[OWASP-TESTING] testing project part 1 - threat modeling
Andrew van der Stock
vanderaj at greebo.net
Tue Jul 6 08:24:27 EDT 2004
Mads,
The reason I mentioned UML is simple - most developers are now familiar with
it, and it is often all they can give me (if they have any doco at all).
I take your point, though. Maybe there is no one "good" method except to say
that decomposing an application is essential.
Abuse cases are interesting. They are like negative test artifacts. It
deserves an inclusion.
Would you like to re-write the chapter? I think that is probably the best
way to get a workable consensus.
Andrew
-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Mads
Rasmussen
Sent: Tuesday, 6 July 2004 2:55 AM
To: Owasp-Testing
Subject: [OWASP-TESTING] testing project part 1 - threat modeling
Howard and Le Blanc's book on secure coding writes explicitly why UML
isn't a good choice for deposing the application being analyzed.
Is there any reason as to why UML was "chosen"? Wouldn't it be better to
talk about Data Flow Datagrams that seems to be the standard modeling
tool when modeling flow of data.
I don't for example agree with Use Case models being the best way to
decompose an application being analyzed. It is handy to model what you
want the application to do in the analysis phase but more information is
needed when doing threat analysis (that's my opinion at least)
When modeling something within a time frame you have the sequence
diagram from UML fitting perfectly.
As a commercial for DFD, it says at msdn, "Data flow diagrams (DFDs) and
sequence diagrams can help with the formal decomposition of a system. A
DFD is a graphical representation of data flows, data stores, and
relationships between data sources and destinations. A sequence diagram
shows how a group of objects collaborate in terms of chronological events.
(http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?p
ull=/library/en-us/dnnetsec/html/thcmch03.asp)
There is another approach called Misuse/Abuse Cases, using the use cases
made in the analysis phase to try abusing the system on a design level.
This is great but I still think you need more information to do a fully
threat analysis than is available on the design level.
There is some literature available on this, like:
http://www.computer.org/security/v2n3/bsi.htm
http://www.martinfowler.com/distributedComputing/abuse.pdf
http://www.cs.york.ac.uk/ftpdir/reports/YCS-2004-375.pdf (paper)
Please send comments!
--
Mads Rasmussen, M.Sc.
Open Communications Security
www.opencs.com.br
+55 11 3345 2525
-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
owasp-testing mailing list
owasp-testing at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-testing
More information about the Owasp-testing
mailing list