web
applications or applications in general. It is about assets in general.
But this definitely does not mean that it would not be possible to
include this speciality in the SOMAP Methodology as well.


> Similarly we don't attempt to make a list of assets and value them, 
> because this really makes no observable difference to the outcome in 
> terms of countermeasures, compared to much simpler approaches. All of a 
> business's assets have some importance or the business wouldn't have 
> them. 

I do not completely agree. A business has some assets which are sometimes
not known to be around (or they are "forgotten"). Of course there
are some "main" or core business assets, but of course there are many
more. It is useful for a security officer to not only be able to
communicate to the higher management how the main assets are protected.
He also wants to see the risks being introduced by other assets.
So it is risky to only show some generalisation of the current
situation.

Regards,
Adrian
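The workflow sketched in the reply above (officer maps inventory items to a global asset list and rates how much protection each objective needs; the tool derives risk from catalogue meta-data and pre-defined formulas) can be illustrated with a small script. The example below is added for this archive page and is not SOMAP's or LCZ-RAM's code: the asset classes, the exposure values, the 0..3 importance scale and the weighted-sum formula are all assumptions chosen for illustration. It also shows the "forgotten asset" point from the last paragraph: inventory items that were never mapped to the catalogue cannot be scored and are reported separately instead of silently dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Protection objectives the officer rates for each asset (assumed list).
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Global asset catalogue with pre-defined exposure meta-data per objective,
# on a 0.0 .. 1.0 scale. Constructed sample values, not taken from any real
# methodology; in a real tool this is the content the officer does not edit.
CATALOGUE: Dict[str, Dict[str, float]] = {
    "web_server": {"confidentiality": 0.6, "integrity": 0.7, "availability": 0.8},
    "database": {"confidentiality": 0.9, "integrity": 0.8, "availability": 0.5},
    "workstation": {"confidentiality": 0.5, "integrity": 0.4, "availability": 0.2},
}


@dataclass
class InventoryItem:
    """One item from the organisation's inventory, as entered by the officer."""
    name: str
    asset_class: Optional[str]          # None means "not mapped to the catalogue yet"
    importance: Dict[str, int]          # 0 (irrelevant) .. 3 (critical) per objective


def risk_score(item: InventoryItem) -> float:
    """Pre-defined formula (assumed): sum over objectives of importance * exposure.

    The officer only supplies the importance ratings; exposure comes from the
    catalogue meta-data, so the formula never has to be seen or tuned by hand.
    """
    exposure = CATALOGUE[item.asset_class]
    total = sum(item.importance.get(obj, 0) * exposure[obj] for obj in OBJECTIVES)
    return round(total, 2)


def assess(inventory: List[InventoryItem]) -> Tuple[List[Tuple[str, float]], List[str]]:
    """Rank all mappable items by risk and list the ones that cannot be scored.

    Unmapped items are exactly the "forgotten" assets from the post: they carry
    risk the officer cannot yet quantify, so they must stay visible in the report.
    """
    scored: List[Tuple[str, float]] = []
    unmapped: List[str] = []
    for item in inventory:
        if item.asset_class not in CATALOGUE:
            unmapped.append(item.name)
            continue
        scored.append((item.name, risk_score(item)))
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return scored, unmapped


# Constructed sample inventory: two mapped assets and one that nobody mapped.
SAMPLE_INVENTORY = [
    InventoryItem("customer-db-01", "database",
                  {"confidentiality": 3, "integrity": 3, "availability": 2}),
    InventoryItem("www-01", "web_server",
                  {"confidentiality": 1, "integrity": 2, "availability": 3}),
    InventoryItem("old-test-box", None, {}),
]

if __name__ == "__main__":
    ranked, forgotten = assess(SAMPLE_INVENTORY)
    for name, score in ranked:
        print(f"{name:16} risk={score}")
    for name in forgotten:
        print(f"{name:16} NOT MAPPED - cannot be assessed, review inventory")
```

Running the script ranks `customer-db-01` above `www-01` and flags `old-test-box` as unassessed; the management summary can then show both the scored core assets and the unscored remainder, which is the visibility the reply argues for.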

