Open stevespringett opened 1 month ago
Scope is important -- I think adding monetary values to a TM is likely a bridge too far.
Attack trees are a representation of relationships between threats (and possibly mitigations and other stuff) and not a fundamental unit.
More generally, I think that a threat model may not be the thing you want to track in a BOM. I think what I want as a consumer is not the analysis (threat modeling as a verb) or the results (threat modeling as a noun), but the things that I, as a consumer care about: the accepted/transferred/residual dangers associated with the thing. I think that includes some elements like:
But the transferred risks are more broad.
There have been several discussions with the threat modeling community, from users and open source and commercial vendors, to add support for natively representing threat models in CycloneDX.
Currently, threat models can be represented via an external reference and the threat model can either point to a URL and be inline via a data component. This allows capturing everything from OTM and MS TMT output.
There has recently been a desire by tool vendors to use OTM as a potential short-term solution and leverage CycloneDX as a long term solution. This would allow, for example, a native threat model to be represented in CycloneDX which would describe any component or service such as an application, AI model, or web service.
BOM-Link would be used to point the existing
threat-model
external reference to the threat model, either in the same BOM or in a dedicated TM-BOM.This ticket is to track the proposed enhancement to the core specification that would add: