<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-4088979.post2239548264289718235..comments</id><updated>2008-02-12T17:59:22.746-05:00</updated><title type='text'>Comments on TaoSecurity: Someone Please Explain Threats to Microsoft</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/2239548264289718235/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>10</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4088979.post-9082068698933840044</id><published>2008-02-12T17:59:00.000-05:00</published><updated>2008-02-12T17:59:00.000-05:00</updated><title type='text'>I’m evaluating SDL for use in a new software syste...</title><content type='html'>I’m evaluating SDL for use in a new software system.  I really liked SDL until I got to Chapter 9 on Risk Analysis.  In this chapter, I’m having serious problems understanding the SDL terminology.  After many re-reads of the chapter, I’m suspecting the problem is not my lack of intelligence, but instead, that the terminology has significant flaws.  
Further, these flaws lead me to wonder what other aspects of SDL might have problems.&lt;BR/&gt;&lt;BR/&gt;Richard’s blog articles provide excellent insights on these terminology problems—thanks!&lt;BR/&gt;&lt;BR/&gt;Some additional thoughts:&lt;BR/&gt; &lt;BR/&gt;*  Richard identified that, in SDL, “threat” often means “vulnerability”.  I’d add that, also, “threat” often seems to mean “potential vulnerability”, e.g., as in “Identify Threats to the System” on page 116 of the SDL book.&lt;BR/&gt;&lt;BR/&gt;* In general, SDL might be clearer if the authors explicitly stated whether “threats” refer to *potential* or *actual* vulnerabilities, e.g., is the threat modeling process used to identify potential or actual vulnerabilities?&lt;BR/&gt;&lt;BR/&gt;* At times, the term "threat” seems to make most sense as being “ways software can potentially be attacked”, or “ways hackers could attempt to attack software”, e.g., the STRIDE threat types as described on pg 114</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/9082068698933840044'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/9082068698933840044'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html?showComment=1202857140000#c9082068698933840044' title=''/><author><name>jimyuill</name><uri>http://www.blogger.com/profile/15515623918581564260</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html' ref='tag:blogger.com,1999:blog-4088979.post-2239548264289718235' source='http://www.blogger.com/feeds/4088979/posts/default/2239548264289718235' 
type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5344082569066153369</id><published>2007-10-04T19:00:00.000-04:00</published><updated>2007-10-04T19:00:00.000-04:00</updated><title type='text'>Exploited vulnerabilities are a threat to Microsof...</title><content type='html'>Exploited vulnerabilities are a threat to Microsoft's public image they've fostered that they build secure software when the evidence is to the contrary. But they are not alone. I received an email from ISC(2) today about threat modeling. Richard is right that one has to get the terminology within context right or else people fail to communicate effectively.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/5344082569066153369'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/5344082569066153369'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html?showComment=1191538800000#c5344082569066153369' title=''/><author><name>jbmoore</name><uri>http://www.blogger.com/profile/09751110750712243573</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html' ref='tag:blogger.com,1999:blog-4088979.post-2239548264289718235' source='http://www.blogger.com/feeds/4088979/posts/default/2239548264289718235' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-442737206787389118</id><published>2007-10-04T08:19:00.000-04:00</published><updated>2007-10-04T08:19:00.000-04:00</updated><title type='text'>I very much suspect that this misuse of terms come...</title><content type='html'>I very much suspect that this misuse of terms comes from Microsoft marketing. 
They might have decided that there is no such thing as "vulnerability" to be mentioned in their books, hence they named it "threat".&lt;BR/&gt;While it isn't technically correct, it sounds like "oh look at us poor guys. We have to face a plethora of threats every day" instead of "look at us erring humans. We cannot guarantee that every line of code is free from unintended blunders"&lt;BR/&gt;&lt;BR/&gt;Another example of marketing intentionally corrupting language.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/442737206787389118'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/442737206787389118'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html?showComment=1191500340000#c442737206787389118' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html' ref='tag:blogger.com,1999:blog-4088979.post-2239548264289718235' source='http://www.blogger.com/feeds/4088979/posts/default/2239548264289718235' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5491484238515619946</id><published>2007-10-03T13:45:00.000-04:00</published><updated>2007-10-03T13:45:00.000-04:00</updated><title type='text'>Eleanor, do you mean www.octotrike.org?  I hadn't ...</title><content type='html'>Eleanor, do you mean www.octotrike.org?  
