OWASP Threat Modelling Project

From OWASP
Revision as of 15:01, 23 January 2014 by Kait Disney-Leugers (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


OWASP Inactive Banner.jpg

Main

Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Threat Modelling Project (home page)
Purpose: N/A
License: N/A
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases


OWASP Threat Modeling Methodology

Mission

Establish a single and inclusive software-centric OWASP Threat modeling Methodology, addressing vulnerability in client and web application-level services over the Internet.


Motivation

Provide a repeatable and extensible threat modeling methodology for which applications or the web technologies on which they're built can be analyzed in order to drive activities within a secure development cycle.


Scope

The scope of this project, in terms of approach, will be "software-centric", rather than asset- or risk-centric. We do, however, recognize that without risk management, threat modeling provides little value. We will make efforts to establish methodology- neutral risk management tie-in through factors (like threat skill and capabilities) as well as through vulnerability factors (such as susceptibility or accessibility).


From a technical perspective, this group's efforts will be confined to the application layer of the OSI stack, focusing first on interaction between a browser-based client and the server-side web technologies that service it. The group will not confine itself based on languages, platforms, or tool kits at this time. Architecturally, this group will consider classic n-tier applications, federated applications, RESTful services, and simple client-server interaction.


Deliverables

Pursuant to its mission, this group will deliver:

  • A glossary of threat modeling terms
  • An OWASP Threat Modeling methodology document
  * Step-wise activities to be performed
  * Examples of each step's result
  • Threat Library (which may beget an Attack library)


[Background]

Portugal Summit Working Session Summary

Threat Modeling Working Session Summary from OWASP Portugal Summit

Discussion Points:

1. Threat Modeling – Existing Challenges

2. Taxonomy

3. Threat Modeling Approaches (Asset Centric, System Centric, Attacker centric)

4. Methodology

       a. Existing Methodologies
       i.	Microsoft
       ii.	Trike 
       iii.	PASTA
       b. Classifying threats into Risk
       c. Technical Impact vs Business Impact

5. Input to Threat Modeling

6. Components of a Threat Model (Asset, Threat Agent, Actors, Threats, etc)

7. Output of Threat Modeling

8. Consumers of Threat Model

9. Attack Trees – Advantages and Disadvantages

10. Application Decomposition and DFDs

11. Threat Modeling Tools (TAM, PTA, ThreatModeler)

12. Threat Modeling and Abuse Case Modeling

13. Threat Library (more focused threats as opposed to Top 10, WASC TC)

14. Do we need an OWASP Threat Modeling project?



Accomplishments:

1. An insight into how people have been doing threat modeling individually. There is no set standard used by people but everyone has their own.

2. Discussion on having an OWASP threat modeling project and let OWASP drive build and drive a standard which can be adopted by the industry.

3. Discussion on various components of threat modeling and how they fit into the process.


Output:

1. A unanimous vote to having an OWASP threat modeling project.

2. Promotion of such a project to not only security consultants but also having contributors from an end user organization to provide their feedback on challenges and such.

3. OWASP to promote the methodology to establish it as a standard in the industry.


Next Steps:

1. High level project roadmap with milestones.

2. Call for participants

3. Review existing resources within OWASP to align with threat modeling project.

4. Come up with a threat modeling methodology

5. Publish the first draft