WebApp Sec mailing list archives

Re: Threat Modeling
From: Ivan Ristic <ivanr () webkreator com>
Date: Fri, 21 May 2004 11:14:19 +0100

aporia () tiscali co uk wrote:
I've been looking for a free set of threat models, too - no luck, though
- would be interested to know if you are successful.

  I've decided to create a lightweight methodology for my book
  ("Apache Security") after failing to find something that meets
  my requirements. Trying to describe what I want in a few words,
  I would call it "Lightweight threat modeling for web application

  Actually, I don't think I want a methodology but a complete
  example/case study that can be reused quickly.

  The three key points are:

   1. Lightweight - easy to understand, can be used by a casual
      user not normally involved with web security or information
      security in general. Essentially it needs to be very practical,
      a detailed step-by-step guide.

   2. Web applications

   3. Deployment - that's the focus of my book, securing the
      web infrastructure; it does not cover web app development
      (it covers web security on the level needed to secure
      the infrastructure). So I sit somewhere in between
      network infrastructure and application development.

  Some of the resources on threat modeling I'm aware of (public

  * Part I of the book "Improving Web Application Security, Threats
    and Countermeasures" from Microsoft:


  * Attack Modeling for Information Security and Survivability

  * OCTAVE, http://www.cert.org/octave/

  * Collaborative Attack Modeling

  * Attack Trees, Bruce Schneier

  * Systematic Network Vulnerability Analysis based on Attack Graphs

  * The book "Managing Information Security Risks: The OCTAVE Approach"

  * Chapter 4 in "Writing Secure Code"

  * There's a book due to be published soon, "Threat Modeling", also
    from Microsoft: http://www.microsoft.com/MSPress/books/6892.asp

ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
