Asset-Oriented Threat Modeling - Université Bretagne Sud
Conference paper, Year: 2020

Asset-Oriented Threat Modeling

Abstract

Threat modeling is recognized as one of the most important activities in software security. It helps to address security issues during software development. Several threat modeling processes are widely used in industry, such as the one in the Microsoft SDL. In threat modeling, it is essential to identify assets before enumerating threats, in order to determine what the threats target and to locate the protection mechanisms. Asset identification and threat enumeration are collaborative activities involving many actors, such as security experts and software architects, and they are traditionally carried out in brainstorming sessions. Because of the lack of guidance, the lack of a sufficiently formalized process, the high dependence on the actors' knowledge, and the variety of the actors' backgrounds, these actors often have difficulty collaborating with each other. Brainstorming sessions are therefore often conducted sub-optimally and require significant effort. To address this problem, we aim to structure the asset identification phase by proposing a systematic asset identification process based on a reference model. This process structures and identifies relevant assets, which facilitates threat enumeration during brainstorming. We illustrate the proposed process with a case study and show its usefulness in supporting threat enumeration and in improving existing threat modeling processes such as the Microsoft SDL one.
Main file: TrustCom2020-soumission.pdf (384.46 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-02990919, version 1 (05-11-2020)

Identifiers

  • HAL Id: hal-02990919, version 1

Cite

Nan Messe, Vanea Chiprianov, Nicolas Belloir, Jamal El-Hachem, Régis Fleurquin, et al. Asset-Oriented Threat Modeling. TrustCom 2020 - 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Dec 2020, Guangzhou, China. pp. 1-11. ⟨hal-02990919⟩
281 views
1440 downloads
