WebApp Sec mailing list archives
RE: Taxonomies and multi-factor vulnerabilities
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 14 Jul 2005 11:01:07 -0500
Frank O'Dwyer asked: Also what makes you think these things fit into a hierarchy at all,
I don't know what the right classification system is, or if there is one, but the problem interests me. The fuzzy classifications I use now sure help business and organizational owners I work with make some sense out of this technical muck, so they have a purpose. You are right about complexity and the need to view/order/sort for different people/needs in different ways.
From: Steven M. Christey [mailto:coley () mitre org]
[...]
I know that a lot of people on this list understand this, but this is one of the major challenges for building the "right" scheme to effectively capture these kinds of problems. I wish I knew the answer but I'm only just starting to ask better questions.
I was happily using STRIDE as a threat model, for example, until some folks that are smarter than I am pointed out that it's a mix of Threats and Attacks and not a true Threat model. After starting over clean I've come to realize this may be a Rob Rosen style problem. It's hard to separate data from purpose in modeling (particularly with software, where the two are the same), and micro/macro classification systems are usually fundamentally unequal in any science, but I'd rather have a rough or unequal system than no system at all.
-ae