[Net-sec-threat-modeling] Threat modelling form

Mariusz Kondratowicz mkondratowicz at opera.com
Sun May 5 11:46:39 MST 2019


Hi Fotis,

Good job, thank you!

1) Yes, I think we can exclude that question. It is too general. No need to
wait till next sync-up IMO.

2) Well, I changed from
"Are you willing to *make* architectural changes to your infrastructure..."
to "Are you willing to *consider making* architectural changes to your
infrastructure"
to address this concern of "unknown changes".
I think that having "Maybe" (which I understand as "It depends") makes this
question a bit redundant because I bet that 90% of people will answer "maybe"
;)
The goal of this question is to build awareness that we will bring some
issues and we need a very general and preliminary acknowledgement that they
are going to at least consider using our findings.
But if you think that this question can be more harmful than beneficial
then we can exclude it as well (as I said, I'm pretty new in the Forum).

3) I'm considering making one change in the form: I think that most of the
questions should be marked as "required". What do you think?

Regards,
Mariusz

*Mariusz Kondratowicz | Compliance Manager*
Opera Software International AS, Poland



On Sun, May 5, 2019 at 8:49 AM Fotis Loukos <fotisl at ssl.com> wrote:

> Hello everybody,
> I have prepared the threat modelling form and you can find it at the
> shared folder.
>
> A couple of remarks:
> 1) The first conceptual question (When to do threat modelling i.e. when
> and where?) seems ambiguous and as Mariusz noted, are we sure that it
> will provide valuable feedback as is? I didn't include it until we
> discuss it (preferably on the list, we shouldn't wait till our
> next call).
> 2) At the 6th conceptual question (Are you willing to consider making
> architectural changes to your infrastructure in order to meet the
> requirements that may arise as output from the threat model?) instead of
> just Yes and No, I also added Maybe. I think that it's difficult to
> commit to making changes if you don't know them exactly.
>
> Please send your feedback and then I will have this circulated.
>
> Best regards,
> Fotis
>
> --
> Fotis Loukos, PhD
> Director of Security Architecture
> SSL Corp
> e: fotisl at ssl.com
> w: https://www.ssl.com