Referências
===========

Modelagem de ameaças
--------------------

O simples fato de ser listada como *referência* não significa que seja endossada.

* `DREAD <https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)>`_: criado pela Microsoft e descontinuado em 2008, é também um sistema de modelagem de ameaça e um mnemônico. Ele é dividido em cinco categorias: Damage, Reproducibility, Exploitability, Affected users e Discoverability (DREAD).
* `STRIDE <http://msdn.microsoft.com/en-us/magazine/cc163519.aspx>`_: sucessor do DREAD, framework criado pela Microsoft voltado para a elaboração de modelos de ameaças para softwares. O sistema é dividido em seis categorias de ameaças: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of service e Elevation of privilege.
* `TRIKE <http://octotrike.org/>`_ (`resumo <https://wiki.openitp.org/cts:4:ella_threat_modelling>`_): criada em 2006, é uma metodologia de modelagem open source. Utiliza apenas duas categorias de ameaça: Elevação de Privilégio ou Negação de Serviço. A versão mais recente (2.0), baseada em palestras, não está disponível.
* `MISP - Malware Information Sharing Platform & Threat Sharing <https://github.com/MISP/MISP>`_.
* `Security risk levels defined | Drupal.org <https://www.drupal.org/security-team/risk-levels>`_.
* `OCRG1.1:Application Threat Modeling - OWASP <https://www.owasp.org/index.php/OCRG1.1:Application_Threat_Modeling>`_.
* `Wikpedia - SWOT Analysis <https://en.wikipedia.org/wiki/SWOT_analysis>`_.
* `OpenIntegrity <https://openintegrity.org>`_.
* `EFF SSD - Introduction to Threat Modeling <https://ssd.eff.org/en/module/introduction-threat-modeling>`_.
* `Threat Assessment & Remediation Analysis (TARA) <https://www.mitre.org/sites/default/files/pdf/11_4982.pdf>`_.
* `Seasponge <https://mozilla.github.io/seasponge>`_ (`código <https://github.com/mozilla/seasponge>`_, `sobre <https://threatpost.com/students-build-open-source-web-based-threat-modeling-tool/111959>`_).
* `SAFETAG - Security Auditing Framework and Evaluation Template for Advocacy Groups <https://safetag.org>`_.
* `ISO/IEC 27000 (ISO27K) <https://en.wikipedia.org/wiki/ISO/IEC_27000-series>`_: padrão ISO/IEC para segurança da informação.
* `X.1051 : Information technology - Security techniques - Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations <https://www.itu.int/rec/T-REC-X.1051>`_
    * `ITU-T Rec. Series X Supplement 13 (09/2018) ITU-T X.1051 - Supplement on information security management users' guide <https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.Sup13-201809-I!!PDF-E&type=items>`_

Exemplos de modelos de ameaça
-----------------------------

Alguns exemplos de documentos de modelo de ameaça para software:

* `The Design and Implementation of The Tor Browser <https://www.torproject.org/projects/torbrowser/design/>`_.
* `Tor design <https://svn.torproject.org/svn/projects/design-paper/tor-design.html#subsec:threat-model>`_.
* `Mailpile <https://github.com/mailpile/Mailpile/wiki/Threat-model>`_.
* `Protonmail <https://blog.protonmail.ch/protonmail-threat-model/>`_.
* `Tails <https://tails.boum.org/contribute/design/#index2h2>`_.
* `I2P <https://geti2p.net/en/docs/how/threat-model>`_.
* `Freenet <https://wiki.freenetproject.org/Threat_model>`_.
* `Cryptocat <https://github.com/cryptocat/cryptocat/wiki/Threat-Model>`_.
* `Pond <https://pond.imperialviolet.org/threat.html>`_.
* `TextSecure <https://github.com/WhisperSystems/TextSecure/issues/782>`_.

Políticas de segurança
----------------------

Algumas referências e modelos de política de segurança:

* `Organizational Security Policy | Access Now Digital Security Helpline Public Documentation <https://communitydocs.accessnow.org/370-Organizational_Security_Policy.html>`_.
* `Frontline Policies <https://frontlinepolicies.openbriefing.org/home>`_.
* `Method: Organizational Policy Review | Safetag <https://safetag.org/methods/organizational_policies>`_.
* `Information Security Policy Templates | SANS Institute <https://www.sans.org/information-security-policy/>`_.
* `SDA - Safe and Documented for Activism <https://sdamanual.org/>`_.
* `lfit/itpol: Useful IT policies <https://github.com/lfit/itpol/>`_.
* `tailscale/policies: Security policies for Tailscale <https://github.com/tailscale/policies>`_.
* `Cybersecurity Assessment Tool / Ford Foundation <https://www.fordfoundation.org/work/our-grants/building-institutions-and-networks/cybersecurity-assessment-tool/>`_.
* `SecurityManagement - Debian Wiki <https://wiki.debian.org/SecurityManagement>`_.
* `OpenSSL Security Policy <https://www.openssl.org/policies/general/security-policy.html>`_.
* `Providers' Commitment for Privacy <https://policy.fluxo.info/policy/>`_.
* `Risk analysis for Security Trainings - Tor Project <https://community.torproject.org/training/risks/>`_.
* `Traffic Light Protocol (TLP) <https://www.first.org/tlp/>`_ (`versão CISA <https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage>`_, `artigo na Wikipedia <https://en.wikipedia.org/wiki/Traffic_Light_Protocol>`_).
* `Chatham House Rule <https://en.wikipedia.org/wiki/Chatham_House_Rule>`_.
* `OWASP Cheat Sheet Series <https://cheatsheetseries.owasp.org>`_.