The CPSSA module delegates its functions to existing open-source software solutions for Threat Analysis and Risk Assessment (TARA). These include OpenTRICK for a comprehensive risk management tool, assisting in assessing risk and planning actions according to ISO/IEC 27005, threagile for DevSecOps oriented threat modelling (TM) and security risk assessment (SRA), ADTool for attack tree modelling and analysis, OWASP Threat Dragon for GUI-based TM and Capella Darc Viewpoint for more advanced and detailed TM using Capella for model-based systems engineering, following the ARCADIA method.
For more information, we refer the reader to our CPSSA report, published as part of the knowledge base elements of C5-DEC; see the README section on the C5-DEC knowledge base (KB) reports to learn about gaining access to these. In our CPSSA report, in addition to providing a literature review, we describe our threat modelling and security risk assessment method adapted to the Common Criteria, while building on best practices and well-established methods such as the hybrid method developed by the software engineering institute (SEI) of Carnegie Mellon University (CMU).
For agile development, we recommend the use of threagile, while for more comprehensive risk management according to ISO/IEC 27005 with a detailed quantitative risk assessment approach following the ROSI method, we recommend TRICK Service, enabled by the open-source OpenTRICK software, also further improved and released as open-source software in project CyFORT.