Threat Personas and Application Vulnerability Scoring Model

When (day):
11:00 - 13:00
Zoom link will be available very soon

Training Session Video

Session Slides

This model will help prioritise vulnerabilities discovered in your applications. Generating some threat personas Collaborative discussion around how to improve the model

After the session, the organisers will decide on any changes needed on the model and create a survey for attendees to get everyone’s opinions on relative weightings in the model. Once that’s collected they plan to write up and publish the model in github under an open license. Pretty cool, heh?


This session had three objectives:

  1. Borrow UX concept of personas for a structured and reusable way to consider and discuss threats
  2. Create some Threat Personas!
  3. Explore a fast, developer-friendly way to use them and prioritise vulnerabilities


The outcomes from this session are:

  • An example set of Threat Personas created by participants that teams can use and build on in their own organisations
  • A proposed Application Vulnerability Scoring Framework for rapidly prioritising application vulnerabilities in a developer-friendly way

These are being made available under open-source licences and contributions are very welcome! You can find the content in the following GitHub repositories:

Synopsis and Takeaways

Threat personas provide a way to establish a common understanding and language between infosec, technology and business teams. Their narrative-driven approach paints a rich picture that is easy for anyone to understand. They fit between high-level labels (like cyber-criminal) and specific threat actor groups (like Tangerine Flamingo).

App vuln scoring builds on the concept of threat personas and provides a structured, developer-friendly way to prioritise application vulnerabilities.

Identified Questions

  1. The numbers produced in the app vuln scoring model seem unexpected low, can these be tweaked?
  2. Can this be combined with other gamification efforts in other OWASP projects?
  3. Can we add consequence characteristics to the app vuln scoring model?


Working materials

Additional/External References

Back to list of all User Sessions