mailing list archives
Re: Threat Modeling
From: Adrian Wiesmann <awiesmann () swordlord org>
Date: Sat, 22 May 2004 00:25:13 +0200
We've developed our own Risk Assessment Methodology (LCZ-RAM). Although
we've built commercial tools around it, the process itself and the
security content for it are open. We also intend to give away a free
version of the supporting software - look for an announcement from us on
this in the coming weeks.
You may be interested in SOMAP (Security Officers Management and Analysis
Project - http://www.somap.org) then. This is a just recently started open
source project with the goal to develop a methodology and tools/documents
to analyse and manage threats.
We do not model threats and likelihoods explicitly, because for one
thing this information is usually not known, or not reliable, and
secondly because in practice this kind of exercise makes (or should
make) no real difference to the countermeasures that you wind up
choosing in the end, and last but not least because that's a really bad
and dangerous way to design security.
One of the central points around SOMAP and the SOMAP Methodology is that
complex formulas are used, but the complexity is tried to be kept away
from the security officer.
Because of this some meta-data is used to speed up the users analysis
time. In short: A security officer maps the inventory to a global list of
assets, defines which protection objects are how important (or need how
much protection) and this is it - more or less. The rest can be calculated
from the meta data and pre-defined formulas.
To come back to Mark's initial question: SOMAP is not about web
applications or applications in general. It is about assets in general.
But this definitely does not means that it would not be possible to
include this speciality in the SOMAP Methodology as well.
Similarly we don't attempt to make a list of assets and value them,
because this really makes no observable difference to the outcome in
terms of countermeasures, compared to much simpler approaches. All of a
business's assets have some importance or the business wouldn't have
I do not completely agree. A business has some asset which are sometimes
not known that they are around (or they are "forgotten"). Of course there
are some "main" or core business assets, but of course there are many
more. It is useful for a security officer to not only be able to
communicate to the higher management how the main assets are protected.
But he also want's to see the risks being introduced with other assets.
Like that it is risky to only show some generalisation of a current