WebApp Sec mailing list archives

Re: [BAD-DATE] Threat Modeling


From: "D. Höhn" <dmalloc () users sourceforge net>
Date: Wed, 19 May 2004 07:48:17 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Mark Curphey wrote:
| Does anyone have any experience with the OCTAVE threat modeling methodology
| from CMU ?
nope :)
|
| What threat modeling methodology do you use and why ?
|
Well, it might be old and not feature complete but I deem Attack Trees a
very valuable tool: http://www.schneier.com/paper-attacktrees-ddj-ft.html

The methodology behind attack trees is rather simple and that simplicity
makes the whole process rather trivial. The complexity of a threat can
be modeled into different layers, their dependencies can be better
analysed and a conclusion is easier reached imho.

| Any links to any free threat modeling tools out there ?
|
Again I cannot help. My tool uses GraphViz and a bit of perl Magick
along with a SQLite database to do what I want for Attack Tree Threat
modeling.

- -d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAqvUhPMoaMn4kKR4RAw1qAKCS98zNfbT0sc9lYM9X8IVB6uz6JQCgj6Sf
vJDEM3RWO1qKxouxTrE8Mto=
=TBmh
-----END PGP SIGNATURE-----
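
Added example, not part of the original message and not the poster's tool: an attack tree stored in SQLite, evaluated for its cheapest path through AND/OR nodes, and exported as Graphviz DOT. It is written in Python rather than Perl; the schema, node labels and cost values are constructed assumptions.

```python
import sqlite3

# Constructed sample tree: (id, parent, label, kind, cost); cost is set on leaves only.
NODES = [
    (1, None, "Read customer records", "OR", None),
    (2, 1, "Abuse application flaw", "OR", None),
    (3, 1, "Use stolen admin session", "AND", None),
    (4, 2, "Injection in search form", "LEAF", 40),
    (5, 2, "Broken access check on export", "LEAF", 25),
    (6, 3, "Obtain session token", "LEAF", 30),
    (7, 3, "Bypass IP allow-list", "LEAF", 60),
]

def load(nodes):
    """Create an in-memory database holding the tree (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE node (id INTEGER PRIMARY KEY, parent INTEGER,"
               " label TEXT, kind TEXT, cost INTEGER)")
    db.executemany("INSERT INTO node VALUES (?,?,?,?,?)", nodes)
    return db

def cheapest(db, node_id=1):
    """Return (cost, leaf labels) of the cheapest way to reach node_id."""
    label, kind, cost = db.execute(
        "SELECT label, kind, cost FROM node WHERE id=?", (node_id,)).fetchone()
    if kind == "LEAF":
        return cost, [label]
    rows = db.execute("SELECT id FROM node WHERE parent=? ORDER BY id",
                      (node_id,)).fetchall()
    if not rows:
        raise ValueError(f"{kind} node {node_id} has no children")
    kids = [cheapest(db, cid) for (cid,) in rows]
    if kind == "AND":  # every child is required: costs add up
        return sum(c for c, _ in kids), [l for _, ls in kids for l in ls]
    return min(kids, key=lambda k: k[0])  # OR: the cheapest child suffices

def to_dot(db):
    """Render the tree as Graphviz DOT text."""
    out = ["digraph attack_tree {", "  node [shape=box];"]
    for nid, parent, label, kind, cost in db.execute(
            "SELECT id, parent, label, kind, cost FROM node ORDER BY id"):
        text = f"{label}\\ncost={cost}" if kind == "LEAF" else f"{label}\\n[{kind}]"
        out.append(f'  n{nid} [label="{text}"];')
        if parent is not None:
            out.append(f"  n{parent} -> n{nid};")
    return "\n".join(out + ["}"])

if __name__ == "__main__":
    tree = load(NODES)
    print(cheapest(tree))
    print(to_dot(tree))
```

Raising a leaf's cost to model a mitigation and re-running cheapest() shows which branch becomes the next weakest point.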

