WebApp Sec mailing list archives
RE: Threat Modeling
From: "Mikael Brejcha" <mikael () brejcha com>
Date: Mon, 24 May 2004 14:01:08 +0200
Does anyone know what has happened to NIAP's free tool for creating Common Criteria protection profiles and Security Targets? It used to be available on this URL ( http://niap.nist.gov/tools/cctool.html ) but has now disappeared without a word.

This tool, however (if you can find it), is a great sidekick when doing threat modeling for a specific target. It basically is a GUI around an extensible knowledgebase of assumptions, threats, attacks and countering objectives. Not only does it contain this great knowledgebase of general threats, it also allows you to approach those threats in a top-down approach, where you mark which general threat categories apply to your target and then get the subordinate general threats for those threat categories chosen. From there you can get to specific attacks for those general threats. It also matches those attacks to attack countering objectives, thereby allowing you to match threats and requirements.

Matching threats to requirements and vice versa is something that in my opinion is crucial in a long-lived project/product where requirements are questioned down the path and new threats emerge along the way.

Combine cctool and an attack tree modeling tool where you get a good view and starting point for finding new threats and then you have pretty much the ultimate threat modeling tool in my opinion.

P.S. I have failed to get the support I need for doing threat modeling by just using the OCTAVE model on its own. The categories described by OCTAVE seem to be too general in order to give any real support.

/Mikael Brejcha

-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com]
Sent: den 18 maj 2004 23:23
To: webappsec () securityfocus com
Subject: Threat Modeling

Does anyone have any experience with the OCTAVE threat modeling methodology from CMU?

What threat modeling methodology do you use and why?

Any links to any free threat modeling tools out there?