WebApp Sec: Re: Threat Modeling

Re: Threat Modeling

From: Ivan Ristic <ivanr_at_webkreator.com>
Date: Fri, 21 May 2004 11:14:19 +0100

aporia_at_tiscali.co.uk wrote:
> I've been looking for a free set of threat models, too - no luck, though
> - would be interested to know if you are successful.

   I've decided to create a lightweight methodology for my book
   ("Apache Security") after failing to find something that meets
   my requirements. Trying to describe what I want in few words,
   I would call it "Lightweight threat modeling for web application
   deployment".

   Actually, I don't think I want a methodology but a complete
   example/case study that can be reused quickly.

   The three key points are:

    1. Lightweight - easy to understand, can be used by a casual
       user not normally involved with web security or information
       security in general. Essentially it needs to be very practical,
       a detailed step-by-step guide.

    2. Web applications

    3. Deployment - that's the focus of my book: securing the
       web infrastructure. It does not cover web app development
       (it covers web security at the level needed to secure
       the infrastructure). So I sit somewhere in between
       network infrastructure and application development.

   Some of the resources on threat modeling I'm aware of (public
   first):

   * Part I of the book "Improving Web Application Security, Threats
     and Countermeasures" from Microsoft:
     http://www.microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9

   * Attack Modeling for Information Security and Survivability
     http://www.cert.org/archive/pdf/01tn001.pdf

   * OCTAVE, http://www.cert.org/octave/

   * Collaborative Attack Modeling
     http://www.ito.tu-darmstadt.de/publs/pdf/sac2002.pdf

   * Attack Trees, Bruce Schneier
     http://www.counterpane.com/attacktrees.pdf

   * Systematic Network Vulnerability Analysis based on Attack Graphs
     http://www.celtic-initiative.org/~pub/InformationDay230304/01-Rieke.pdf

   * The book "Managing Information Security Risks: The OCTAVE Approach"
     http://www.amazon.com/exec/obidos/tg/detail/-/0321118863/

   * Chapter 4 in "Writing Secure Code"
     http://www.microsoft.com/mspress/books/5957.asp

   * There's a book due to be published soon, "Threat Modeling", also
     from Microsoft: http://www.microsoft.com/MSPress/books/6892.asp

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
Received on May 21 2004