Risk Rating/Ranking

  • Question

  • Hi,

    Is there a plan to integrate risk rating or ranking in the SDL tool? 

    Thanks,
    Rey

    • Moved by Hengzhe Li Tuesday, June 21, 2011 12:15 PM Forum Consolidate (From: Microsoft Security Development Lifecycle (SDL) - Threat Modeling)
    Tuesday, April 7, 2009 10:45 PM

Answers

  • Hi Rey,

    It's a common question, and the answer stems from the frame in which the tool exists.  It's the *SDL* Threat Modeling Tool and is built to enable threat modeling within the Microsoft SDL http://msdn.microsoft.com/en-us/security/cc448177.aspx 

    The SDL has an overall risk approach around "bug bars," which is that certain threats have certain severities.  So we might add support for those bug bars within the tool.  We might also add some prioritization around what crosses a trust boundary versus more informational parts of the elements.

    We've found that things like DREAD aren't really helpful, so that's unlikely.

    That all said, what risk rating or ranking would you like?

    Wednesday, April 8, 2009 5:26 PM

All replies

  • Hi Adam,

    I understand that DREAD is not really helpful for rating threats.  But I think it would still be nice to be able to assign some risk rating such as High, Medium, and Low.  Also, maybe a numerical value assigned to those ratings.  I understand this is not the direction you are heading, but maybe making it an optional feature would be great.

    I think this tool is very useful and simple to use, but when you are required to create a report to management to communicate the risks in your application, then the report feature of this tool is lacking.  But maybe this tool is not for that type of audience.

    On a related topic, what do you think about using CVSS for rating vulnerabilities in the STRIDE methodology?

    Thanks,
    Rey

    Friday, May 1, 2009 8:42 PM