Add MS Bug Bar model #623

Open
ahouseholder opened this issue Sep 24, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@ahouseholder (Contributor)
Describe the solution you'd like

Microsoft has a Bug Bar model

The pages linked above are clear that

This sample document is for illustration purposes only. The content presented below outlines basic criteria to consider when creating security processes. It is not an exhaustive list of activities or criteria and should not be treated as such.

With that caveat, we might be able to do a tutorial / walkthrough of how someone could use SSVC to represent this model in their own environment.

The decision points would seem to align with the STRIDE model

  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege

and the example linked above includes a partial order over different values for these

The suggestion isn't for SSVC to "endorse" Bug Bars, rather to acknowledge they exist and show how SSVC might be able to model them.

Describe alternatives you've considered

I originally started out thinking we could do this with the DREAD model but then I saw this post indicating that Bug Bars had replaced DREAD sometime before 2008, so maybe DREAD is too far out of sync to use as an example.

Then I looked at STRIDE, but by itself it suggests categories but not necessarily ordered sets within those categories (although if one squints at the EOP card game right, one might perceive the suited order as an ordering within each category, and the complete deck as a partial order over STRIDE). https://shostack.org/games/elevation-of-privilege

There may yet be promise in the card game approach.

But that led me to the Bug Bar docs above, that are basically demonstrating how to do that in practical applications.

@ahouseholder ahouseholder added the enhancement New feature or request label Sep 24, 2024
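The issue above sketches the idea of treating each STRIDE category as a decision point with an ordered set of values, and the combination of those sets as a partial order. The following is an added example (not SSVC project code, and not Microsoft's published bug bar) that makes that sketch concrete: each category gets a constructed, least-to-most-severe list of values, outcomes are compared under the product order (one outcome dominates another only if it is at least as severe in every category), and a constructed severity bucket is derived from the worst category reached. The value names, the `SEVERITY_BUCKETS` list and the bucketing rule are all assumptions for illustration.

```python
"""Model a STRIDE-style bug bar as SSVC-like ordered decision points.

Added example: value names, severity buckets and the bucketing rule are
constructed placeholders, not the values from Microsoft's bug bar documents
or from the SSVC project.
"""
from __future__ import annotations

from itertools import product

# Each STRIDE category is a decision point whose values are ordered from
# least severe (index 0) to most severe (last index).  Names are constructed.
DECISION_POINTS: dict[str, list[str]] = {
    "Spoofing": ["none", "user_identity", "trusted_service"],
    "Tampering": ["none", "user_data", "system_data"],
    "Repudiation": ["none", "unlogged_action", "forged_audit_trail"],
    "Information Disclosure": ["none", "non_sensitive", "sensitive", "credentials"],
    "Denial of Service": ["none", "temporary", "persistent"],
    "Elevation of Privilege": ["none", "local_user", "local_admin", "remote_admin"],
}

# Constructed severity buckets, indexed by the highest rank reached in any
# single category.  A real bug bar would define cutoffs per category.
SEVERITY_BUCKETS = ["Low", "Moderate", "Important", "Critical"]


def rank(point: str, value: str) -> int:
    """Position of `value` within the ordered values of `point`."""
    return DECISION_POINTS[point].index(value)


def as_ranks(outcome: dict[str, str]) -> tuple[int, ...]:
    """Turn an outcome (point -> value) into a rank vector in fixed point order.

    Categories not mentioned in the outcome default to their least severe value.
    """
    return tuple(
        rank(p, outcome.get(p, DECISION_POINTS[p][0])) for p in DECISION_POINTS
    )


def compare(a: dict[str, str], b: dict[str, str]) -> str:
    """Product (coordinate-wise) partial order over outcomes.

    Returns "greater", "less", "equal", or "incomparable".  Two outcomes are
    incomparable when each is more severe than the other in some category.
    """
    ra, rb = as_ranks(a), as_ranks(b)
    ge = all(x >= y for x, y in zip(ra, rb))
    le = all(x <= y for x, y in zip(ra, rb))
    if ge and le:
        return "equal"
    if ge:
        return "greater"
    if le:
        return "less"
    return "incomparable"


def severity(outcome: dict[str, str]) -> str:
    """Constructed bucketing rule: the worst single category sets the bucket."""
    worst = max(as_ranks(outcome))
    return SEVERITY_BUCKETS[min(worst, len(SEVERITY_BUCKETS) - 1)]


def all_outcomes() -> list[dict[str, str]]:
    """Enumerate every combination of decision point values."""
    points = list(DECISION_POINTS)
    return [
        dict(zip(points, values))
        for values in product(*(DECISION_POINTS[p] for p in points))
    ]


def incomparable_fraction() -> float:
    """Share of distinct outcome pairs the partial order does not rank.

    A non-zero share is what makes this a partial rather than a total order.
    """
    outcomes = all_outcomes()
    pairs = 0
    incomparable = 0
    for i, a in enumerate(outcomes):
        for b in outcomes[i + 1:]:
            pairs += 1
            if compare(a, b) == "incomparable":
                incomparable += 1
    return incomparable / pairs


if __name__ == "__main__":
    remote_eop = {"Elevation of Privilege": "remote_admin"}
    cred_leak_dos = {"Information Disclosure": "credentials", "Denial of Service": "persistent"}
    print(compare(remote_eop, cred_leak_dos), severity(remote_eop), severity(cred_leak_dos))
    print(len(all_outcomes()), "outcomes;", round(incomparable_fraction(), 3), "of pairs incomparable")
```

The point the example makes is the one the issue raises: STRIDE alone gives categories, but once each category carries an ordered set of values the space of outcomes is a product partial order, so some outcomes (a remote privilege escalation versus a credential leak plus persistent DoS, say) are incomparable and need a separate bug-bar-style rule to land in the same severity bucket.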