You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There have been several discussions with the threat modeling community, from users and open source and commercial vendors, to add support for natively representing threat models in CycloneDX.
Currently, threat models can be represented via an external reference and the threat model can either point to a URL and be inline via a data component. This allows capturing everything from OTM and MS TMT output.
There has recently been a desire by tool vendors to use OTM as a potential short-term solution and leverage CycloneDX as a long term solution. This would allow, for example, a native threat model to be represented in CycloneDX which would describe any component or service such as an application, AI model, or web service.
BOM-Link would be used to point the existing threat-model external reference to the threat model, either in the same BOM or in a dedicated TM-BOM.
This ticket is to track the proposed enhancement to the core specification that would add:
Threats
Weaknesses
DFDs
Attack trees with monetary values
Methodology agnostic - support for STRIDE, PASTA, LINDDUN, etc
Support for security, privacy, safety, and process threat modeling
The text was updated successfully, but these errors were encountered:
More generally, I think that a threat model may not be the thing you want to track in a BOM. I think what I want as a consumer is not the analysis (threat modeling as a verb) or the results (threat modeling as a noun), but the things that I, as a consumer care about: the accepted/transferred/residual dangers associated with the thing. I think that includes some elements like:
Network connections (listening ports, outbound connections, the latter IETF MUD is interesting)
Files accessed (inside my area, system files, possibly tainted opened; read/write opens or permissions needed)
There have been several discussions with the threat modeling community, from users and open source and commercial vendors, to add support for natively representing threat models in CycloneDX.
Currently, threat models can be represented via an external reference and the threat model can either point to a URL and be inline via a data component. This allows capturing everything from OTM and MS TMT output.
There has recently been a desire by tool vendors to use OTM as a potential short-term solution and leverage CycloneDX as a long term solution. This would allow, for example, a native threat model to be represented in CycloneDX which would describe any component or service such as an application, AI model, or web service.
BOM-Link would be used to point the existing
threat-model
external reference to the threat model, either in the same BOM or in a dedicated TM-BOM.This ticket is to track the proposed enhancement to the core specification that would add:
The text was updated successfully, but these errors were encountered: