mike-goodwin/owasp-threat-dragon-core

principle behind severity?

Closed this issue · 4 comments

This is probably the wrong place to ask questions like this but I didn't find another place.

Severity can be rated in 3 levels. It looks very similar to TMT priority.
What exactly is the practical use of severity?
From a classical risk oriented approach a priority is similar to a resulting risk with different levels before and after mitigation. Before mitigation it helps to prioritize activities applying countermeasures.
Risk is defined as a product of impact and likelihood if you want to simplify. Impact in my opinion is simply characterized by sensitivity of the data processed in the data flow and broken SLA. Both are different (business) impacts to be referenced to the character of the STRIDE attack vector. The other dimension likelihood is just a guess how easy it is to materialize the threat.
If possible I try to setup likelihood and impact based on the companies risk definition and throw out the risk level as a result.
Using priority TMT had the "problem" that it was setup by guessing not having a basis with risk assessment. Therefore it produced no real value for me. I changed it to calculate risks in a spreadsheet instead of prioritizing within TMT.
It would be helpful to know what the reason is for implementing severity this way.

Yes, very good point @dschadt . When using TD within our company it is a very subjective evaluation, and can mean different things to different dev teams - so it is good to discuss what is meant by it and what it perhaps should be.

I have created a channel in the OWASP slack, #project-threat-dragon , which would be a good place to have these discussions. Did you want to join the channel and open the discussion?

I would be very proud if I can help and support the community.
I do have some more questions about the methodologies to be integrated in TD, e. g. STRIDE per element vs interaktion or better combine?
What do I have to do to join a channel?

Hello Dirk - it would be very good to have you in these discussions. You can join the OWASP slack at owasp.slack.com using your @owasp.org email address. When you are in then join various channels, such as #project-threat-dragon and #threat-modeling .
If you do not have an OWASP member email address, I think I can add you to a single channel as a guest ... although this will be the first time I have tried it :-) I will need your email address, can I use the one on your github profile?
Edited: I found out how to do this and the invite has been sent

Migrated to new issue in the OWASP area repo : https://github.com/OWASP/threat-dragon-core/issues/7