Open Pat-Duarte opened 2 years ago
Retrieved input from Slack archive:
Hey, I wonder if it might be worth investing more in the definitions? I think the distinction between "Application Risk Profile" and "Threat Modelling" is a good one.
I'm interested in the emphasis on the artefact or output in the first, "Application Risk Profile", as opposed to the activity of "Application Risk Profiling",
whereas "Threat Modelling" is more focussed on the activity. I like this emphasis, especially in the agile SDLC context (I'm aware OpenSAMM is not limited to only agile approaches).
In terms of definitions, I understand you are calling the combination of an "Application Risk Profile" (focussed on risk and business concerns) with "Threat Modelling" (focussed on system and technical concerns) "Threat Assessment".
Also, with a compliance hat on, I am interested in how you see this relating to Risk Assessment. For example, would a mature "Threat Assessment" practice fulfil, or go a way towards fulfilling, the risk assessment requirements in NIST 800-53 (i.e. NIST 800-37 tier 3 risk assessment) and/or, for an ISO27001 scoped to a software development project, clauses 6.1.2 and 6.1.3 (Planning > Risk assessment & Risk treatment)?
One more thought: would it be worth calling out various methodologies folks could use to fulfil these goals?
This is a candidate to add to Definitions and to add more Guidance for Threat Assessment.
https://owasp.slack.com/archives/C1CS3C6AF/p1548843039188300?thread_ts=1548744429.173300&cid=C1CS3C6AF ("hey I wonder if it might be worth investing more in the definitions? I think the distinction between 'Application Risk Profile' and 'Threat Modelling' is a good one" plus the rest of the discussion/thread ...)
History from old repo: @SebaDele opened this issue on Mar 24, 2019. @23bartman self-assigned this on Mar 26, 2019.