Describe the solution you'd like

Microsoft has a Bug Bar model.

The pages linked above are clear that

"This sample document is for illustration purposes only. The content presented below outlines basic criteria to consider when creating security processes. It is not an exhaustive list of activities or criteria and should not be treated as such."

With that caveat, we might be able to do a tutorial / walkthrough of how someone could use SSVC to represent this model in their own environment.

The decision points would seem to align with the STRIDE model:

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

and the example linked above includes a partial order over different values for these.

The suggestion isn't for SSVC to "endorse" Bug Bars, rather to acknowledge they exist and show how SSVC might be able to model them.

Describe alternatives you've considered

I originally started out thinking we could do this with the DREAD model, but then I saw this post indicating that Bug Bars had replaced DREAD sometime before 2008, so maybe DREAD is too far out of sync to use as an example.

Then I looked at STRIDE, but by itself it suggests categories but not necessarily ordered sets within those categories (although if one squints at the EOP card game right, one might perceive the suited order as an ordering within each category, and the complete deck as a partial order over STRIDE: https://shostack.org/games/elevation-of-privilege).

There may yet be promise in the card game approach.

But that led me to the Bug Bar docs above, which are basically demonstrating how to do that in practical applications.
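As an added illustration of the modelling the issue proposes (this is not code from the SSVC project or from the issue author), each STRIDE category is treated as a hypothetical decision point with a totally ordered value set, and a full assignment across all six points is compared pointwise, which gives the partial order the issue refers to. The tier names and the "most severe category wins" collapse rule are assumptions in the style of a bug bar; the issue itself names neither.

```python
# Assumed STRIDE-aligned decision points and bug-bar style tiers (not from the issue).
STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "Information Disclosure", "Denial of Service", "Elevation of Privilege")
TIERS = ("Low", "Moderate", "Important", "Critical")   # least to most severe
RANK = {tier: i for i, tier in enumerate(TIERS)}


def assignment(overrides=None):
    """Full assignment over all six points: everything defaults to Low, overrides raise it."""
    values = dict.fromkeys(STRIDE, "Low")
    for category, tier in (overrides or {}).items():
        if category not in STRIDE or tier not in TIERS:
            raise ValueError(f"unknown category or tier: {category}={tier}")
        values[category] = tier
    return values


def at_least(a, b):
    """True when a is at least as severe as b in every category (product order)."""
    return all(RANK[a[c]] >= RANK[b[c]] for c in STRIDE)


def compare(a, b):
    """'>', '<', '=' or None when the two assignments are incomparable."""
    ge, le = at_least(a, b), at_least(b, a)
    if ge and le:
        return "="
    if ge:
        return ">"
    if le:
        return "<"
    return None


def overall_tier(a):
    """Collapse an assignment to one tier using its most severe category (assumed rule)."""
    return max(a.values(), key=lambda tier: RANK[tier])


def maximal(assignments):
    """Assignments that no other assignment in the set strictly exceeds."""
    return [a for a in assignments
            if not any(compare(other, a) == ">" for other in assignments)]


if __name__ == "__main__":
    baseline = assignment()
    eop = assignment({"Elevation of Privilege": "Critical"})
    tamper = assignment({"Tampering": "Important"})
    print(compare(eop, baseline), compare(eop, tamper), overall_tier(eop))
```

Two assignments that raise different categories are incomparable under this order, which is exactly why a bug bar needs an explicit rule (here, the assumed max rule) to reach a single severity.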