Is this initiative still active?
Haven't seen updates since 2021. I've been looking for uses of ontology to derive threats from descriptions of infrastructure. This one at least derives them from DFDs, but in Threat Dragon format.
Jaxley, this tool was developed based on research made by Andrei Brazhuk https://scholar.google.com/citations?user=lxR8RLkAAAAJ&hl=pt-BR&oi=sra. No papers released after 2021.
I'm currently researching threat elicitation with recommender system support. An initial proof-of-concept tool called "Threat Copilot" has been developed and published at https://github.com/yurix/threatcopilot
[]s
@Jaxley, @Yurix, nice to meet you.
We are still working on the project. In 2021 and afterwards we made some contributions, in particular:
- we created an integrated model of ATT&CK, CAPEC, and CWE, described in this preprint.
- recently, we researched a way of creating semantic models from Docker Compose configurations and analysing their security with ontologies, automatic reasoning, SPARQL, etc., which seems to be very close to what @Jaxley is looking for. Details are in the preprint.
If there is still interest in our work, we could discuss it in any form. My email is andrew. brazhuk (at) gmail. com
@Yurix, the Threat Copilot seems to be a promising project. Is there a description of it in English?
@nets4geeks, hi!
Recently I have published a paper about the tool:
Abstract. Secure software development processes aim to ensure that products can operate effectively even in the face of attacks. One relevant activity in a secure development lifecycle is identifying security flaws proactively through threat modeling. Various threat modeling methods have been proposed in both industry and academic research. Despite this, integrating this activity into development teams has not been straightforward. This paper introduces a tool named "Threat Copilot", which is a knowledge-based recommendation system. Its purpose is to identify threats by comparing them to pre-existing threat models within an organization. Preliminary results indicate that the tool can be useful in facilitating threat elicitation.