[Owasp-leaders] OWASP Threat Modeling Project - Call for Volunteers/Contributors
John.Steven at owasp.org
Mon Apr 4 13:58:43 EDT 2011
I would be happy to volunteer. I committed myself to
"sharing/donating" a threat modeling cookbook "Move to Mobile"
already. Previously, I'd suggested collaborating on such a cookbook
with others but it's proven too difficult to keep people motivated.
So, I'm committed to delivering the rev1 cookbook myself.
Because the cookbook will take time, I've begun blogging about it here:
and set up a Google Group so that people interested can augment,
discuss, or extend here:
Currently, this page extends little beyond our OWASP NoVA chapter.
This is not to exclude any of the other fine OWASP practitioners that
teach their own flavor of threat modeling in their local (or global)
stages--everyone is welcome to participate in our little group. If
you'd like to reference / co-opt the group to augment your wiki page,
by all means do so.
Your page provides an introductory overview but remember that several
threat modeling methodologies exist. For instance, while the page
indicates a "Microsoft" threat modeling method, it's important to
remember that Microsoft SDL practitioners recognize two methodologies
themselves internally: one penetration testers use and one more
commonly used by the development teams and their QA staff in SDL. To
me, unifying threat modeling methodologies is a dangerous first step
(religious preference is often fought with a fierceness seldom
otherwise seen). Rather than attempting to unify aspects of differing
methodologies, I thought, "Why not throw an example of a
methodology--executed on a 'less well understood' application
archetype--against the wall and see if people find any of it useful in
a concrete way?" Thus, the cookbook.
Towards the cookbook end, I have been communicating out of band with
Jack Mannino, but only informally thus far. Cookbook goals are:
* Show 'who' (threats) from a more classic n-tier web-application
translate into a mobile space, and how the mobile channel adds 'what'
(vectors), and 'where' (surfaces) to existing applications explicitly
* Provide a framework of considerations for those developing mobile
apps back-ended by web/service provisions
* Share previously proprietary Cigital methodology/experience w/ OWASP community
These specific goals might not align entirely with the broader threat
modeling group--but that's fine. Once I produce the cookbook, I reckon
donating it will allow the community to take it and do as they
please (which could include ignoring it). But, as the metaphor implies:
good recipes are meant to be practiced, shared (preferably with
drink), experimented with, and improved. ;-)
On Mon, Apr 4, 2011 at 12:59 PM, Anurag Agarwal (OWASP)
<anurag.agarwal at owasp.org> wrote:
> Hi Guys - We had a good working session on OWASP threat modeling methodology
> at OWASP Portugal summit. I have updated the discussion points with next
> steps on OWASP Threat Modeling project page.
> We are currently seeking volunteers to contribute to the project. I am
> copying the next steps from the wiki page to the mail below.
> 1. High level project roadmap with milestones.
> 2. Call for participants
> 3. Review existing resources within OWASP to align with threat modeling
> 4. Come up with a threat modeling methodology
> 5. Publish the first draft
> Please subscribe to the mailing list
> Feel free to reach out to me in case you have any questions or need
> additional information.
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anurag at myappsecurity.com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org