[WEB SECURITY] Attack Tree
Ankur Jindal
divinepresence at gmail.com
Mon Mar 5 22:34:22 EST 2007
Yep
I've been looking at the MS threat modeling tool also alongside. I
understand that a lot depends on my ability to identify flaws and
vulnerabilities with some contribution from tools
(commercial/freeware).
I'll describe a little more about what I am doing. I am working on
developing a threat model for a client. I have very basic information
(components, functionalities and overall business view) about his
application. Based on that I have identified applicable threats. For
those threats he wishes that I present him an attack tree so that he
himself can see the attack surface. I have been referring to the Top 10
and the testing guide as well. The incomplete entries that I mentioned
were in the category attack articles. I do believe that OWASP in
itself is quite a comprehensive testing guide.
Thanks all
Ankur
On 3/6/07, Dinis Cruz <dinis at ddplus.net> wrote:
> You should also check out the
> http://www.owasp.org/index.php/OWASP_Testing_Project
>
> And for attack trees, Microsoft did play with them in the original versions
> of its Threat Models and gave up due to its complexity and 'hard-to-read'
> problems (at least that is my perception)
>
> Dinis Cruz
> Chief OWASP Evangelist
> http://www.owasp.org
>
>
> On 3/5/07, foo <diopollon at gmail.com> wrote:
> > imho owasp top ten
> > http://www.owasp.org/index.php/OWASP_Top_Ten_Project (and its
> > history) cover almost all kind of attacks...
> >
> > and then.. as far as I know, depends from application to application
> > since *you* couldn't describe all kind of...
> > ie. some applications have some logical flaw other are not secure by
> > design and so on....
> >
> > Finally, it is in your ability to find some bugs in the application, just
> > follow a methodology...
> >
> > cheers,
> > dio barbone
> >
> > 2007/3/5, Ankur Jindal <divinepresence at gmail.com>:
> > > Hi
> > > Is there any list of attacks or an basic attack tree that one could
> > > refer to start out on an application pen test? The OWASP attack list
> > > has a lot of incomplete entries.
> > >
> > > Thanks
> > > Ankur
> > >
> > >
> > > ----------------------------------------------------------------------------
> > > Join us on IRC: irc.freenode.net #webappsec
> > >
> > > Have a question? Search The Web Security Mailing List Archives:
> > > http://www.webappsec.org/lists/websecurity/
> > >
> > > Subscribe via RSS:
> > > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]