Tuesday, October 16, 2007

Adam Shostack of Microsoft takes a critical look at threat modeling and changes to TM processes in a short series of posts on the MSDN Security Development Lifecycle (SDL) blog. It's a good read, especially when aligned with Larry Osterman's recent writings (which I mentioned recently) and those of others. If you're not a reader of the SDL blog and you're a security person or developer, I recommend it highly, by the way.

"In this first post of a series on threat modeling, I’m going to talk a lot about problems we had in the past. In the next posts, I’ll talk about what the process looks like today, and why we’ve made the changes we’ve made. I want to be really clear that I’m not critiquing the people who have been threat modeling, or their work. A lot of people have put a tremendous amount of work in, and gotten some good results. There are all sorts of issues that our customers will never experience because of that work. I am critiquing the processes, saying we can do better, in places we are doing better, and I intend to ensure we continue to do better."

Here are quick links to the blog articles by Adam. Those interested in secure development need to know and use a threat modeling process, and a critical view of those processes is important, so it's good to see this healthy example:

(also via Michael Howard's blog, which is a must-read security resource, too)



IT Security | Tech
Tuesday, October 16, 2007 8:06:07 AM (Pacific Standard Time, UTC-08:00)
Tuesday, October 16, 2007 10:41:05 AM (Pacific Standard Time, UTC-08:00)
Hi Greg -

Another Microsoft security blog that is just starting to get some posts going - Hackers at Microsoft:

http://blogs.msdn.com/hackers/default.aspx

may also be of interest ...

Best,

Matthew
Matthew Mors