I think one of the big problems with every methodology, and every attempt to come up with a unified vulnerability or threat ontology, is that a security problem can also be “whatever the user doesn’t like.” These types of things always run into problems caused by the mixing of syntactic and semantic threats, without attempting to distinguish between the two.
Then every threat library derived from these doomed ontologies end up either over complex or insufficiently complex to represent the problem set. At least that’s my take. I could be wrong.
Adding in the VSM actually makes things a lot easier, because all your threats will align through viability. So then a threat can be more formally defined as “Any behavior systemic of the system under test that threatens the viability of the parent system, given that the behavior can be intentionally invoked.”
The VSM also just happens to be a threat model, though it never seems to be described as such.
I think one of the big problems with every methodology, and every attempt to come up with a unified vulnerability or threat ontology, is that a security problem can also be “whatever the user doesn’t like.” These types of things always run into problems caused by the mixing of syntactic and semantic threats, without attempting to distinguish between the two.
Then every threat library derived from these doomed ontologies end up either over complex or insufficiently complex to represent the problem set. At least that’s my take. I could be wrong.
Adding in the VSM actually makes things a lot easier, because all your threats will align through viability. So then a threat can be more formally defined as “Any behavior systemic of the system under test that threatens the viability of the parent system, given that the behavior can be intentionally invoked.”
The VSM also just happens to be a threat model, though it never seems to be described as such.