Conference papers

Asset-Oriented Threat Modeling

Abstract: Threat modeling is recognized as one of the most important activities in software security. It helps to address security issues in software development. Several threat modeling processes are widely used in industry, such as that of the Microsoft SDL. In threat modeling, it is essential to first identify assets before enumerating threats, in order to diagnose the threat targets and spot the protection mechanisms. Asset identification and threat enumeration are collaborative activities involving many actors, such as security experts and software architects. These activities are traditionally carried out in brainstorming sessions. Due to the lack of guidance, the lack of a sufficiently formalized process, the high dependence on actors' knowledge, and the variety of actors' backgrounds, these actors often have difficulty collaborating with each other. Brainstorming sessions are thus often conducted sub-optimally and require significant effort. To address this problem, we aim to structure the asset identification phase by proposing a systematic asset identification process based on a reference model. This process structures and identifies relevant assets, facilitating threat enumeration during brainstorming. We illustrate the proposed process with a case study and show its usefulness in supporting threat enumeration and improving existing threat modeling processes such as that of the Microsoft SDL.
Cited literature [37 references]

https://hal.archives-ouvertes.fr/hal-02990919
Contributor: Nicolas Belloir
Submitted on: Thursday, November 5, 2020 - 5:42:51 PM
Last modification on: Monday, November 23, 2020 - 11:20:19 AM

File

TrustCom2020-soumission.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-02990919, version 1

Citation

Nicolas Belloir, Nan Messe, Vanea Chiprianov, Jamal El-Hachem, Régis Fleurquin, et al. Asset-Oriented Threat Modeling. TrustCom 2020 - 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Dec 2020, Guangzhou, China. pp.1-11. ⟨hal-02990919⟩
