Threat model track opening session

  • Cheat sheets (one was created in 2017; three will be created in 2018)
  • A one-pager that explains what threat modelling (TM) is, the different names for it, the different methodologies, etc.
  • A common set of data that can be filtered according to different user needs, e.g. the central security team, regulators, dev teams, etc.
  • This set of data should be consumable, consistent, actionable, prioritisable, and reusable
  • A decision to either rewrite or archive website material that is out of date, since the OWASP TM Project currently ranks well down the list of Google search results. This decision will be made at the evening ‘update the website’ session.

Synopsis and Takeaways

  • This was an introductory session to allow participants to decide what will be covered in the Summit’s TM sessions.
  • Every session should be reflected on the OWASP TM Project website.
  • These sessions will feed into Fraser Scott’s sessions on Cloud Security.
  • Steven explained the collegial and community-driven nature of the TM project, which is reflected on the OWASP TM website:
    • Discussions will take place on the Project Slack channel
    • A Google doc will allow comments and updates
    • When Steven believes consensus has been reached on a topic, he will include the consensus view on the website, for further debate and discussion as appropriate.

Identified Questions

  • Most threat model methodologies answer one or more of the following questions:
    • What are we building?
    • What can go wrong?
    • What are we going to do about that?
    • Did we do a good enough job?
  • The TM Project will create a searchable database of techniques, methods, tools, and examples addressing each of these questions.
  • What are the parameters of a threat that should be captured in the proposed common set of reusable data? Initial discussions suggested the following as mandatory:
    • ID
    • Name and short description
    • Assets
  • And the following as optional:
    • Tags
    • Link to model
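To make the proposed record structure concrete, here is an added example (not OWASP TM Project code) of a small loader and filter for the "common set of reusable data": each record must carry the mandatory fields from the list above, may carry the optional ones, and the set can be narrowed to one audience's view (by asset or by tag). The JSON field names, the audience tags, the sample records and the placeholder URL are all assumptions for illustration; the session did not fix a schema.

```python
"""Added example: validate and filter a shared set of threat records.

Field names (id, name, description, assets, tags, model_link), the audience
tags and the sample data are assumptions for illustration, not a schema
adopted by the OWASP Threat Model Project.
"""
import json
from dataclasses import dataclass

MANDATORY = ("id", "name", "description", "assets")
OPTIONAL = ("tags", "model_link")


@dataclass(frozen=True)
class Threat:
    id: str
    name: str
    description: str
    assets: tuple          # assets the threat applies to (mandatory)
    tags: tuple = ()       # free-form tags, e.g. which audience cares (optional)
    model_link: str = ""   # link to the model the threat was taken from (optional)


def parse_threat(record: dict) -> Threat:
    """Turn one raw record into a Threat, refusing records that lack a
    mandatory field or carry an unknown key, so the data set stays consistent."""
    missing = [k for k in MANDATORY if not record.get(k)]
    if missing:
        raise ValueError(f"record {record.get('id', '?')!r} missing mandatory field(s): {missing}")
    unknown = sorted(set(record) - set(MANDATORY) - set(OPTIONAL))
    if unknown:
        raise ValueError(f"record {record['id']!r} has unknown field(s): {unknown}")
    return Threat(
        id=record["id"],
        name=record["name"],
        description=record["description"],
        assets=tuple(record["assets"]),
        tags=tuple(record.get("tags", ())),
        model_link=record.get("model_link", ""),
    )


def load_threats(raw_json: str) -> list:
    """Parse a JSON array of records; IDs must be unique so records can be
    referenced and reused across models."""
    threats, seen = [], set()
    for record in json.loads(raw_json):
        threat = parse_threat(record)
        if threat.id in seen:
            raise ValueError(f"duplicate id {threat.id!r}")
        seen.add(threat.id)
        threats.append(threat)
    return threats


def validation_errors(raw_json: str) -> list:
    """Collect every record-level problem instead of stopping at the first,
    which is what a reviewer of a submitted batch would want to see."""
    errors = []
    for record in json.loads(raw_json):
        try:
            parse_threat(record)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def filter_threats(threats, asset=None, tag=None) -> list:
    """Narrow the shared set to one audience's view: a dev team asks for
    everything touching its asset, a regulator for everything tagged 'compliance'."""
    return [
        t for t in threats
        if (asset is None or asset in t.assets) and (tag is None or tag in t.tags)
    ]


# Constructed sample data (not from any real model).
SAMPLE_JSON = json.dumps([
    {"id": "T-001", "name": "Credential stuffing against login",
     "description": "Passwords reused from third-party breaches are replayed against the login endpoint.",
     "assets": ["user accounts", "login service"],
     "tags": ["dev-team", "authentication"],
     "model_link": "https://example.invalid/models/login"},  # placeholder URL
    {"id": "T-002", "name": "Audit log tampering",
     "description": "An attacker with host access edits or deletes audit records.",
     "assets": ["audit log"],
     "tags": ["regulators", "compliance"]},
    {"id": "T-003", "name": "Session token leaked via Referer",
     "description": "A session token carried in the URL is sent to third parties in the Referer header.",
     "assets": ["user accounts"],
     "tags": ["dev-team"]},
])

# Constructed invalid batch: one record lacks assets, one has an unknown key.
BAD_JSON = json.dumps([
    {"id": "T-004", "name": "No assets listed", "description": "incomplete"},
    {"id": "T-005", "name": "Extra field", "description": "x", "assets": ["db"], "severity": "high"},
])

if __name__ == "__main__":
    for t in filter_threats(load_threats(SAMPLE_JSON), asset="user accounts"):
        print(t.id, t.name)
    print(validation_errors(BAD_JSON))
```

The rejection of unknown keys is deliberate: a shared data set only stays "consistent" and "reusable" if contributors cannot quietly add ad-hoc fields; if a field such as severity is wanted, it should be added to the agreed schema rather than to individual records.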

Important Conclusions

As this was an introductory session, the conclusions will develop as the week continues.


Additional/External References


  • [OWASP Threat Modeling pages](https://www.owasp.org/index.php/OWASP_Threat_Model_Project)
  • The OWASP TM GitHub site is under construction. When ready it will facilitate easier collaboration.

Session organiser(s)

Steven Wierckx


Adam Shostack, Aurelijus Stanislovaitis, Fraser Scott, Matt Pendlebury, Radu Tighineanu, Ruben Tronçon, Stephen Hookings, Tash Norris, Zoltán L. Németh
