Threat Analysis Todo

Needed

  1. page saying what TAs have been done, and haven’t.

  2. Etherpad template for review tracking

  3. process

  4. Improve documentation around context for OpenStack deployments, namely that they reflect best practice, and the documentation should explain what to do when things can be changed.

  5. Add information on filling in interfaces table from diagram.

  6. Remove U-C, O-C, I-C guidance

  7. Add guidance that explains the importance of paying special attention to interfaces that cross trust boundaries

  8. Reviewer to build sequence diagrams in real time during the review

  9. Document how we assess a third party review to be in line with our key security assertions. I think perhaps we need a mapping table or something.

  10. Should we prioritise assets.

  11. Data assets should be listed in the architecture page before the review.

  12. Figure out how to protect etherpad contents while retaining ability to share and collaboratively edit it.

  13. Add ‘review CIA for data assets to process’

  14. change ‘review CIA for each interface’ to ‘ ‘review CIA for each interface that crosses a security domain or each interface that doesn’t use TLS’

  15. Best practice for each type of asset connection

  16. Document what a trust boundary is

  17. Document what an asset is. Config file? elements within a config file?

  18. Document what level of detail we want for external dependencies and give examples.