Threat Modelling Project RoadmapView the original Working Session content
Description of session
The purpose of this session is to introduce the project and create a rough roadmap of deliverables for the project during the summit. The project is currently a documentation project, but it lacks documentation; one of the key objectives of the week will be to produce documentation.
- Set Objectives for the track for the summit
- Spoke on project structure (there are a number of sub-projects that are being set up as separate projects e.g. Threat Model cookbooks) ..* A question was put to the group on whether the separate project was acceptable ..* The group liked the idea of autonomy of such a format but that if they differ in ownership they should be all in ‘one place’ to allow for easy access for consumers.
- Discussed upcoming sessions and how they meet the intent of the project (get stuff documented) and (if relevant) how they link to other OWASP projects.
- Discussed the crossover of other OWASP projects and how some upcoming sessions will cover that crossover and collaboration. e.g. Automated Threat Handbook and Cloud Security Project.
- List of sub-modules we want to see in the OWASP project created.
Synopsis and Takeaways
- Creation of a list of sub-projects with ownership
OWASP TM Project Modules
It may be possible to combine some of the following items under existing / new sub-modules:
- Examples (TM Cookbook)
- Attack/ Mitigation Library
- TM Methodologies
- TM Frameworks
- Education - OWASP Training
- Academia - Research papers
- Practical tips ..* Versioning ..* Inheritance
- Implementation tips/ tricks (agile vs waterflow tips etc)
- Cheat Sheets (existing)
- Meta definition for threat models (DSL workshop Thurs)
- Tools -> Questionnaire (to add tools and tool info - G-questionnaire?) ..* Description ..* What methodology framework do they implement ..* Meta data on tools / tool categorisation (which of the 4 TM questions does the tool answer)
- Case studies (from various experiences on threat modeling in different environments - covering both successes and failures)
- Glossary / taxonomy
- Who are the customers of the Threat Model projects?
- What is the project structure?
- Should there be separate projects or sub-project modules?
- How is ownership defined for the various threat model projects?
- Is anyone looking at creating a new threat modeling tool?
- Should we perform a call for TM data (Top 10 style?)
- Should we threat model the DevSlop CI/CD pipeline using different frameworks to compare?
- Should we update the Juice Shop threat model (either re-do or call out the version that was threat modelled)?
- Why aren't more people contributing to the project? How do we make it frictionless?
- Is the project outline on the OWASP website accurate still?
- Define owners for each module suggested and ensure the owners are set up with wiki access.
- Threat Taxonomy Tash mentioned: https://www.synopsys.com/blogs/software-security/threat-modeling-vocabulary/
- OWASP Devslop project (automated security testing within the CI/CD) https://devslop.co/