The Problem
I'm sure I'm not the only one who has found Freemind to be a useful tool when building threat models, however it far from perfect.
So my thoughts are to identify and implement changes/enhancements/improvements to Freemind that would be it more useful in representing:
- System Data - how do we store the essential characteristics of the system under evaluation in some structured yet easy to edit and view from multiple perspectives and levels of abstraction?
- Threat/Vulnerability/Countermeasure Data - how can we add threat agents, outcomes, techniques, known/potential vulnerabilities, and countermeasures into the mind map
Automated analysis and reporting is a harder problem that I suggest we ignore until we solve the representation issue.
Examples
Here are some examples of what I'm talking about. I'll be adding more as I get them.
Browser Attack Tree
Links
Last updated 11/25/05