From: Dexter B. <ms...@ms...> - 2007-05-02 19:12:31
Hello,
I have been given an assignment to conduct a Threat Assessment on an
application's authentication and authorization sub-systems. I did extensive
research using ACM, IEEE Computer Society and even ProQuest to find a
suitable Threat Assessment methodology but was unable to find any. I did
find Threat Modelling and Risk Analysis methodologies, but nothing that
specifically stated 'Threat Assessment'.
I have surmised that most risk analysis methodologies, such as CORAS,
probably possess a threat assessment component. I have installed CORAS tool
2.0.3 and studied the framework thoroughly, but I am uncertain as to which
activities constitute a threat assessment. I am thinking that a threat
assessment exercise using CORAS should proceed as follows. From the CORAS
framework, the risk analysis technique should be executed as was
demonstrated in the Raptis, Dimitrakos, Axel Gran & Stølen 2002 trial. The
CORAS methodology from start through 2.2 should be employed to drive this
process. The vulnerability assessment will be excluded because it is beyond
the scope of a threat assessment. The CORAS tool will be used where possible
to document the process.
Can anyone confirm whether this is the correct approach for a Threat
Assessment using CORAS? Also, I don't seem to be able to create UML diagrams
with the tool. The menu option is available, but I don't see how the
symbols are created on the UML diagram tab. Is UML only an import function?
Thanks for any feedback.
DRB

From: Dexter B. <ms...@ms...> - 2007-05-02 13:16:37

I have been given an assignment to conduct a Threat Assessment on an
application's authentication and authorization sub-systems. I did extensive
research using ACM, IEEE Computer Society and even ProQuest to find a
suitable Threat Assessment methodology but was unable to find any. I did
find Threat Modelling and Risk Analysis methodologies, but nothing that
specifically stated 'Threat Assessment'.

I have surmised that most risk analysis methodologies, such as CORAS,
probably possess a threat assessment component. I have installed CORAS tool
2.0.3 and studied the framework thoroughly, but I am uncertain as to which
activities constitute a threat assessment. I am thinking that a threat
assessment exercise using CORAS should proceed as follows. From the CORAS
framework, the risk analysis technique should be executed as was
demonstrated in the Raptis, Dimitrakos, Axel Gran & Stølen 2002 trial. The
CORAS methodology from start through 2.2 should be employed to drive this
process. The vulnerability assessment will be excluded because it is beyond
the scope of a threat assessment. The CORAS tool will be used where possible
to document the process.

Can anyone confirm whether this is the correct approach for a Threat
Assessment using CORAS? Also, I don't seem to be able to create UML diagrams
with the tool. The menu option is available, but I don't see how the
symbols are created on the UML diagram tab. Is UML only an import function?
Thanks for any feedback.

DRB