WebApp Sec mailing list archives

Re: Threat Modeling
From: Ivan Ristic <ivanr () webkreator com>
Date: Fri, 21 May 2004 11:14:19 +0100

aporia () tiscali co uk wrote:
I've been looking for a free set of threat models, too - no luck, though
- would be interested to know if you are successful.

  I've decided to create a lightweight methodology for my book
  ("Apache Security") after failing to find something that meets
  my requirements. Trying to describe what I want in a few words,
  I would call it "Lightweight threat modeling for web application
  deployment".

  Actually, I don't think I want a methodology but a complete
  example/case study that can be reused quickly.

  The three key points are:

   1. Lightweight - easy to understand, can be used by a casual
      user not normally involved with web security or information
      security in general. Essentially it needs to be very practical,
      a detailed step-by-step guide.

   2. Web applications

   3. Deployment - that's the focus of my book, securing the
      web infrastructure; it does not cover web app development
      (it covers web security on the level needed to secure
      the infrastructure). So I sit somewhere in between
      network infrastructure and application development.

  Some of the resources on threat modeling I'm aware of (public
  first):

  * Part I of the book "Improving Web Application Security, Threats
    and Countermeasures" from Microsoft:

http://www.microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9

  * Attack Modeling for Information Security and Survivability
    http://www.cert.org/archive/pdf/01tn001.pdf

  * OCTAVE, http://www.cert.org/octave/

  * Collaborative Attack Modeling
    http://www.ito.tu-darmstadt.de/publs/pdf/sac2002.pdf

  * Attack Trees, Bruce Schneier
    http://www.counterpane.com/attacktrees.pdf

  * Systematic Network Vulnerability Analysis based on Attack Graphs
    http://www.celtic-initiative.org/~pub/InformationDay230304/01-Rieke.pdf

  * The book "Managing Information Security Risks: The OCTAVE Approach"
    http://www.amazon.com/exec/obidos/tg/detail/-/0321118863/

  * Chapter 4 in "Writing Secure Code"
    http://www.microsoft.com/mspress/books/5957.asp

  * There's a book due to be published soon, "Threat Modeling", also
    from Microsoft: http://www.microsoft.com/MSPress/books/6892.asp

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]