> The Application Security Attack Components project is an attempt to break
> down all the possible attacks into their most discrete components. If you
> cant break an attack down further then we are there. I think the example at
> www.owasp.org/projects/asac/ is a really good example, although the UML
> sucks ! When we have done this we can build sets of attack trees using these
> attack objects that are the possible and known real world attacks. An

Yes. I was wondering if that was the next step--somehow linking together
these discrete comoponents into something more structured based on a high
level goal and that considered attack prerequisites and outcomes.

Are there any tools under development (or already out there) for building,
browsing, expanding/collapsing, analyzing attack trees--and that could tie
into the attack components y'all are developing?

I've run across a few commercial tools for building/analyzing decision
trees that are only marginally useful for doing attack modeling.

-mdf

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]