|Organizers|Stephen de Vries|
|Participants|Paul Santapau, Jorge Esperon|
Threat models can be assembled from pre-written templates, but an entire template is often too large to serve as a building block for a threat model. A smaller unit is the Risk Pattern: a mini-template tied to a particular technology and/or use-case. Examples of risk patterns:

- Transmitting sensitive data over untrusted networks
- Single-factor authentication against a web app
- File upload to a web app
OWASP would be a great repository for a shared collection of risk patterns, so the first step is to define a format for these patterns.
In its most basic form, a risk pattern can contain:

- A description of the scenario in which the pattern applies
- Threat(s)
- Recommended countermeasure(s)
In order for risk patterns to be useful as a means of collaborating on parts of a threat model, they should:

1. Be easily editable by humans
2. Support versioning and comparability, so that proposed changes to a pattern can be reviewed, approved or rejected
3. Optionally, be parseable by tools to support automation
- A name for this format
- The defined format itself
- An example
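As an added illustration (not an output of this session and not an OWASP standard), the following assumes a Markdown-based layout for a risk pattern: a `# ` title, a `## Scenario` prose section, and bulleted `## Threats` and `## Countermeasures` sections. It parses a constructed "File upload to a web app" pattern, checks the three required parts from the list above, and diffs the bullet lists of two versions to support review of proposed changes.

```python
"""Parse, validate and diff a minimal human-editable risk pattern format.
Assumed layout (hypothetical): '# Title', '## Scenario' (prose),
'## Threats' and '## Countermeasures' (one '- ' bullet per item)."""
from typing import Any, Dict, List

REQUIRED = ("scenario", "threats", "countermeasures")

# Constructed sample pattern, based on the "File upload to a web app" example.
FILE_UPLOAD_V1 = """\
# File upload to a web app
## Scenario
A web application accepts files from users and stores or processes them.
## Threats
- Uploaded content is later served or executed by the server
- Oversized uploads exhaust disk or memory (denial of service)
## Countermeasures
- Validate file type by content, not extension, and restrict allowed types
- Enforce size limits and store uploads outside the web root
"""

def parse_pattern(text: str) -> Dict[str, Any]:
    """Return {'name', 'scenario', 'threats', 'countermeasures', ...}.
    Unknown '## ' sections are kept as bullet lists so the format can grow."""
    pattern: Dict[str, Any] = {"name": "", "scenario": ""}
    section = None
    for line in text.splitlines():
        if line.startswith("# "):
            pattern["name"] = line[2:].strip()
        elif line.startswith("## "):
            section = line[3:].strip().lower()
            pattern.setdefault(section, "" if section == "scenario" else [])
        elif section == "scenario":
            pattern["scenario"] = (pattern["scenario"] + " " + line.strip()).strip()
        elif section and line.startswith("- "):
            pattern[section].append(line[2:].strip())
    return pattern

def validate(pattern: Dict[str, Any]) -> List[str]:
    """List what a reviewer would reject: missing title or empty required parts."""
    problems = [] if pattern.get("name") else ["missing title"]
    for key in REQUIRED:
        if not pattern.get(key):
            problems.append(f"missing or empty section: {key}")
    return problems

def diff_items(old: Dict[str, Any], new: Dict[str, Any], key: str) -> Dict[str, List[str]]:
    """Review aid for versioned patterns: bullets added/removed in one list section."""
    old_set, new_set = set(old.get(key, [])), set(new.get(key, []))
    return {"added": sorted(new_set - old_set), "removed": sorted(old_set - new_set)}
```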
Working session: Define an Open Risk Pattern format