From: Eleanor S. <el...@dy...> - 2011-05-04 17:18:19
Going from the latest version on octotrike.org, here's some stuff that we need more help around:

Entire spreadsheet:
  o What actions will break the spreadsheet?
  o What are the applicability columns for?

Actor tab:
  o What do "favored user", "authenticated", "attacker", and (especially) "uses system", "used by system", "shared", and "shared resources" imply?
  o What are the privileges columns for and how do they work?

Data Model tab:
  o What do "shared" and "transient" mean?

Intended Actions tab:
  o Where do we specify the rules for "conditional"?

Connections tab:
  o What does "shared" mean?
  o Do the from/to/OSI layer/traverses/protocol columns matter? For what?
  * The to and from targets are misformatted/whited out

Protocols tab:
  o What is this tab for?

Threats tab:
  * Can we have a "nonsensical" marking, instead of just ignoring it in the security objectives?
  o What do the different severity levels affect?

Security Objectives tab:
  o What should populate the "prohibited threats" and "initial configuration" columns?

Use Case Details:
  o What goes in the "choice", "terminal", "variation", and "attacker influenced" columns?

This is a combination of things that I don't understand at the moment and questions which I think someone else would have. I'm assuming here that someone gets the basics of what an actor, asset, etc., is, which obviously isn't true in general, but that's a different level of docs.

I know some of the above are for things which aren't hooked up yet, which is fine, but we should have a list somewhere in the help of which bits of data aren't hooked up/fully factored.

Also, we should put a spreadsheet version number in the System Overview tab, so we can tell if we're using a current revision of the spreadsheet/what problems a spreadsheet is likely to have, and probably start keeping a changelog, possibly also in the help.

E.

--
Ideas are my favorite toys.