[OWASP-TESTING] testing project part 1 - threat modeling

Mads Rasmussen mads at opencs.com.br
Mon Jul 5 12:54:59 EDT 2004

Howard and Le Blanc's book on secure coding writes explicitly why UML 
isn't a good choice for deposing the application being analyzed.

Is there any reason as to why UML was "chosen"? Wouldn't it be better to 
talk about Data Flow Datagrams that seems to be the standard modeling 
tool when modeling flow of data.

I don't for example agree with Use Case models being the best way to 
decompose an application being analyzed. It is handy to model what you 
want the application to do in the analysis phase but more information is 
needed when doing threat analysis (that's my opinion at least)

When modeling something within a time frame you have the sequence 
diagram from UML fitting perfectly.

As a commercial for DFD, it says at msdn, "Data flow diagrams (DFDs) and 
sequence diagrams can help with the formal decomposition of a system. A 
DFD is a graphical representation of data flows, data stores, and 
relationships between data sources and destinations. A sequence diagram 
shows how a group of objects collaborate in terms of chronological events.


There is another approach called Misuse/Abuse Cases, using the use cases 
made in the analysis phase to try abusing the system on a design level. 
This is great but I still think you need more information to do a fully 
threat analysis than is available on the design level.

There is some literature available on this, like:

http://www.cs.york.ac.uk/ftpdir/reports/YCS-2004-375.pdf (paper)

Please send comments!

Mads Rasmussen, M.Sc.
Open Communications Security
+55 11 3345 2525

More information about the Owasp-testing mailing list