Modeling Threats Part 3

So I owe you guys one more post. It's my description of the final phase of threat modeling. 

Measurement
What I was taught was that measurement is a phase that you can skip (it's not THAT important), and from a security perspective I would agree. But from the perspective of pleasing the managers above you, I would say that this is extremely important.

In the last article, I mentioned quantifying the vulnerability (so you can say “this is a 60 vulnerability”). I forgot to mention one more thing. You should note how much you think the fix (or the method of coding and testing in an appropriate manner, etc.) will cost. You should also quantify the vulnerability after the fix. You will probably not see a lot of change, but if you're stopping something like SQL injection, it will provide mitigations to a number of threats. One thing you could do is take the cost versus the number of points dropped by a mitigation (multiplied by the number of threats it appears in), and get a nice little dollars-per-point ratio (which sometimes makes managers happy).
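The dollars-per-point ratio above, worked through in Python as an added example (not code from the original post). It generalizes the text slightly: instead of one drop multiplied by a threat count, it sums each threat's before/after drop for the mitigation, and the scores and costs in the sample data are constructed, hypothetical values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Mitigation:
    """A fix with its estimated cost and the threats it affects.

    effect maps threat name -> (score before fix, score after fix) on the
    hypothetical 0-100 vulnerability scale the post uses ("a 60 vulnerability").
    """
    name: str
    cost_usd: float
    effect: Dict[str, Tuple[int, int]] = field(default_factory=dict)


def points_dropped(m: Mitigation) -> int:
    """Total points removed across every threat the mitigation appears in."""
    return sum(before - after for before, after in m.effect.values())


def dollars_per_point(m: Mitigation) -> float:
    """Cost divided by points dropped; a fix that drops nothing is infinitely expensive."""
    dropped = points_dropped(m)
    return m.cost_usd / dropped if dropped > 0 else float("inf")


def rank_mitigations(mitigations: List[Mitigation]) -> List[Mitigation]:
    """Cheapest risk reduction first, the ordering a manager can act on."""
    return sorted(mitigations, key=dollars_per_point)


def worth_doing(m: Mitigation, budget_per_point: float) -> bool:
    """The DoS question from the post: is this fix cheap enough per point to bother with?"""
    return dollars_per_point(m) <= budget_per_point


# Constructed sample data (hypothetical costs and scores, not taken from the post).
SAMPLE_MITIGATIONS = [
    Mitigation("parameterized queries", 8000, {
        "SQL injection in login": (60, 10),
        "data tampering via search": (45, 10),
        "information disclosure via reports": (50, 15),
    }),
    Mitigation("upload validation", 5000, {"malicious file upload": (55, 30)}),
    Mitigation("DoS rate limiting", 30000, {"DoS on public API": (40, 25)}),
]

if __name__ == "__main__":
    for m in rank_mitigations(SAMPLE_MITIGATIONS):
        print(f"{m.name:24s} drops {points_dropped(m):3d} pts at ${dollars_per_point(m):,.2f}/pt")
```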

The other thing that measurement gives you (especially in the before picture) is a way to determine things about a threat.  “Should we worry about Denial of Service (DoS)?  It's going to cost a lot to mitigate, and while DoS would be a pain, it's not that big of a deal.”  It can also help you decide that maybe a new feature is way too risky.  Measurement helps the team make decisions.

Posted on Tuesday, November 23, 2004 9:24 AM