I hadn't heard of your project before -- neat.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/5491484238515619946'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/5491484238515619946'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html?showComment=1191433500000#c5491484238515619946' title=''/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='02624747273826659506'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html' ref='tag:blogger.com,1999:blog-4088979.post-2239548264289718235' source='http://www.blogger.com/feeds/4088979/posts/default/2239548264289718235' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-2581280547116058729</id><published>2007-10-03T12:40:00.000-04:00</published><updated>2007-10-03T12:40:00.000-04:00</updated><title type='text'>It's nice to see more people saying the same thing...</title><content type='html'>It's nice to see more people saying the same thing.  I think part of the problem at MS comes from their insistence that they're trying to model the attacker, instead of modeling the system&amp;mdash;when you think defensively and are trying to find all the ways that a system can be broken, not just a few, you need to understand the system's requirements and what security means in the system.  
This emphasis on requirements requires you to have a high level concept like threats, separate from implementation-level vulnerabilities.&lt;BR/&gt;&lt;BR/&gt;It's a long way from being ready for prime time, and even the methodology talked about there is pretty out of date, but we have a tool (under development) and some other information online at http://octotrike.com.  With luck, there will be some updates coming soon.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/2581280547116058729'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/2581280547116058729'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html?showComment=1191429600000#c2581280547116058729' title=''/><author><name>Eleanor Saitta</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html' ref='tag:blogger.com,1999:blog-4088979.post-2239548264289718235' source='http://www.blogger.com/feeds/4088979/posts/default/2239548264289718235' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7719984679287568527</id><published>2007-10-02T19:38:00.000-04:00</published><updated>2007-10-02T19:38:00.000-04:00</updated><title type='text'>Agree that we could do better in the terminology a...</title><content type='html'>Agree that we could do better in the terminology area.&lt;BR/&gt;&lt;BR/&gt;On Schneier's attack trees, the big problem I have is trying to record and visualise the data.&lt;BR/&gt;&lt;BR/&gt;Microsoft have the "Threat Modelling GUI", which has the terminology wrong but at least starts to cover the requirement.&lt;BR/&gt;&lt;BR/&gt;Are you aware of any other tools? 
Creating attack trees collaboratively would be a neat way to capture security knowledge.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/7719984679287568527'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/7719984679287568527'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html?showComment=1191368280000#c7719984679287568527' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html' ref='tag:blogger.com,1999:blog-4088979.post-2239548264289718235' source='http://www.blogger.com/feeds/4088979/posts/default/2239548264289718235' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-6307907493251167289</id><published>2007-10-02T16:18:00.000-04:00</published><updated>2007-10-02T16:18:00.000-04:00</updated><title type='text'>@ Weber Ress"this discussion isn't about security,...</title><content type='html'>@ Weber Ress&lt;BR/&gt;"this discussion isn't about security, threat modeling or SDL. It's about English Language, synonyms and grammar."&lt;BR/&gt;&lt;BR/&gt;This is not only about Semantics. Any knowledge area must have a basic terminology like &lt;A HREF="http://www.dtic.mil/doctrine/jel/doddict/natoterm_index.html" REL="nofollow"&gt;military terminology&lt;/A&gt;. 
