document/1.0/04-TASVS-ARCH.md
8 additions & 8 deletions
@@ -11,7 +11,7 @@ Architecture and threat modeling are inextricably linked. Threat modeling inform
| ---- | ------------- | - | - | - |
| TASVS-ARCH-1 | Threat Modeling ||||
| TASVS-ARCH-1.1 | Completed a low fidelity threat model for thick client. | X | X | X |
-
| TASVS-ARCH-1.2 | Completed a high fidelity threat model for thick client which is in currently in production. || X | X |
+
| TASVS-ARCH-1.2 | Completed a high fidelity threat model for thick client which is currently in production.|| X | X |
| TASVS-ARCH-1.3 | Threat model includes server-side components and dependencies (cloud APIs, OIDC provider, file storage, etc.). || X | X |
| TASVS-ARCH-1.4 | Threat modeling process included all phases (system modeling, auto-threat identification, manual threat identification, threat mitigation). || X | X |
| TASVS-ARCH-1.5 | Threat model checked-in to source code repository. | X | X | X |
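Review bot: the corrected TASVS-ARCH-1.2 row drops the space between the cell text and the column separator ("production.|| X | X |"), while every other row in the table keeps one; "in production. || X | X |" would match TASVS-ARCH-1.1 and 1.3. The wording fix from "is in currently in production" is otherwise right.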
That's it! Later, continue to elaborate the model and raise fidelity score. Remember the system model is a means to an end - identifying threats.
-
### TASVS-ARCH-1.2 - Completed a high fidelity threat model for thick client which is in currently in production.
+
### TASVS-ARCH-1.2 - Completed a high fidelity threat model for thick client which is currently in production.
-
"high fidelity" threat modeling is a more detailed and comprehensive approach to threat modeling. It includes all the elements of a low-fidelity model but adds more detail and context to the model. This includes:
+
"High fidelity" threat modeling is a more detailed and comprehensive approach to threat modeling which maximizes threat identification. High fidelity is appropriate for a production product where all aspects of the system are well-understood. It includes all the elements of a lowfidelity model but adds additional detail and context to the model. This includes:
-
-Detailed data flow diagrams
-
-Detailed trust boundaries
-
-Detailed threat identification
+
-Define data assets processed and stored on technical assets
+
-Define data assets flowing on communication links
+
-Optional attributes defined on data assets and technical assets
### TASVS-ARCH-1.3 - Threat model includes server-side components and dependencies (cloud APIs, OIDC provider, file storage, etc.).
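Review bot: the rewritten paragraph introduces a typo the removed text did not have, "lowfidelity" for "low-fidelity"; restore the hyphen. Two further points on this hunk: as shown here the replacement bullets ("-Define data assets ...", "-Optional attributes ...") have no space after the leading hyphen, and if that is what the file contains GitHub markdown will render them as one run of text rather than a list, so "- Define data assets ..." is the safer form; and with "Detailed threat identification" removed, nothing in the list supports the new lead sentence's claim that high fidelity "maximizes threat identification". Suggest either keeping a threat-identification item in the list or dropping that phrase from the sentence.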
@@ -58,7 +58,7 @@ The threat model should be checked into the source code repository to ensure tha
### TASVS-ARCH-1.6 - Threat model updated regularly as part of a documented process within development team's SSDLC.
-
The threat model should be updated regularly as part of a documented process within the development team's SSDLC. This ensures that the threat model remains current and relevant as the thick client evolves and new threats emerge. Regular updates to the threat model help to ensure that the thick client remains secure and resilient to potential threats.
+
The threat model should be updated regularly as part of a documented process within the development team's secure software development lifecycle (SSDLC). This ensures that the threat model remains current and relevant as the thick client evolves and new threats emerge. Regular updates to the threat model help to ensure that the thick client design remains secure and resilient to potential threats.
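Review bot: "updated regularly" is still not something an assessor can verify; since TASVS-ARCH-1.6 is a checkable requirement, the paragraph should say what triggers an update (for instance a change to the architecture or data flows, a new release, or a fixed review interval) and where within the documented SSDLC process that cadence is recorded. Expanding SSDLC on first use is a good addition. The second and third sentences both say the update keeps the model current and the client secure, so one of them could be dropped.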