Review of threat trees

Tyler, started a review - stopped in item 4, will get back to it.
 
Seems like we have some issues with threat trees.
 
I noted items that I thought had scope issues
 
1. luring attacks
 D. all
 E. all
 F. all
 
2. Site impersonation
 A. ii.
 
4. Cross-site scripting - only interested in how the user agent
responds to certain attacks in this class.
 
From text, the pretense of the attack is injection of code into
vulnerable web applications, server side processing is out of scope and
attacking the server is out of scope.
 
Thought - Restructure section to note user agent actions and ability to
retain secure posture in the face of Cross-site scripting threats.
Server sends data that does X. Leave out how / why this occurs, it just
does.
 
B
 
 
 
 
 
 

 

________________________________

	From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Doyle, Bill
	Sent: Wednesday, June 27, 2007 6:46 AM
	To: Rachna Dhamija
	Cc: public-wsc-wg@w3.org
	Subject: RE: Public comments on threat trees
	
	
	Thanks - was wondering what was up.
	 
	Will take a look at it. Usually the MITRE infosec group does
	not hold back much, depends on who gets a hold of it.
	 
	Bill 
	 


________________________________

		From: Rachna Dhamija [mailto:rachna.w3c@gmail.com] 
		Sent: Tuesday, June 26, 2007 8:52 PM
		To: Doyle, Bill
		Cc: public-wsc-wg@w3.org
		Subject: Re: Public comments on threat trees
		
		
		Bill, 
		
		There is currently no "owner" (Stuart S is transitioning jobs,
		and I don't know if he is still participating in the workgroup).
		I've been adding attacks as I think of them and have flattened
		it out to be more of an outline, rather than a "tree". We still
		need to add links to examples and to identify which branches are
		in and out of scope.
		
		I'm not sure that we'll ever be "done" with adding new attacks,
		so this is as good a time as any to get comments and find things
		we have missed. Perhaps you and Stephen F might like to make one
		pass through it first.
		
		http://www.w3.org/2006/WSC/wiki/ThreatTrees
		
		Rachna
		
		
		On 6/25/07, Doyle, Bill <wdoyle@mitre.org> wrote:

			Are threat trees ready for public comments? If so
			I will send a wiki link out to MITRE infosec list.
			 
			If threat tree owner can respond and provide any
			intro and link it would be appreciated.
			 
			Regards
			Bill Doyle
			wdoyle@mitre.org
			 
			 
			 

Received on Wednesday, 27 June 2007 16:59:28 UTC