[Owasp-leaders] OWASP Threat Modeling Project - Call for Volunteers/Contributors

Anurag Agarwal (OWASP) anurag.agarwal at owasp.org
Mon Apr 4 15:06:41 EDT 2011

Hi John - Thanks for your feedback. I am very happy to see different people
are writing books on threat modeling (I know Tony/Marco are working on a
book too). This is going to be very helpful in bringing it mainstream. As
for OWASP threat Modeling methodology, I am more interested in implementing
it in SDL phase rather than for pen testers. In my view, the output of
Threat Modeling should be consumed by pen testers and not the other way

Different methodologies can be useful for people who are highly experienced
in this field but having an OWASP methodology will help numerous companies
to agree upon a common approach and can serve as a starting point. Once they
become mature, they can explore other options. 

One of my objective in this project is to bring people like yourself, Marco,
Tony, Edward, etc who are already doing a lot of Threat Modeling in their
companies or at their clients, and use their knowledge and experiences to
come up with a practical threat modeling methodology as a first release and
mature it over a period of time based on the feedback from the community.

I will definitely check out the resources that you mentioned and maybe we
can cross reference for everyone to see each other's work.


Anurag Agarwal
MyAppSecurity Inc
Cell - 919-244-0803
Email - anurag at myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity 

-----Original Message-----
From: jsteven at maladjustment.org [mailto:jsteven at maladjustment.org] On Behalf
Of John Steven
Sent: Monday, April 04, 2011 1:59 PM
To: owasp-leaders at lists.owasp.org
Cc: Anurag Agarwal (OWASP); Jack Mannino
Subject: Re: [Owasp-leaders] OWASP Threat Modeling Project - Call for


I would be happy to volunteer. I committed myself to
"sharing/donating" a threat modeling cookbook "Move to Mobile"
already. Previously, I'd suggested collaborating on such a cookbook
with others but it's proven too difficult to keep people motivated.
So, I'm committed to delivering the rev1 cookbook myself.

Because the cookbook will take time, I've begun blogging about it here:


 and set up a Google Group so that people interested  can augment,
discuss, or extend here:


Currently, this page extends little beyond our OWASP NoVA chapter.
This is not the exclude any of the other fine OWASP practitioners that
teach their own flavor of threat modeling in their local (or global)
stages--everyone is welcome to participate in our little group. If
you'd like to reference / co-opt the group to augment your wiki page,
by all means do so.

Your page provides an introductory overview but remember that several
threat modeling methodologies exist. For instance, while the page
indicates a "Microsoft" threat modeling method, it's important to
remember that Microsoft SDL practitioners recognize two methodologies
themselves internally: one penetration testers use and one more
commonly used by the development teams and their QA staff in SDL. To
me, unifying threat modeling methodologies is a dangerous first step
(religious preference is often fought with a fierceness seldom
otherwise seen).  Rather than attempting to unify aspects of differing
methodologies, I thought, "Why not throw an example of a
methodology--executed on an 'less well understood application
arch-type against the wall" and see if people find any of it useful in
a concrete way?" Thus, the cookbook.

Towards the cookbook end, I have been communicating out of band with
Jack Mannino but only informally thus far. Cookbook goals are

* Show 'who' (threats) from a more classic n-tier web-application
translate into a mobile space, and how the mobile channel adds  'what'
(vectors), and 'where' (surfaces) to existing applications explicitly
and concretely
* Provide a framework of considerations for those developing mobile
apps back-ended by web/service provisions
* Share previously proprietary Cigital methodology/experience w/ OWASP

These specific goals might not align entirely with the broader threat
modeling group--but that's fine. Once I produce the cookbook, I reckon
donating it will allow the community to take with it and do as they
please (Which could include ignoring it)But, as the metaphor implies:
good recipes are meant to be practiced, shared (preferably with
drink), experimented with, and improved.   ;-)


On Mon, Apr 4, 2011 at 12:59 PM, Anurag Agarwal (OWASP)
<anurag.agarwal at owasp.org> wrote:
> Hi Guys - We had a good working session on OWASP threat modeling
> at OWASP Portugal summit. I have updated the discussion points with next
> steps on OWASP Threat Modeling project page.
> http://www.owasp.org/index.php/OWASP_Threat_Modelling_Project
> We are currently seeking volunteers to contribute to the project. I am
> copying the next steps from the wiki page to the mail below.
> 1. High level project roadmap with milestones.
> 2. Call for participants
> 3. Review existing resources within OWASP to align with threat modeling
> project.
> 4. Come up with a threat modeling methodology
> 5. Publish the first draft
> Please subscribe to the mailing list
> https://lists.owasp.org/mailman/listinfo/owasp-threat-modelling-project
> Feel free to reach out to me in case you have any questions or need
> additional information.
> Thanks,
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anurag at myappsecurity.com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Phone: 703.727.4034
Web: http://goo.gl/Y5d2y

More information about the OWASP-Leaders mailing list