-
Notifications
You must be signed in to change notification settings - Fork 177
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How are "target" and its relevant "condition" extracted from a particular threat? #208
Comments
Hi, Currently there is no logic for inheriting attributes from other attacks, so you will have to copy the parent threat and modify it. In my opinion the most important information threat modelling gives you is the knowledge of a potential threat. The severity and the likelihood depend on the software and the environment in which the software is used. What is the severity if we find an information disclosure threat? If you don't know the environment in which your software will be used then you can't make this decision. Then you will need to either mitigate just in case someone will use it with sensitive data or you could inform the users of your software about the potential risk. To conclude the severity and likelihood are very context sensitive and can only be absolute if the context in which the software is executed is fully known. E.g. you run your own software or your users tell you how they use your software. This is also the reason why you can use different threat libraries, so that you can adapt it to your needs and your users needs. |
The whole attribute system was kept open and easy to extend on purpose, as there is no way to encompass the whole gamut of options beforehand. The idea is "if a rule needs an attribute, create the attribute and create the rule". At this point logic interaction between attributes outside of rules is almost non-existent, so that doesn't create many ripples. People are free to extend Elements as they see fit and create specialized elements, or to enrich the existing ones. I agree 100% wich @raphaelahrens on the severity and likelihood comments. In fact this is an area I am actively engaged in these days, and trying to get as much clarity on the boundaries between automated and manual as possible. |
Thanks for your replies, @izar and @raphaelahrens. Looking at your code and the way you extracted the conditions w.r.t. CAPEC is still questioning me. @izar I believe you considered the "prerequisites" field in conjunction with the "Related Weaknesses" to come up with the "proper" conditions, right?
I think those rules in the "condition" field are more your interpretations about the threat. Am I right? Thank you, and I look forward to hearing from you. |
Most of the translation from CAPEC into threats was done by @avhadpooja - she can better give details on the process. |
Hi, this is the process I used:
hope that helps! |
I've been looking at the source code and trying to automate the logic extraction from the threat information. I've got a couple of questions:
Thank you.
The text was updated successfully, but these errors were encountered: