Secure Coding mailing list archives
differences between Threat Analysis and Threat Modeling
From: list-procurare at secureconsulting.net (Benjamin Tomhave)
Date: Wed, 14 Feb 2007 21:30:59 -0500
Jason, I differentiate between the two like this: Threat Analysis looks at specific threats (e.g., msblaster, zotob, latest exploit of <pick your fav sw/os>). Threat Modeling looks at classes of threats (e.g., network-distributed malware, OS vulnerabilities of Type). Threat analysis is used as a component to various assessment techniques (vulnerability scanning, code review, etc.). The aggregation of data from multiple threat analyses within a define class of threat can then be used to develop a model of that threat. Threat modeling can then be used to look at the overall security and resilience of a system, instead of focusing on the minutae of every individual threat. Ergo, foci on anti-virus, OS hardening, patch management, etc. Practices developed in response to the modeling of classes of threats, the models for which were developed from analysis of the threats that resulted in their classification. Or something like that... cheers, -ben --- Benjamin Tomhave, CISSP, NSA-IAM, NSA-IEM falcon at secureconsulting.net Web: http://falcon.secureconsulting.net/ LI: http://www.linkedin.com/profile?viewProfile= <http://www.linkedin.com/profile?viewProfile=&key=1539292> &key=1539292 Blog: http://www.secureconsulting.net/ Photos: http://photos.secureconsulting.net/ "We must scrupulously guard the civil rights and civil liberties of all citizens, whatever their background. We must remember that any oppression, any injustice, any hatred is a wedge designed to attack our civilization." -President Franklin Delano Roosevelt _____ From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Jason Grembi Sent: Wednesday, February 14, 2007 4:12 PM To: sc-l at securecoding.org Subject: [SC-L] differences between Threat Analysis and Threat Modeling Hi Ken, I am currently researching the differences between Threat Analysis and Threat Modeling. I thought your readers on the mailing list may give me a clearer distinction. How I understand it is that both identify security threats, determine risk, and create the right countermeasures by analyzing various types of documentation about the system and looking for vulnerabilities and/or areas of weakness. Threat Analysis - is more informal way of 'eyeballing' system architecture and application design. Threat Modeling [Microsoft SDL] - more formal, every requirement is modeled and scrutinized. Any additional help you or your readers can provide would be appreciated. Thanks Jason Grembi Web Developer -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20070214/9ee0c48c/attachment.html
Current thread:
- differences between Threat Analysis and Threat Modeling Jason Grembi (Feb 14)
- differences between Threat Analysis and Threat Modeling scott hollatz (Feb 14)
- differences between Threat Analysis and Threat Modeling Benjamin Tomhave (Feb 14)
- differences between Threat Analysis and Threat Modeling Paco Hope (Feb 22)