+ Reply to Thread
Results 1 to 2 of 2
  1. Senior Member teancum144's Avatar
    Join Date
    Jun 2012
    Location
    Pacific Northwest, USA
    Posts
    227

    Certifications
    CISSP, CISA, CPA (inactive), Network+, Security+
    #1

    Default Threat modeling or baseline reporting to assess an application's security posture

    I ran across a question worded similarly to the following:

    For an application that has never had a security assessment, which of the following is the best assessment technique to identify the application's security posture:
    a) Baseline reporting
    b) Protocol analysis
    c) Threat modeling
    d) Functional testing

    I narrowed it down to "a" or "c". I understand baseline reporting, but was less clear on threat modeling.

    According to the Conklin/White book: threat modeling is a communication tool that details how the software can be attacked by an adversary, giving the entire design and development team a chance to see how their design and implementation could be attacked, so that vulnerabilities can be closed or mitigated.

    According to Darril Gibson's book: threat modeling is a process that helps an organization identify and predict threats against an application using likelihood and impact. Threat modeling can improve the security posture of any application.

    Based on the above, I selected "c", but the answer is "a". Thoughts?
    Reply With Quote Quote  

  2. Registered Member Darril's Avatar
    Join Date
    May 2009
    Location
    Virginia Beach, VA
    Posts
    1,569

    Certifications
    MCT, A+, Net+, Security+, CASP, SSCP, CISSP, MCSE, MCITP...
    #2
    It's difficult to get inside the head of a question writer's mind without an explanation from the writer. However, here's what I see.

    The goal is "to identify the application's security posture" which indicates it's current state. Baseline reporting documents normal system performance which would be its current state. Another hint is "never had a security assessment" indicating a baseline was never created.

    In contrast, threat modeling for an application would be done before the application is developed, at least in a perfect world. The goal is to identify potential threats so that they can be mitigated before the application is released.

    Hope this helps.
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks