[Owasp-austin] List/group active?

Matthew Franz mdfranz at gmail.com
Wed Jun 28 19:42:19 EDT 2006


Dan,

Thanks for the link. While that is a good introduction to the
topic/Microsoft approach, I was looking for something beyond the 101
level, because I've found the devil is in the details, whether you are
doing threat modeling or attack trees or whatever you want to call it.

While it would be a mistake to ignore all that Microsoft has published
and released, it is far from perfect. STRIDE, for example,
conflates attacker techniques/methods with goals. And the 1st release
of the TM tool was sort of limiting in that you were pretty much
locked into their approach which is why I've ended up using Freemind
on a number of projects.

See http://iang.org/maps/browser_attack_tree.html for an example

Perhaps do some sort of generic threat models (kind of like what I
did for routing protocols several years back in
http://www.threatmind.net/oldio/papers/draft-convery-bgpattack-01.txt)
for an application server, servlet/J2EE container, or perhaps a
specific appserver like JBoss or Geronimo.

- mdf


On 6/28/06, Dan Cornell <dan at denimgroup.com> wrote:
>
> > And threat modeling (especially if anyone is actually using
> > it and clients find it useful).
> >
>
> OWASP San Antonio did a presentation on Threat Modeling about a year
> ago.  The slide deck can also be found here:
> <http://www.denimgroup.com/knowledge/>  Search for the text "Threat
> Modeling"
>
> I need to get historical info ported over from the old OWASP San Antonio
> section on the OWASP site - just haven't had the time yet.
>
> Thanks,
>
> Dan
>


-- 
Matthew Franz
http://www.threatmind.net


