WebApp Sec mailing list archives
Re: one use for taxonomies
From: Andrew van der Stock <vanderaj () greebo net>
Date: Fri, 15 Jul 2005 11:34:17 +1000
Brenda,

I use TM to decompose business risks as a guide to look for technical issues. If there's a technical threat model, it's usually hard to see the bigger picture of what actually matters.
The reason I do this is to prioritize the search for business-interesting issues, rather than discovering a raft of lesser risks which have no business risk. For example, the world is not going to end if I order a book from Amazon without "128 bit SSL" protecting me. Sure, it may be slightly riskier, but one transaction is not going to cause Amazon to disappear. However, if you can discover a way to view all reports on a system, this is terribly embarrassing for the organization and may violate privacy laws (and banking regulations if you're a bank).
This implies we need several kingdoms, and some kingdoms are more important than others.
Technical Kingdom
- Authentication
- Event handling
- Injection
- Cryptography
- etc

Business Kingdom
- Reputation
- Intellectual Property Loss
- Monetary Loss
- etc

User Kingdom
- Privacy violation
- Identity Theft
- Monetary Loss
- Trust
- etc

Straw-man:

Technical Kingdom view
1.0 An attacker may be able to see the contents of a transaction
  1.1 An attacker has control of a network device involved in the transaction flow
    1.1.1 The attacker can see all data
  1.2 An attacker has a MITM proxy installed on the client PC
    1.2.1 The attacker can see plain text transactions

Business Kingdom view
1.0 An attacker may be able to change the value of a transaction
...

User Kingdom view
1.0 An attacker may be able to steal my credit card when I use this service
...

I personally don't think this is a tractable problem for automation except as a subset of a particular kingdom. What we need are better threat modeling tools to assist in the creation of threat models. The MS tool is far too cumbersome to use for first-time modelers. I use tables in Word and graphs in Visio if I have to do presentations.
thanks,
Andrew

On 15/07/2005, at 8:07 AM, Brenda wrote:

> I'm one of the "folks in Seattle" Arian mentioned in a previous post. I have read what seemed relevant in the list archives, but I just got here; I apologize if I am restating points others said previously. Some colleagues & I have been working on a more consistent, reproducible, computable &c threat modeling methodology. If you've
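The straw-man above can be made concrete as a data structure: one tree per kingdom, in the post's own outline numbering, with technical leaves linked across to the Business and User nodes they enable, so that technical findings are ranked by the business or user consequence they feed rather than by technical severity alone. The following is an added example written for this archive page; it is not code from the original post or from any tool mentioned in it. The outline text, the cross-kingdom links and the weights on the Business/User nodes are all constructed for illustration, and the "1.3" cipher-suite leaf is included only to show a finding with no mapped business consequence sinking to the bottom of the ranking.

```python
"""Rank technical threats by the business and user consequences they enable.

Added example (not code from the original post). It encodes three "kingdom"
trees in the post's outline numbering and scores each technical leaf by the
weights of the Business/User nodes it links to. The outline, the links and
the weights below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    kingdom: str
    ident: str                  # outline number, e.g. "1.1.1"
    text: str
    weight: int = 0             # Business/User nodes: how bad it is if realised
    enables: List[str] = field(default_factory=list)   # "Kingdom:ident" links
    children: List["Node"] = field(default_factory=list)


# Constructed outline. Columns: Kingdom | ident | text | weight | enables (comma-separated)
OUTLINE = """
Technical | 1.0   | An attacker may be able to see the contents of a transaction            | 0 |
Technical | 1.1   | An attacker controls a network device in the transaction flow            | 0 |
Technical | 1.1.1 | The attacker can see all data                                            | 0 | User:1.0, User:2.0
Technical | 1.2   | An attacker has a MITM proxy installed on the client PC                  | 0 |
Technical | 1.2.1 | The attacker can see plain text transactions                             | 0 | User:1.0
Technical | 1.3   | Server still offers an older cipher suite alongside the strong ones      | 0 |
Technical | 2.0   | An attacker may be able to view reports belonging to other customers     | 0 |
Technical | 2.1   | Report URLs use a sequential ID and no ownership check                   | 0 | Business:2.0, User:2.0
Business  | 1.0   | An attacker may be able to change the value of a transaction             | 5 |
Business  | 2.0   | Privacy law / banking regulation breach and public embarrassment         | 8 |
User      | 1.0   | An attacker may be able to steal my credit card when I use this service  | 6 |
User      | 2.0   | Strangers can read my private data                                       | 5 |
"""


def parent_ident(ident: str) -> Optional[str]:
    """'1.0' is a root, '1.1' hangs off '1.0', '1.1.1' hangs off '1.1'."""
    parts = ident.split(".")
    if len(parts) == 2 and parts[1] == "0":
        return None
    if len(parts) == 2:
        return parts[0] + ".0"
    return ".".join(parts[:-1])


def parse_outline(text: str) -> Dict[str, Node]:
    """Build the per-kingdom trees and validate that every link crosses kingdoms."""
    nodes: Dict[str, Node] = {}
    for raw in text.strip().splitlines():
        kingdom, ident, desc, weight, enables = [p.strip() for p in raw.split("|")]
        links = [e.strip() for e in enables.split(",") if e.strip()]
        nodes[f"{kingdom}:{ident}"] = Node(kingdom, ident, desc, int(weight), links)
    for key, node in nodes.items():
        parent = parent_ident(node.ident)
        if parent is not None:
            nodes[f"{node.kingdom}:{parent}"].children.append(node)
        for link in node.enables:
            if link not in nodes:
                raise ValueError(f"{key} enables unknown node {link}")
            if link.split(":")[0] == node.kingdom:
                raise ValueError(f"{key}: links must cross into another kingdom")
    return nodes


def business_score(node: Node, nodes: Dict[str, Node]) -> int:
    """Sum of the weights of the Business/User nodes this technical node enables."""
    return sum(nodes[link].weight for link in node.enables)


def rank_technical(nodes: Dict[str, Node]) -> List[Node]:
    """Technical leaves, highest business/user consequence first."""
    leaves = [n for n in nodes.values() if n.kingdom == "Technical" and not n.children]
    return sorted(leaves, key=lambda n: (-business_score(n, nodes), n.ident))


def report(nodes: Dict[str, Node]) -> List[str]:
    """One line per technical leaf, with the consequences that justify its rank."""
    lines = []
    for leaf in rank_technical(nodes):
        why = ", ".join(f"{link} ({nodes[link].text})" for link in leaf.enables)
        lines.append(f"[{business_score(leaf, nodes):2d}] {leaf.ident} {leaf.text} -> "
                     f"{why or 'no business/user impact mapped'}")
    return lines


if __name__ == "__main__":
    for line in report(parse_outline(OUTLINE)):
        print(line)
```

With the constructed weights, the sequential-report-ID leaf ranks first because it maps to both the regulatory/reputation node and the user privacy node, while the cipher-suite leaf scores zero and lands last: the same ordering the post argues for, with the reasoning recorded on each line rather than in the modeler's head.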