That's why ISO creates specific standards to define vocabulary like ISO Guide 73 and the ISO 27000 (the last one will be released soon).</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/6307907493251167289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/6307907493251167289'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html?showComment=1191356280000#c6307907493251167289' title=''/><author><name>Gustavo Araujo Bittencourt</name><uri>http://www.blogger.com/profile/03445897744346622932</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html' ref='tag:blogger.com,1999:blog-4088979.post-2239548264289718235' source='http://www.blogger.com/feeds/4088979/posts/default/2239548264289718235' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3933133291933922323</id><published>2007-10-02T15:56:00.000-04:00</published><updated>2007-10-02T15:56:00.000-04:00</updated><title type='text'>In my opinion, this discussion isn't about securit...</title><content type='html'>In my opinion, this discussion isn't about security, threat modeling or SDL. It's about the English language, synonyms and grammar. It's necessary to check the context. The sentence "a threat is defined as an attacker's objective" is correct if you check inside a secure software development (for example) in a security context. 
If you analyze this sentence alone, you get "strange" results.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/3933133291933922323'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/3933133291933922323'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html?showComment=1191354960000#c3933133291933922323' title=''/><author><name>Weber Ress</name><uri>http://www.blogger.com/profile/08369527456935707526</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html' ref='tag:blogger.com,1999:blog-4088979.post-2239548264289718235' source='http://www.blogger.com/feeds/4088979/posts/default/2239548264289718235' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5460737908085755507</id><published>2007-10-02T09:25:00.000-04:00</published><updated>2007-10-02T09:25:00.000-04:00</updated><title type='text'>threat (thrĕt) pronunciationn.   1. An expression ...</title><content type='html'>threat (thrĕt) pronunciation&lt;BR/&gt;n.&lt;BR/&gt;&lt;BR/&gt;   1. An expression of an intention to inflict pain, injury, evil, or punishment.&lt;BR/&gt;   2. An indication of impending danger or harm.&lt;BR/&gt;   3. One that is regarded as a possible danger; a menace.&lt;BR/&gt;&lt;BR/&gt;vulnerability&lt;BR/&gt;     n 1: the state of being vulnerable or exposed; "exposure to&lt;BR/&gt;          ridicule" or "vulnerability to litigation" [syn: exposure]&lt;BR/&gt;     2: susceptibility to injury or attack [ant: invulnerability]&lt;BR/&gt;&lt;BR/&gt;Yes, technically it should be vulnerability assessment and modeling. The perspective is whether you are thinking defensively or offensively. 
If you are the defender, you are trying to minimize your vulnerabilities. If you are the attacker, you are creating threats to the defender or the defender's systems. If you can't create an exploit to take advantage of a vulnerability, then you are not a threat. It sounds like threat modeling and vulnerability assessment are two sides of the same coin, like an IDS team and a penetration team during a network security exercise.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/5460737908085755507'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/5460737908085755507'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html?showComment=1191331500000#c5460737908085755507' title=''/><author><name>jbmoore</name><uri>http://www.blogger.com/profile/09751110750712243573</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html' ref='tag:blogger.com,1999:blog-4088979.post-2239548264289718235' source='http://www.blogger.com/feeds/4088979/posts/default/2239548264289718235' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-2309085775956184070</id><published>2007-10-01T19:57:00.000-04:00</published><updated>2007-10-01T19:57:00.000-04:00</updated><title type='text'>hmmm, maybe if it's "wrong" in so many places, cou...</title><content type='html'>hmmm, maybe if it's "wrong" in so many places, could it be that you're wrong??  And in fact, those definitions are "right?"&lt;BR/&gt;&lt;BR/&gt;haha, I'm kidding. 
I agree with you on your definitions and it's important all of us are on the same page with our definitions or we will all end up just confusing ourselves and others.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/2309085775956184070'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/2239548264289718235/comments/default/2309085775956184070'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html?showComment=1191283020000#c2309085775956184070' title=''/><author><name>Marcin</name><uri>http://www.blogger.com/profile/02403324596880195518</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html' ref='tag:blogger.com,1999:blog-4088979.post-2239548264289718235' source='http://www.blogger.com/feeds/4088979/posts/default/2239548264289718235' type='text/html'/></entry></feed>