Corporate Threat Modeller
Threat modelling techniques - though proven useful in many security analyses - have not been adequately scalable to identify all threats to an entire enterprise. In this talk, at CSI NetSec 07, we introduce a methodology for building a threat model across the entire enterprise. The idea we came up with is very simple actually. Take the basic principles and concepts used in application Threat Modelling, simplify a whole lot, stretch a little, sprinkle with some basic algebra, wrap it in a GUI and you have a powerful tool for analysing the threats your organisation faces.
The slides outline the thinking behind the approach and version 2.0 of the tool has been released. Source code is available on request.
Update 2010: The tool has been updated with some of our latest thinking, and the slides from a recent workshop on threat modeling are available for download: