|

 
|
| | Name : | Matt Bishop | Organization : | University of California Davis | Post Date : | 9/30/2005 |
| Section : | 20.1.5 | Page no. : | | Line no.: | | Comment : | *Note: Comment referring to threat modeling section of author's document
Only vendors have sufficient information—a detailed model and a working system—to perform a good attack
tree analysis. The standards should force the vendor to do so: they should require vendors to produce elaborated
attack trees that contain no unmitigated paths since each path is either annotated with the countermeasures or prohibitively expensive. The standards can and should guide the vendor’s analysis by providing partially
expanded attack trees that contain known threats to election systems. The standards might require vendors to
use these partial trees as the starting point of their own vulnerability analysis. | |
|
|