Re: Threat Modeling
From: Ivan Ristic <ivanr () webkreator com>
Date: Fri, 21 May 2004 11:14:19 +0100
aporia () tiscali co uk wrote:
> I've been looking for a free set of threat models, too - no luck, though
> - would be interested to know if you are successful.
I've decided to create a lightweight methodology for my book
("Apache Security") after failing to find something that meets
my requirements. Trying to describe what I want in a few words,
I would call it "Lightweight threat modeling for web application
Actually, I don't think I want a methodology but a complete
example/case study that can be reused quickly.
The three key points are:
1. Lightweight - easy to understand, can be used by a casual
user not normally involved with web security or information
security in general. Essentially it needs to be very practical,
a detailed step-by-step guide.
2. Web applications
3. Deployment - that's the focus of my book, securing the
web infrastructure, it does not cover web app. development
(it covers web security on the level needed to secure
the infrastructure). So I sit somewhere in between
network infrastructure and application development.
Some of the resources on threat modeling I'm aware of (public
* Part I of the book "Improving Web Application Security, Threats
and Countermeasures" from Microsoft:
* Attack Modeling for Information Security and Survivability
* OCTAVE, http://www.cert.org/octave/
* Collaborative Attack Modeling
* Attack Trees, Bruce Schneier
* Systematic Network Vulnerability Analysis based on Attack Graphs
* The book "Managing Information Security Risks: The OCTAVE Approach"
* Chapter 4 in "Writing Secure Code"
* There's a book due to be published soon, "Threat Modeling", also
from Microsoft: http://www.microsoft.com/MSPress/books/6892.asp
[ Open source IDS for Web applications ]