>_ help
Help & Methodology
How do STRIDE-LM, OWASP ASVS, and the threat-modeling Composer work? An overview of the methodology and frameworks behind these tools.
The Composer
Instead of a knowledge base to browse: you pick your project's assets/features (login, payments, API, ...), optionally the data categories it processes, and its hosting model — the Composer turns that into a deduplicated risk register in three clearly separated layers.
1. Selection
Assets/features, data categories (e.g. health, HR, financial data), and hosting model (on-premise/IaaS/SaaS).
2. STRIDE-LM risks
The relevant threats for each selected asset — deduplicated, no risk appears twice.
3. ASVS 5.0 requirements (code)
Concrete requirements per OWASP ASVS 5.0 — the same list doubles as a developer checklist and as pentest scope.
4. Compensating controls
CIS v8 / NIST CSF controls for infrastructure/operations (WAF, IAM, network segmentation) — defense in depth, not a substitute for clean code.
STRIDE-LM
STRIDE is a model for identifying computer security threats. We use the extended STRIDE-LM variant to map modern cloud and network architectures.
Spoofing
Impersonating someone or something else
Tampering
Modifying data or code
Repudiation
Denying an action
Information Disclosure
Exposing sensitive information
Denial of Service
Crashing or slowing down a service
Elevation of Privilege
Gaining unauthorized access
Lateral Movement
Moving through a network
Monitoring Gaps
Gaps in visibility & logging
OWASP ASVS 5.0
The Application Security Verification Standard defines 345 code-level requirements, each phrased as "Verify that…", across 17 chapters (authentication, authorization, cryptography, ...) — staged cumulatively across three levels. In the Composer, the same list doubles as a developer checklist and as pentest scope.
CIS Controls
The Center for Internet Security (CIS) Controls are a prioritized set of actions that mitigate the most common attacks against systems and networks.
Official website →NIST CSF
The NIST Cybersecurity Framework provides guidance for organizational cybersecurity and risk management.
Official website →NIST AI RMF
The NIST AI Risk Management Framework (AI RMF 1.0, published 2023) is a standalone framework separate from the NIST CSF. It helps organizations identify, assess, and manage risks associated with AI systems — with a focus on trustworthiness, fairness, transparency, and safety.
GDPR
Rather than the full 99-article catalog, we tag only the articles our technical controls actually reference — a complement to, not a replacement for, legal advice. Serves as shared vocabulary for Liechtenstein/Switzerland (DSG/DSV) too, since those closely mirror GDPR.
Controls Library
The Controls Library contains all security controls on the platform, mapped to CIS v8, NIST CSF, NIST AI RMF, OWASP ASVS 5.0, and GDPR. Use the framework filter to view controls by standard — grouped by CIS control group (1–18), NIST CSF function (GV · ID · PR · DE · RS · RC), ASVS chapter, or GDPR article.
Security assessment methodology
The Security Assessment evaluates an organisation's security posture in two tiers. The Quick Check (~40 questions) gives an initial baseline across seven domains. The Deep Assessment then drills into open or partially implemented controls with targeted follow-up questions — up to 142 questions in total.
Quick Check
Fast first assessment, ~40 questions, score 0–100
Deep Assessment
Deep-dive on partial gaps, more detailed recommendations
N/A — Not applicable
Questions can be marked as not applicable and are excluded from scoring
Traffic-light scoring
Green ≥ 70 · Yellow 40–69 · Red < 40 — per domain and overall
TLP 2.0
The Traffic Light Protocol (TLP) is a standard defined by FIRST (Forum of Incident Response and Security Teams) to classify sensitive information. TLP defines who information may be shared with. Version 2.0 comprises five classification levels.
No restriction
Information can be distributed without restriction. Recipients may share this information freely, regardless of source or format.
Community-wide sharing
Information is for the community at large. It may be shared within the community, but not publicly or outside of it.
Limited disclosure
Information may be shared with members of the recipient's own organisation who need to know. It must not be shared outside the organisation.
Direct recipients only
Like TLP:AMBER but more restrictive: information may only be shared with the direct recipients — not further within the organisation.
No disclosure
Information is not for disclosure. It is restricted to direct participants only — including in-person and verbal communications.