Thursday, July 28, 2011
Risk Modeling, not "Threat Modeling"
Thanks to the great new book Metasploit (review pending), I learned of the Penetration Testing Execution Standard. According to the site, "It is a new standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing (i.e. security evaluations)." I think this project has a lot of promise given the people involved.
I wanted to provide one comment through my blog, since this topic is one I've covered previously. One of the goals of the standard is to name and explain the steps performed in a penetration test. One of them is currently called "threat modeling," and is partly explained using this diagram:
When I saw elements called "business assets," "threat agents," "business process," and so on, I realized this is more of a risk model, not just a "threat model."
I just tagged a few older posts as discussing threat model vs risk model linguistics, so they might help explain my thinking. This issue isn't life or death, but I think it would be more accurate to call this part of the PTES "Risk Modeling."