Training Session Video
This model will help prioritise vulnerabilities discovered in your applications. Generating some threat personas Collaborative discussion around how to improve the model
After the session, the organisers will decide on any changes needed on the model and create a survey for attendees to get everyone’s opinions on relative weightings in the model. Once that’s collected they plan to write up and publish the model in github under an open license. Pretty cool, heh?
This session had three objectives:
- Borrow UX concept of personas for a structured and reusable way to consider and discuss threats
- Create some Threat Personas!
- Explore a fast, developer-friendly way to use them and prioritise vulnerabilities
The outcomes from this session are:
- An example set of Threat Personas created by participants that teams can use and build on in their own organisations
- A proposed Application Vulnerability Scoring Framework for rapidly prioritising application vulnerabilities in a developer-friendly way
These are being made available under open-source licences and contributions are very welcome! You can find the content in the following GitHub repositories:
Synopsis and Takeaways
Threat personas provide a way to establish a common understanding and language between infosec, technology and business teams. Their narrative-driven approach paints a rich picture that is easy for anyone to understand. They fit between high-level labels (like cyber-criminal) and specific threat actor groups (like Tangerine Flamingo).
App vuln scoring builds on the concept of threat personas and provides a structured, developer-friendly way to prioritise application vulnerabilities.
- The numbers produced in the app vuln scoring model seem unexpected low, can these be tweaked?
- Can this be combined with other gamification efforts in other OWASP projects?
- Can we add consequence characteristics to the app vuln scoring model?
- OSS2020 session page: [Threat Personas and Application Vulnerability Scoring Model] (https://open-security-summit.org/tracks/ciso-and-risk-management/user-sessions/threat-personas-and-application-vulnerability-management/)
- Slides from the session (PDF)
- View the session replay
GitHub repo: Threat Personas
GitHub repo: App Vuln Prioritisation Framework
Back to list of all User Sessions