
WebApp Sec mailing list archives
Re: Threat Modeling
From: Ivan Ristic <ivanr () webkreator com>
Date: Fri, 21 May 2004 11:14:19 +0100
aporia () tiscali co uk wrote:
> I've been looking for a free set of threat models, too - no luck, though - would be interested to know if you are successful.
I've decided to create a lightweight methodology for my book ("Apache Security") after failing to find something that meets my requirements. Trying to describe what I want in a few words, I would call it "Lightweight threat modeling for web application deployment". Actually, I don't think I want a methodology but a complete example/case study that can be reused quickly. The three key points are:

1. Lightweight - easy to understand, can be used by a casual user not normally involved with web security or information security in general. Essentially it needs to be very practical, a detailed step-by-step guide.

2. Web applications

3. Deployment - that's the focus of my book, securing the web infrastructure; it does not cover web app development (it covers web security on the level needed to secure the infrastructure). So I sit somewhere in between network infrastructure and application development.

Some of the resources on threat modeling I'm aware of (public first):

* Part I of the book "Improving Web Application Security, Threats and Countermeasures" from Microsoft:
  http://www.microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9

* Attack Modeling for Information Security and Survivability
  http://www.cert.org/archive/pdf/01tn001.pdf

* OCTAVE, http://www.cert.org/octave/

* Collaborative Attack Modeling
  http://www.ito.tu-darmstadt.de/publs/pdf/sac2002.pdf

* Attack Trees, Bruce Schneier
  http://www.counterpane.com/attacktrees.pdf

* Systematic Network Vulnerability Analysis based on Attack Graphs
  http://www.celtic-initiative.org/~pub/InformationDay230304/01-Rieke.pdf

* The book "Managing Information Security Risks: The OCTAVE Approach"
  http://www.amazon.com/exec/obidos/tg/detail/-/0321118863/

* Chapter 4 in "Writing Secure Code"
  http://www.microsoft.com/mspress/books/5957.asp

* There's a book due to be published soon, "Threat Modeling", also from Microsoft:
  http://www.microsoft.com/MSPress/books/6892.asp

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
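Of the resources listed above, Schneier's attack trees are the one most easily turned into the "lightweight, reusable" deployment-level tool the message asks for. The following is an added example, not code from the message, from "Apache Security" or from any of the cited papers: it evaluates an AND/OR attack tree for a web server deployment, finds the cheapest attack path, and ranks which single countermeasure (modelled as making one leaf attack impossible) raises the attacker's cost the most. The goal, the leaf attacks, and the cost figures are constructed for illustration and are not taken from any source.

```python
import copy
from dataclasses import dataclass, field
from typing import List, Tuple

INFINITY = float("inf")


@dataclass
class Node:
    """One node of a Schneier-style attack tree.

    kind is "leaf" (a concrete attack), "or" (any child suffices) or
    "and" (all children are required). cost and possible are only
    meaningful on leaves; interior nodes derive them from their children.
    """
    name: str
    kind: str = "leaf"
    cost: float = 0.0
    possible: bool = True
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf attacks) of the cheapest way to reach node's goal.

    OR nodes take the cheapest child; AND nodes sum all children.
    An impossible subtree has cost INFINITY and an empty attack list.
    """
    if node.kind == "leaf":
        return (node.cost, [node.name]) if node.possible else (INFINITY, [])
    results = [cheapest(child) for child in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        total = sum(r[0] for r in results)
        if total == INFINITY:
            return (INFINITY, [])
        return (total, [leaf for r in results for leaf in r[1]])
    raise ValueError(f"unknown node kind: {node.kind}")


def leaves(node: Node) -> List[Node]:
    """All leaf attacks in the tree, in depth-first order."""
    if node.kind == "leaf":
        return [node]
    return [leaf for child in node.children for leaf in leaves(child)]


def with_leaf_disabled(tree: Node, leaf_name: str) -> Node:
    """Copy of tree in which the named leaf attack is marked impossible,
    i.e. a countermeasure has been deployed against it."""
    mitigated = copy.deepcopy(tree)
    for leaf in leaves(mitigated):
        if leaf.name == leaf_name:
            leaf.possible = False
    return mitigated


def rank_countermeasures(tree: Node) -> List[Tuple[str, float]]:
    """For each leaf, how much does blocking it raise the cheapest attack?

    Returns (leaf name, cost increase) pairs, largest increase first, so
    the deployer can see which single control buys the most.
    """
    baseline = cheapest(tree)[0]
    ranking = []
    for leaf in leaves(tree):
        new_cost = cheapest(with_leaf_disabled(tree, leaf.name))[0]
        ranking.append((leaf.name, new_cost - baseline))
    return sorted(ranking, key=lambda r: r[1], reverse=True)


# Constructed example tree for a single Apache deployment (all names and
# cost figures are illustrative assumptions, not measured values).
EXAMPLE_TREE = Node("Deface the web site", "or", children=[
    Node("Exploit an unpatched web server vulnerability", cost=100),
    Node("Use the administrator's credentials", "and", children=[
        Node("Obtain the admin password", "or", children=[
            Node("Sniff the password over plain HTTP", cost=20),
            Node("Brute-force a weak password", cost=50),
        ]),
        Node("Reach the admin interface from the Internet", cost=10),
    ]),
    Node("Bribe the administrator", cost=5000),
])


if __name__ == "__main__":
    cost, path = cheapest(EXAMPLE_TREE)
    print(f"cheapest attack costs {cost}: {' + '.join(path)}")
    for name, gain in rank_countermeasures(EXAMPLE_TREE):
        print(f"  blocking '{name}' raises attacker cost by {gain}")
```

On this tree the cheapest path is not the headline vulnerability but sniffing an admin password and reaching the admin interface; blocking network access to the admin interface alone defeats the whole AND branch, while patching the server changes nothing until the credential path has been closed. That ordering of deployment work is exactly what a lightweight, reusable case study would want to make visible.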
Current thread:
- Threat Modeling Mark Curphey (May 18)
- Re: [BAD-DATE] Threat Modeling D. Höhn (May 19)
- Re: Threat Modeling Ivan Ristic (May 20)
- RE: Threat Modeling Mikael Brejcha (May 24)
- <Possible follow-ups>
- RE: Threat Modeling Michael Howard (May 20)
- RE: Threat Modeling aporia (May 20)
- RE: Threat Modeling Mark Curphey (May 20)
- Re: Threat Modeling Ivan Ristic (May 21)
- Re: Threat Modeling Frank O'Dwyer (May 21)
- Re: Threat Modeling Adrian Wiesmann (May 21)
- Re: Threat Modeling Adrian Wiesmann (May 21)
- RE: Threat Modeling Dan Morrill (May 20)
- Re: Threat Modeling Matthew Franz (May 20)
- RE: Threat Modeling Dan Morrill (May 21)
- RE: Threat Modeling Michael Howard (May 21)
- RE: Threat Modeling Harbar, Spencer J. (May 25)
- Re: Threat Modeling Chris Scott (May 26)