[WEB SECURITY] Application Threat Modeling.

Ryan Barnett rcbarnett at gmail.com
Fri May 28 08:32:18 EDT 2010


If you are trying to start this initiative yourself and you need to get the attention/buy-in 
from others (specifically C-Level folks), then you might want to use data from the WASC 
Web Hacking Incident Database (WHID) - http://projects.webappsec.org/Web-Hacking-Incident-Database

When you present WHID entries on real-world web compromises that are relevant to your 
organization (vertical market, specific outcomes that management is concerned with, etc...) 
it is more powerful than talking about these issues in theory.  You can effectively remove 
the debates of "Well, that would never happen to us" or "That vulnerability is not being 
targeted by bad guys".

--
Ryan C. Barnett
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
http://tacticalwebappsec.blogspot.com

On Thursday 27 May 2010 18:23:23 Sean Bates wrote:
> I am looking for some advice on how to start an Application Threat
> Modeling initiative at my company. This activity is part of our
> overall strategy for protecting our web assets. My question is
> specifically based around how to start this program. I am looking for
> success stories, training, books, gotcha's, effective tools and
> general experiences that you have had with the process. I have looked
> at Microsoft's Visio plug-in and played with it but don't really have
> a feel for how effective the tool and the process are. So any advice
> that you could offer in regards to starting this program would be
> greatly appreciated.
> 
> Sean