Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Threat Modelling
From: "Frank O'Dwyer" <fod () littlecatZ com>
Date: Tue, 25 May 2004 07:06:27 +0100

Brewis, Mark wrote:

Mark Curphey wrote:
Sent: 23 May 2004 14:22
In general IMHO this conversation started discussing apples (threat modeling to build better technical solutions) and is now trying to compare oranges to apples (info sec management of systems).

Agreed; the discussion has moved from the modelling necessary for the secure coding of an app. or the pentesting of that app. into assessing the wider holistic security environment.

No it hasn't. Taking wider non-technical issues and business
requirements into account is part of the "modelling necessary" in order
to deliver "secure code", that's the point. This in turn is part of what
you need to do to deliver secure technical systems that participate in
some business process - which is the real objective.

You can certainly use different and multiple tools for different aspects
as part of some larger approach, but you can never completely separate
these concerns because they are connected and affect each other.
Otherwise you may wave away some security issue as being "infosec
management" or part of the "wider environment" when in fact it may mean
you need to write different code or test for different things.

That's great, if that is what I want to do. If a wanted to define a test strategy, or identify generic class vulnerabilities in an app. under development, that doesn't meet my needs.

Sure it does. Or at least you've failed to provide any reason why it
wouldn't. Nothing about taking wider issues into account AS WELL implies
that you wind up without a test strategy, or miss generic class
vulnerabilities. It may mean you wind up with a better test strategy.
Whereas doing "secure coding" in isolation from these considerations can
mean you wind up with a pointless test strategy, one that tests the
wrong system for the wrong things. Plus no strategy can test for flaws
in something that isn't there, or that fails to address a business
security requirement in the first place.

That's over and above the fact that any security model that gives a lot
of weight to the needs of pentesting is pretty much doomed to being
wrong from the outset, because most security attributes are quality
attributes for which testing is a really poor fit.

I wanted a screwdriver, and you've passed me a monkey wrench.

Well no I haven't - you wanted a screwdiver and I've given you a
screwdriver. I've also given you a rawlplug and a drill, and pointed out
that unless you use all three together in the right order and in the
right way, the shelf you've been trying to put up will keep falling down.



Frank O'Dwyer      <fod () littlecatZ com>
Little cat Z       http://www.littlecatZ.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]