>_ AYSOLI SECURITY HUB

>_ help

Help & Methodology

How do STRIDE-LM, OWASP ASVS, and the threat-modeling Composer work? An overview of the methodology and frameworks behind these tools.

The Composer

Instead of a knowledge base to browse: you pick your project's assets/features (login, payments, API, ...), optionally the data categories it processes, and its hosting model — the Composer turns that into a deduplicated risk register in three clearly separated layers.

1. Selection

Assets/features, data categories (e.g. health, HR, financial data), and hosting model (on-premise/IaaS/SaaS).

2. STRIDE-LM risks

The relevant threats for each selected asset — deduplicated, no risk appears twice.

3. ASVS 5.0 requirements (code)

Concrete requirements per OWASP ASVS 5.0 — the same list doubles as a developer checklist and as pentest scope.

4. Compensating controls

CIS v8 / NIST CSF controls for infrastructure/operations (WAF, IAM, network segmentation) — defense in depth, not a substitute for clean code.

Open the Composer

STRIDE-LM

STRIDE is a model for identifying computer security threats. We use the extended STRIDE-LM variant to map modern cloud and network architectures.

Spoofing

Impersonating someone or something else

Tampering

Modifying data or code

Repudiation

Denying an action

Information Disclosure

Exposing sensitive information

Denial of Service

Crashing or slowing down a service

Elevation of Privilege

Gaining unauthorized access

Lateral Movement

Moving through a network

Monitoring Gaps

Gaps in visibility & logging

OWASP ASVS 5.0

The Application Security Verification Standard defines 345 code-level requirements, each phrased as "Verify that…", across 17 chapters (authentication, authorization, cryptography, ...) — staged cumulatively across three levels. In the Composer, the same list doubles as a developer checklist and as pentest scope.

Level 1 — Baseline
Level 2 — Standard
Level 3 — Advanced
Official website

CIS Controls

The Center for Internet Security (CIS) Controls are a prioritized set of actions that mitigate the most common attacks against systems and networks.

Official website

NIST CSF

The NIST Cybersecurity Framework provides guidance for organizational cybersecurity and risk management.

Official website

NIST AI RMF

The NIST AI Risk Management Framework (AI RMF 1.0, published 2023) is a standalone framework separate from the NIST CSF. It helps organizations identify, assess, and manage risks associated with AI systems — with a focus on trustworthiness, fairness, transparency, and safety.

Govern
Map
Measure
Manage
Official website

GDPR

Rather than the full 99-article catalog, we tag only the articles our technical controls actually reference — a complement to, not a replacement for, legal advice. Serves as shared vocabulary for Liechtenstein/Switzerland (DSG/DSV) too, since those closely mirror GDPR.

Art. 6, 7Art. 17Art. 25Art. 28Art. 32
Official website

Controls Library

The Controls Library contains all security controls on the platform, mapped to CIS v8, NIST CSF, NIST AI RMF, OWASP ASVS 5.0, and GDPR. Use the framework filter to view controls by standard — grouped by CIS control group (1–18), NIST CSF function (GV · ID · PR · DE · RS · RC), ASVS chapter, or GDPR article.

CIS v8NIST CSFNIST AI RMFOWASP ASVS 5.0GDPR
Open Controls Library

Security assessment methodology

The Security Assessment evaluates an organisation's security posture in two tiers. The Quick Check (~40 questions) gives an initial baseline across seven domains. The Deep Assessment then drills into open or partially implemented controls with targeted follow-up questions — up to 142 questions in total.

Quick Check

Fast first assessment, ~40 questions, score 0–100

Deep Assessment

Deep-dive on partial gaps, more detailed recommendations

N/A — Not applicable

Questions can be marked as not applicable and are excluded from scoring

Traffic-light scoring

Green ≥ 70 · Yellow 40–69 · Red < 40 — per domain and overall

Start assessment

TLP 2.0

The Traffic Light Protocol (TLP) is a standard defined by FIRST (Forum of Incident Response and Security Teams) to classify sensitive information. TLP defines who information may be shared with. Version 2.0 comprises five classification levels.

TLP:CLEAR

No restriction

Information can be distributed without restriction. Recipients may share this information freely, regardless of source or format.

TLP:GREEN

Community-wide sharing

Information is for the community at large. It may be shared within the community, but not publicly or outside of it.

TLP:AMBER

Limited disclosure

Information may be shared with members of the recipient's own organisation who need to know. It must not be shared outside the organisation.

TLP:AMBER+STRICT

Direct recipients only

Like TLP:AMBER but more restrictive: information may only be shared with the direct recipients — not further within the organisation.

TLP:RED

No disclosure

Information is not for disclosure. It is restricted to direct participants only — including in-person and verbal communications.

Official FIRST TLP standard