The advantage of a ticketing system is that it’s easy to crosslink with mitigations or individual development tickets being implemented. a private GitHub repository) or a spreadsheet to store enumerated threats. In terms of storing the threats once enumerated, a first-order approach is to use an existing ticketing system (e.g. The threat modeling may also use existing attack libraries (like MITRE CAPEC) to aid in threat enumeration. Some of the above mentioned tools provide assistance for the threat enumeration process, using an existing methodology like STRIDE-per-element (in the case of Microsoft TMT and Threat Dragon), although these can only be used as an aid and need to be critically evaluated by the threat modeler to determine their relevance, and to add other potentially relevant threats. Some tools like OWASP Threat Dragon, Microsoft’s TMT and draw.io also provide a GUI to aid in this step. All of these tools enable one to generate the data flow diagrams from the version controlled DFD data. On an continuous basis having the DFD elements and data flows stored in a version-controllable format like XML (as draw.io does), YAML (as threagile or threat-modeling does) or directly as code (as pytm does) is ideal. How to generate and store the diagrams?įor an initial iteration, taking a picture of a sketch or whiteboard drawing can be sufficient. When going about the above steps, several questions immediately come up, some of which have existing solutions in the ecosystem, and some of which do not. This means that tools or processes that can aid the threat modeler perform these tasks on a continuous basis can be of great value. if attacker capabilities or motivations change. Even if a design remains static, the threats and mitigations should still be evaluated periodically as the threat landscape may evolve, e.g. When the design of a system is modified, the threat modeling exercise may be performed again, resulting in needing to pass through the above steps again. determines which mitigations should be applied.Īutomated tools can potentially aid the threat modeler in each of these stages.enumerates threats using the diagram(s) as an aid, and then.generates at least one Data Flow Diagram (DFD) or other diagrams that model the software,.When performing software-centric threat-modeling on an application 1, one typically:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
June 2023
Categories |