Threat models related to vulnerabilities

Are you familiar with any threat models that include the identification of either CWE weaknesses or CVE vulnerabilities with respect to specific system constituents?

Hi @avish here is something which might be relevant:
https://center-for-threat-informed-defense.github.io/mappings-explorer/external/cve/

While I understand the importance of identifying CWE weaknesses and CVE vulnerabilities, I believe that threat modeling typically focuses on brainstorming and analyzing system diagrams to identify potential threats and attack vectors. This process is more about understanding the system’s architecture and identifying where threats might occur, rather than pinpointing specific weaknesses or vulnerabilities. For the latter, vulnerability management practices are more appropriate as they are specifically designed to identify, assess, and mitigate known vulnerabilities.

Additionally, for a more technical and in-depth analysis of threats, frameworks like the OWASP Top 10 and MITRE ATT&CK can be very useful. These resources are invaluable for understanding and defending against sophisticated cyber threats.

Thank you Qasim.
I was looking for more concrete threat models, meaning ones that analyse specific systems.

But since you provided the link, may I ask what is the added value of this project when compared with the NVD knowledge base (for example)? Is it simply associating CVEs with ATT&CK techniques? (in NVD, there is no such association).

I completely understand this viewpoint.

However, I think that one of the ways to properly identify/communicate potential threats and mitigation is based on the vulnerabilities (specifically, class of vulnerabilities as in CWE) that can be exploited in a system.

Yes, correct: the association provides the vulnerability context to attacks.
It would be helpful if you could share a bit more detail about the problem statement/challenge or requirement you’re having.

I’m trying to find case studies for the research I’m doing.
Basically, we’re expanding the TRADES Threat/Security modelling platform with vulnerability management capabilities. The basics are explained in this article:

I’m interested in translating existing threat models (with vulnerabilities or without!) into our new models and show the value of that (including in automated reasoning). I was hoping for some real threat models or even SBOM. If anyone can offer theirs, please contact me.

Hi Avish,

if SBOM is interesting for you, you could try generating one for the OWASP WebGoat project. Findings are guaranteed :crossed_fingers: I would also search for tutorial code on more complex use cases: something like a Google example of service discovery with, say, a Spring Boot based stack. It will include 3-4 services including a DB. You don’t need to go through setting it up to generate the SBOMs for those… if I understand correctly, close to realistic data would be enough; you don’t necessarily need a model of a working system, and SBOM generation is imho easier than getting access to TMs. The problem is they are sensitive by nature…

Thanks!
I know they are “sensitive by nature” - that’s why I’m struggling :slight_smile:
Thanks for the WebGoat tip. I did not know it and will look into it.
I was actually thinking of generating SBOMs myself, for prominent open source projects, and then to try to generate threat models based on the SBOM. Any suggestions for leading candidates (open source projects that are interested in terms of SBOM and in terms of potential impact of vulnerabilities)?

Hi,

very interesting paper! Might I ask what approach you take for reasoning? Is it by chance something based on formal argumentation / argumentation graphs?

As per the list:
The Linux Foundation has a sub-foundation, the Open Source Security Foundation, which has a working group for “Securing Critical Open Source Projects”. They have derived their own take on what is critical, leading the page below with the reasoning behind the assessment of criticality in the first place.

wg-securing-critical-projects/Initiatives/Identifying-Critical-Projects/Version-1.1 at main · ossf/wg-securing-critical-projects · GitHub

It seems to me, it is something of potential interest for you:

  • open-source, so you can generate SBOMs
  • very diverse, including:
    • cmd apps like curl
    • various libraries like libpng or jackson-core
    • more complex applications & middleware (Eclipse, Jenkins, MariaDB, MySQL, LLVM)
    • or, surprise … Linux

On second thought, as these are open-source projects and this is the working group aiming to secure them, they might have threat models too… I would reach out to them or the respective project directly to double-check.

Kr.: Daniel

Hi,

Daniel, thanks for the kind words and suggestions.

Yes, the approach we implemented is based on formal logic. Specifically, we use first order logic. It’s quite simple, yet, I believe, effective.

The paper I previously mentioned shows the implementation of the first order logic reasoning, and we have another implementation of the same logic in Prolog (but using TRADES has the advantage of getting vulnerabilities and weaknesses from NVD and MITRE).

If it is of any interest, I would be happy to introduce the logic and help in any implementation.
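As an added illustration of the two ideas raised in this thread (deriving a threat model from an SBOM, and reasoning over vulnerabilities and weaknesses with first-order logic), the following is a small forward-chaining reasoner over Horn clauses. It is example code written for this page; it is not TRADES' formalism, not the paper's implementation, and not a real NVD or CycloneDX parser. The SBOM fragment, the CVE identifiers (`CVE-0000-000x`), the deployment facts and the rules are all constructed placeholders.

```python
"""Toy forward-chaining reasoner: SBOM components -> CVEs -> CWE classes -> threats.

Constructed example. The SBOM, vulnerability feed, deployment facts and rules are
invented for illustration; they are not real NVD data or any project's formalism.
"""
import json

# Constructed CycloneDX-style SBOM fragment with placeholder package URLs.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libexample-parser", "version": "1.2.0", "purl": "pkg:generic/libexample-parser@1.2.0"},
    {"name": "example-auth",      "version": "3.0.1", "purl": "pkg:generic/example-auth@3.0.1"},
    {"name": "example-logger",    "version": "0.9.0", "purl": "pkg:generic/example-logger@0.9.0"}
  ]
}
"""

# Constructed vulnerability feed: placeholder CVE id -> affected purl, CWE class.
VULN_FEED = [
    {"cve": "CVE-0000-0001", "purl": "pkg:generic/libexample-parser@1.2.0", "cwe": "CWE-787"},
    {"cve": "CVE-0000-0002", "purl": "pkg:generic/example-auth@3.0.1", "cwe": "CWE-287"},
]

# Constructed deployment facts: which system constituent embeds which component,
# which constituents face an untrusted network, and who calls whom.
DEPLOYMENT = {
    "part_of": [("pkg:generic/libexample-parser@1.2.0", "ingest-service"),
                ("pkg:generic/example-auth@3.0.1", "api-gateway"),
                ("pkg:generic/example-logger@0.9.0", "ingest-service")],
    "exposed": ["api-gateway"],
    "calls": [("api-gateway", "ingest-service")],
}

# Horn clauses: (head, [body atoms]); terms starting with "?" are variables.
RULES = [
    (("reachable", "?C"), [("exposed", "?C")]),
    (("reachable", "?B"), [("reachable", "?A"), ("calls", "?A", "?B")]),
    (("weak", "?S", "?W"), [("part_of", "?P", "?S"), ("has_cve", "?P", "?V"), ("cve_cwe", "?V", "?W")]),
    (("threat", "?S", "?W"), [("weak", "?S", "?W"), ("reachable", "?S")]),
]


def load_facts():
    """Translate the SBOM, feed and deployment description into ground facts."""
    facts = set()
    for comp in json.loads(SBOM_JSON)["components"]:
        facts.add(("component", comp["purl"]))
    for v in VULN_FEED:
        facts.add(("has_cve", v["purl"], v["cve"]))
        facts.add(("cve_cwe", v["cve"], v["cwe"]))
    for purl, constituent in DEPLOYMENT["part_of"]:
        facts.add(("part_of", purl, constituent))
    for constituent in DEPLOYMENT["exposed"]:
        facts.add(("exposed", constituent))
    for caller, callee in DEPLOYMENT["calls"]:
        facts.add(("calls", caller, callee))
    return facts


def is_var(term):
    return isinstance(term, str) and term.startswith("?")


def unify(pattern, fact, subst):
    """Extend subst so that pattern matches fact, or return None on conflict."""
    if len(pattern) != len(fact):
        return None
    s = dict(subst)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in s and s[p] != f:
                return None
            s[p] = f
        elif p != f:
            return None
    return s


def solve(body, facts, subst=None):
    """Yield every substitution that satisfies all atoms of body against facts."""
    subst = subst or {}
    if not body:
        yield subst
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        s = unify(first, fact, subst)
        if s is not None:
            yield from solve(rest, facts, s)


def forward_chain(facts, rules):
    """Apply rules to a fixpoint (naive forward chaining)."""
    facts = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            # Materialise matches first: facts must not change mid-iteration.
            for s in list(solve(body, facts)):
                new = tuple(s.get(t, t) for t in head)
                if new not in facts:
                    facts.add(new)
                    changed = True
    return facts


def derived(facts, predicate):
    """Return the argument tuples of every derived fact with this predicate."""
    return sorted(f[1:] for f in facts if f[0] == predicate)


def analyse():
    facts = forward_chain(load_facts(), RULES)
    return {pred: derived(facts, pred) for pred in ("reachable", "weak", "threat")}


if __name__ == "__main__":
    for pred, rows in analyse().items():
        print(pred, rows)
```

The `weak` predicate is what an SBOM plus a vulnerability feed can give you on its own (component, CVE, CWE class); `threat` is only derivable once deployment knowledge is added (which constituent embeds the component, and whether an attacker can reach it), which is the gap between vulnerability management and a threat model that the thread is discussing. Swapping the rule set for a Prolog program would be a direct translation, since the rules are plain Horn clauses.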

Hi Avish,

I will dive into the paper in more detail over the weekend and probably get back to you with a couple of questions. I have been planning to create a little tool based on predicate logic myself for a while now; it would be nice to exchange ideas. I will PM you when I am done with the paper.

Kr

Please do. I would be happy to discuss it further, and even show you the formalism.

BTW, the final version of the paper was just published today: Modelling Tool Extension for Vulnerability Management | Proceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems