Is 'threat modelling' as a process considered to be one which views threats from a low level only, and one aimed at developers? Because this is the understanding I get from seeing how these tools work. These kinds of threats do not seem to be represented in any tools that I can find, and nor are those threats which come from sources other than attackers.

This kind of threat is also not 'low level', such as the ones identified in the tools mentioned, but more medium level. On systems, threats are not just from attackers; threats on the cloud can include location- or service-based threats (e.g., laws may require certain kinds of data to be kept within certain jurisdictions; an alternative security problem, but an issue nonetheless). From looking at the threat modelling tools which are available (Microsoft SDL for Threat Modelling is probably the prime example), they seem to consider only threats at a low level, and I get the feeling that they are aimed primarily at developers.