Pre-built threats from OWASP #66
Comments
Great idea! It would be awesome to have templates of pre-built threat models that users can start off with, instead of loading / creating their own.
This is the way that the Microsoft Threat Modeling Tool (TMT) works - STRIDE is evaluated for each element and data flow and threats are automatically generated. I'd like to see this tool do the same.
👍 Definitely sounds like the way to go. We had discussed STRIDE and TMT as a team while developing. I definitely want to have a repository of threats that are associated with elements and data flows. It would be great to pull threats from OWASP automatically, however since it is in a Wiki format we may have to do a lot of the grunt work right now. A database & API of threats would be great! What about having a repository for Threats and their relationships to elements and flows? Pull Requests could be submitted to this repository and we could gradually grow to support many more threats than TMT.
Said repository could reside in SeaSponge's repository here. We could have a directory with multiple files or a large JSON / YAML file with each of the threats and their metadata. I'd like to make this easy enough to maintain and add to that users will feel comfortable contributing to and adding more threats on their own. /cc @Frozenfire92 Thoughts?
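To make the proposal concrete, here is an added example (not SeaSponge code and not from any commenter) of what such a repository and its consumer could look like: a constructed catalogue in the JSON shape suggested above, and a generator that evaluates STRIDE for every element and data flow of a model, the way the thread describes TMT doing it. Element kinds, threat ids, titles and the `crossesTrustBoundary` attribute are all assumptions.

```javascript
// Constructed catalogue in the JSON shape the thread proposes: each threat has a
// STRIDE category, the element kind it applies to, and optional attribute
// requirements. All ids, kinds and titles are assumptions, not SeaSponge data.
const THREAT_CATALOGUE = [
  { id: "T001", stride: "Spoofing", appliesTo: "process",
    title: "Caller identity can be spoofed", mitigation: "Authenticate callers" },
  { id: "T002", stride: "Tampering", appliesTo: "flow",
    title: "Data in transit can be modified", mitigation: "Integrity-protect the channel" },
  { id: "T003", stride: "Information Disclosure", appliesTo: "flow",
    title: "Data in transit can be read", mitigation: "Encrypt the channel",
    requires: { crossesTrustBoundary: true } },
  { id: "T004", stride: "Repudiation", appliesTo: "datastore",
    title: "Writes can be denied", mitigation: "Audit logging" },
  { id: "T005", stride: "Denial of Service", appliesTo: "process",
    title: "Process can be exhausted", mitigation: "Rate limits and quotas" },
  { id: "T006", stride: "Elevation of Privilege", appliesTo: "process",
    title: "Process runs with more privilege than it needs", mitigation: "Least privilege" },
];
// An entry applies when its kind matches and every attribute in `requires`
// (if any) has the same value on the target element or flow.
function matches(entry, kind, target) {
  if (entry.appliesTo !== kind) return false;
  const req = entry.requires || {};
  return Object.keys(req).every((k) => target[k] === req[k]);
}
// Evaluate STRIDE for every element and every data flow in a model and return
// the generated threats, each tagged with the target it was raised on.
function generateThreats(model, catalogue = THREAT_CATALOGUE) {
  const out = [];
  for (const el of model.elements) {
    for (const t of catalogue) {
      if (matches(t, el.type, el)) out.push({ target: el.name, ...t });
    }
  }
  for (const f of model.flows) {
    for (const t of catalogue) {
      if (matches(t, "flow", f)) out.push({ target: `${f.from} -> ${f.to}`, ...t });
    }
  }
  return out;
}
// Constructed sample model: a browser calling a web app that reads a user DB.
const SAMPLE_MODEL = {
  elements: [{ name: "Web App", type: "process" }, { name: "User DB", type: "datastore" }],
  flows: [
    { from: "Browser", to: "Web App", crossesTrustBoundary: true },
    { from: "Web App", to: "User DB", crossesTrustBoundary: false },
  ],
};
```

Running `generateThreats(SAMPLE_MODEL)` yields seven threats; the trust-boundary requirement means the disclosure threat is raised only on the Browser -> Web App flow, which is the kind of per-flow context a shared repository would need to encode.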
I like this idea, but it would be interesting if OWASP was interested in maintaining a repository that we could then pull from. This wouldn't limit any other interested parties from scraping our repo, but being able to contribute to a common official repo
+1, having a repository of threats separate from but used by SeaSponge and maintained by OWASP would be great!
Would be a nice feature to have a set of pre-built threats vs having users create every threat themselves. A good place to start would be the OWASP Top10 list. https://www.owasp.org/index.php/Main_Page