Training Session Video
Session Slides
This model will help prioritise vulnerabilities discovered in your applications. The session covered:
- Generating some threat personas
- Collaborative discussion around how to improve the model
After the session, the organisers will decide on any changes needed to the model and create a survey for attendees to get everyone’s opinions on the relative weightings in the model. Once that’s collected, they plan to write up and publish the model on GitHub under an open licence. Pretty cool, heh?
Objectives
This session had three objectives:
- Borrow UX concept of personas for a structured and reusable way to consider and discuss threats
- Create some Threat Personas!
- Explore a fast, developer-friendly way to use them and prioritise vulnerabilities
Outcomes
The outcomes from this session are:
- An example set of Threat Personas created by participants that teams can use and build on in their own organisations
- A proposed Application Vulnerability Scoring Framework for rapidly prioritising application vulnerabilities in a developer-friendly way
These are being made available under open-source licences and contributions are very welcome! You can find the content in the GitHub repositories listed under Working materials below.
Synopsis and Takeaways
Threat personas provide a way to establish a common understanding and language between infosec, technology and business teams. Their narrative-driven approach paints a rich picture that is easy for anyone to understand. They fit between high-level labels (like cyber-criminal) and specific threat actor groups (like Tangerine Flamingo).
App vuln scoring builds on the concept of threat personas and provides a structured, developer-friendly way to prioritise application vulnerabilities.
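As an added illustration of how the two ideas connect, the following Python sketch models a threat persona as a small, reusable record and scores each vulnerability by the most capable persona that can actually reach it. This is example code written for this page, not code from the session or from either GitHub repository: the persona attributes (skill, resources, access), the access ranking, the weightings and the scoring formula are all assumptions chosen here, since the session's own weightings were still to be surveyed.

```python
"""Hypothetical threat-persona-driven vulnerability scoring (illustrative only).

Every field, weight and formula below is an assumption made for this example;
none of it is the weighting scheme of the published framework.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Access a persona already holds, ranked from least to most privileged.
ACCESS_RANK: Dict[str, int] = {"anonymous": 0, "authenticated": 1, "insider": 2}

# Hypothetical relative weightings (placeholders; the real ones were to come
# from the attendee survey).
WEIGHTS = {"skill": 0.4, "resources": 0.2, "exposure": 0.4}


@dataclass(frozen=True)
class ThreatPersona:
    """A narrative persona sitting between a label and a named actor group."""
    name: str
    narrative: str          # one-line story that makes the persona memorable
    skill: int              # 1 (script-level) .. 5 (expert)
    resources: int          # 1 (lone individual) .. 5 (well funded)
    access: str             # key of ACCESS_RANK


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    title: str
    required_access: str    # least access an attacker needs to reach the flaw
    required_skill: int     # 1..5, skill needed to exploit it reliably
    impact: int             # 1..5, consequence if it is exploited


def likelihood(persona: ThreatPersona, vuln: Vulnerability) -> float:
    """0.0..1.0: how plausible it is that this persona exploits this flaw."""
    if ACCESS_RANK[persona.access] < ACCESS_RANK[vuln.required_access]:
        return 0.0  # the persona cannot reach the vulnerable code path at all
    skill_factor = min(1.0, persona.skill / vuln.required_skill)
    resource_factor = persona.resources / 5
    # Anonymously reachable flaws are exposed to everyone; insider-only ones far less.
    exposure = 1.0 - ACCESS_RANK[vuln.required_access] / 3
    return (WEIGHTS["skill"] * skill_factor
            + WEIGHTS["resources"] * resource_factor
            + WEIGHTS["exposure"] * exposure)


def score(vuln: Vulnerability, personas: List[ThreatPersona]) -> Tuple[float, str]:
    """Score 0..100, driven by the most capable persona that can reach the flaw."""
    best_persona = max(personas, key=lambda p: likelihood(p, vuln))
    best = likelihood(best_persona, vuln)
    if best == 0.0:
        return 0.0, "none"  # no defined persona can reach it: park, don't ignore
    return round(best * vuln.impact * 20, 1), best_persona.name


def prioritise(vulns: List[Vulnerability],
               personas: List[ThreatPersona]) -> List[Tuple[str, float, str]]:
    """Return (vuln_id, score, driving persona), highest score first."""
    ranked = [(v.vuln_id, *score(v, personas)) for v in vulns]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample personas and findings for this example.
PERSONAS = [
    ThreatPersona("Opportunistic Scanner",
                  "Runs public scanners against anything with a login page.",
                  skill=2, resources=1, access="anonymous"),
    ThreatPersona("Disgruntled Contractor",
                  "Still has a VPN account and a grudge about an unpaid invoice.",
                  skill=3, resources=2, access="insider"),
    ThreatPersona("Organised Fraud Crew",
                  "Buys stolen customer accounts and monetises anything they unlock.",
                  skill=4, resources=4, access="authenticated"),
]

FINDINGS = [
    Vulnerability("V-1", "Reflected XSS in search", "anonymous", 2, impact=2),
    Vulnerability("V-2", "IDOR on invoice download", "authenticated", 2, impact=4),
    Vulnerability("V-3", "Admin token in CI build logs", "insider", 1, impact=5),
]

if __name__ == "__main__":
    for vuln_id, s, who in prioritise(FINDINGS, PERSONAS):
        print(f"{vuln_id:5} {s:6.1f}  driven by {who}")
```

With these constructed inputs the authenticated-only IDOR outranks the anonymously reachable XSS because impact is part of the score, and the insider-only secret still lands high because a defined persona can reach it; that is the kind of outcome a team can argue about persona by persona instead of over an abstract severity label.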
Identified Questions
- The numbers produced by the app vuln scoring model seem unexpectedly low; can these be tweaked?
- Can this be combined with other gamification efforts in other OWASP projects?
- Can we add consequence characteristics to the app vuln scoring model?
References
- OSS2020 session page: [Threat Personas and Application Vulnerability Scoring Model](https://open-security-summit.org/tracks/ciso-and-risk-management/user-sessions/threat-personas-and-application-vulnerability-management/)
- Slides from the session (PDF)
- View the session replay
Working materials
GitHub repo: Threat Personas
GitHub repo: App Vuln Prioritisation Framework