| Track: | Threat Model |
|---|---|
| When: | Thu PM-1 |
| Where: | Kings |
| Organizers | Steven Wierckx |
| Participants | Adam Shostack, Aurelijus Stanislovaitis, Fraser Scott, Sara Davis, Stuart Winter-Tear, Tash Norris |
Why
People are clueless on how to start with threat modeling. I propose we create a guide in the style of ASVS where we show in different levels what the steps are that can be done for threat modeling depending on the need and/or maturity of the organisation.
What
A guide with some levels such as:
- level 0: you are not doing TM or something ad hoc
- level 1: you are answering some of the 4 questions but not in a structured way
- level 2: you do a full 4 question TM for one product
- level 3: you integrated the full TM in the SDLC and vary the amount/level of the TM according to the risk appetite of that application/system/product
Outcomes
The table of contents for the guide and some content.
References
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project