Security Process Professional: Resources for IT Audit & Security Improvement
 
Common Criteria Threat List & Modeling Session Record
When project teams are ready to address security, they sometimes stumble for lack of a good, all-around threat list to use in threat modeling. A number of lists can be found on the internet, but the best foundation list is derived from ISO 15408, the standard used by independent laboratories to evaluate the trust levels of commercial products.

ISO 15408 Standard for Information Technology Security Evaluation is the international standard known as the "Common Criteria." While it was designed for benchmarking commercial products, its assets can be effectively used to guide project teams in building products that take a "Defense in Depth" approach to security protection.

Many (in fact, most) threats detailed in the standard cannot be directly handled programmatically. Many address the physical environment, system interdependencies, user and administrative processes and procedures, and human fault and ethics. Nevertheless, creative project teams understand that by creating security-focused documentation and user manuals, and by recommending security-focused administrative and management protocols, they can have a huge influence on how security threats outside their zone of responsibility--but affecting their product--will be handled.

Use this standard as the foundation threat list on your projects, and supplement it with lists that are technology-, environment- or function-specific to ensure you are taking a truly comprehensive approach to product security protection.

Walk through the presentation during a group threat modeling brainstorm session: ISO 15408 Common Criteria Threat List

Record your brainstorm session results in: Threat Modeling Brainstorm Session Record


 

Last Updated ( Thursday, 07 July 2005 )
 