Is ETSI TVRA TS 102 153 165-1 a risk assessment tool or threat modeling tool? And what's the justification? The purpose of the question is to be able to answer if TVRA is suitable to be mapped to Microsoft's SDL and at which practice ("PRACTICE #4: PERFORM SECURITY AND PRIVACY RISK ASSESSMENTS" from the Requirement phase or "PRACTICE #7: USE THREAT MODELING" from the Design phase).
Asked
Active
Viewed 558 times
-2
-
From a document that I *think* you are referring to: "The present document defines a method for use by ETSI standards developers in undertaking an analysis of the threats, risks and vulnerabilities of a telecommunications system." So, it's both? Why do you need a differentiation? – schroeder Sep 05 '16 at 19:51
-
I need to differentiate between risk analysis and threat modeling in order to map the right tool to the right practice on Microsoft SDL.There the risk analysis is part of the requirement phase while the threat analysis is part of the design phase (they use STRIDE). – MFM Sep 06 '16 at 06:05
1 Answers
2
For purposes of mapping to Microsoft's SDL, this is closer to how we* talked about threat modeling. I'm unsure of the purpose of this document, which looks like it took a lot of work, but at a skim, it's unclear why that work was done.
- we = the MS SDL team, of which I was a member from 2006-2010, responsible for threat modeling and other bits.
Adam Shostack
- 2,659
- 1
- 10
- 12
-
Thank you Adam for your answer, it's great to get a feedback from an MS SDL team member! Can you plz explain why do you see TVRA more like a threat modeling tool? I can see that it has large activities on risk assessment, then it incorporates mitigation but it lacks any data flow analysis. – MFM Sep 07 '16 at 10:11
-
@MFM There's a lot of architectural detail, threat detail and mitigation detail. The risk assessment in early phases is more structured to "does windows need to do everything in SDL? Does MS Cats & Dogs need to do everything, deeply?" – Adam Shostack Sep 07 '16 at 15:25