Threat modeling systems and related methods including compensating controls
Abstract
Threat modeling methods include, in response to receiving user input using computing device interfaces: storing threat model components, threats, and security requirements in one or more databases; associating each threat with a component; storing an indication of whether each security requirement is a compensating control; associating each compensating control with one of the threats; displaying a diagram of one of a system, an application, and a process, using visual representations of the components, the diagram defining a threat model; displaying a threat report displaying each threat associated with one of the components included in the threat model; and displaying a report displaying each compensating control associated with one of the threats included in the threat report. Threat modeling systems include one or more computing devices coupled with one or more databases and having interfaces for storing, associating, displaying, and editing the components, threats, and security requirements in various ways.
Claims (20 in total; the independent claims 1, 10 and 20 are reproduced below)
1. A threat modeling method, comprising:
in response to receiving one or more user inputs, using one or more interfaces displayed on one or more displays of one or more computing devices communicatively coupled with one or more databases;
storing a plurality of threat model components in the one or more databases;
storing a plurality of threats in the one or more databases;
associating each threat with at least one of the threat model components through the one or more databases;
storing a plurality of security requirements in the one or more databases, including storing an indication of whether each security requirement is a compensating control;
associating each compensating control with at least one of the threats through the one or more databases;
displaying a relational diagram of one of a system, an application, and a process, using visual representations of one or more of the threat model components, the relational diagram defining a threat model;
generating and displaying a threat report displaying each threat that is associated through the one or more databases with one of the threat model components included in the threat model; and
generating and displaying a report displaying each compensating control that is associated through the one or more databases with one of the threats included in the threat report.
Dependent claims 2, 3, 4, 5, 6, 7, 8 and 9 are not reproduced here.
10. A threat modeling system, comprising:
one or more computing devices communicatively coupled with one or more databases, the one or more computing devices displaying, on one or more displays of the one or more computing devices:
one or more input interfaces configured to, in response to receiving one or more user inputs, store a plurality of user-defined threat model components in the one or more databases, store a plurality of threats in the one or more databases, associate each of the threats with at least one of the threat model components through the one or more databases, store a plurality of security requirements in the one or more databases including an indication for each security requirement indicating whether it comprises a compensating control, and associate each compensating control with at least one of the threats through the one or more databases;
a diagram interface configured to, in response to receiving one or more user inputs, diagram one of a system, an application, and a process, using visual representations of the threat model components stored in the one or more databases, to define a threat model;
a threat report interface including a threat report displaying each threat that is associated through the one or more databases with one of the threat model components included in the threat model; and
a compensating control report displaying each compensating control that is associated through the one or more databases with one of the threats included in the threat report.
Dependent claims 11, 12, 13, 14, 15, 16, 17, 18 and 19 are not reproduced here.
20. A threat modeling system, comprising:
one or more computing devices communicatively coupled with one or more databases, the one or more computing devices displaying, on one or more displays of the one or more computing devices:
one or more input interfaces configured to, in response to receiving one or more user inputs, store a plurality of user-defined threat model components in the one or more databases, store a plurality of threats in the one or more databases, associate each of the threats with at least one of the threat model components through the one or more databases, store a plurality of security requirements in the one or more databases including an indication for each security requirement indicating whether it comprises a compensating control, and associate each compensating control with at least one of the threats through the one or more databases;
a diagram interface configured to, in response to receiving one or more user inputs, diagram one of a system, an application, and a process, using visual representations of the threat model components stored in the one or more databases, to define a threat model;
a threat report interface including a threat report displaying each threat that is associated through the one or more databases with one of the threat model components included in the threat model;
a compensating control report displaying: each compensating control that is associated through the one or more databases with one of the threats included in the threat report; the threat included in the threat report that is associated with that compensating control (mitigatable threat); and a threat status for each mitigatable threat indicating whether it has been mitigated; and
a mitigations interface displaying all threats included in the threat report that are associated through the one or more databases with a selected compensating control, the mitigations interface identifying which of the displayed threats are mitigatable by the selected compensating control, the mitigations interface comprising one or more input fields configured to, in response to receiving one or more user inputs, change the threat status of all threats mitigatable by the selected compensating control to a mitigated status.
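As an added illustration (not code from the patent or its assignee), the following Python sketch models the data relationships that claims 1, 10 and 20 describe: stored components, threats and security requirements carrying the compensating-control indication, the threat report derived from the diagrammed components, the compensating control report with per-threat status, and the mitigations interface that marks every threat mitigatable by a selected control. The component, threat and requirement names are constructed sample data.

```python
class ThreatModelStore:
    """In-memory stand-in for the claims' 'one or more databases'."""

    def __init__(self):
        self.components = set()    # threat model components
        self.threats = {}          # threat -> components it is associated with
        self.requirements = {}     # security requirement -> True if a compensating control
        self.control_threats = {}  # compensating control -> threats it addresses
        self.status = {}           # threat -> "open" or "mitigated"

    def add_threat(self, threat, components):
        self.threats[threat] = set(components)
        self.status[threat] = "open"

    def associate_control(self, control, threat):
        # Only requirements whose stored indication marks them as compensating controls qualify.
        if not self.requirements.get(control):
            raise ValueError(f"{control!r} is not flagged as a compensating control")
        self.control_threats.setdefault(control, set()).add(threat)

    def threat_report(self, diagram):
        """Every threat tied to a component drawn in the diagram (the threat model)."""
        return sorted(t for t, comps in self.threats.items() if comps & set(diagram))

    def compensating_control_report(self, diagram):
        """Control -> [(mitigatable threat, status)], limited to the threat report."""
        in_report = set(self.threat_report(diagram))
        return {c: [(t, self.status[t]) for t in sorted(ts & in_report)]
                for c, ts in self.control_threats.items() if ts & in_report}

    def mitigate_all(self, control, diagram):
        """The mitigations interface: mark every threat mitigatable by the control."""
        hits = [t for t, _ in self.compensating_control_report(diagram).get(control, [])]
        self.status.update(dict.fromkeys(hits, "mitigated"))
        return hits


def build_sample_store():
    """Constructed sample data for illustration; not taken from the patent."""
    s = ThreatModelStore()
    s.components.update({"web_app", "database", "mail_server"})
    s.add_threat("SQL injection", ["web_app", "database"])
    s.add_threat("credential stuffing", ["web_app"])
    s.add_threat("open relay abuse", ["mail_server"])
    s.requirements.update({"parameterized queries": False,
                           "web application firewall": True, "rate limiting": True})
    s.associate_control("web application firewall", "SQL injection")
    s.associate_control("web application firewall", "credential stuffing")
    s.associate_control("rate limiting", "credential stuffing")
    return s
```

A diagram that draws only `web_app` and `database` yields a threat report without the mail server threat, so the compensating control report and the mitigations interface are scoped to that threat model.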
Specification