Tuesday, 16 October 2007

Adam Shostack of Microsoft takes a critical look at threat modeling and changes to TM processes in a short series of posts on the MSDN Security Development Lifecycle (SDL) blog. It's a good read, especially when aligned with Larry Osterman's recent writings (which I mentioned recently) and those of others. If you're not a reader of the SDL blog and you're a security person or developer, I recommend it highly, by the way.

"In this first post of a series on threat modeling, I’m going to talk a lot about problems we had in the past. In the next posts, I’ll talk about what the process looks like today, and why we’ve made the changes we’ve made. I want to be really clear that I’m not critiquing the people who have been threat modeling, or their work. A lot of people have put a tremendous amount of work in, and gotten some good results. There are all sorts of issues that our customers will never experience because of that work. I am critiquing the processes, saying we can do better, in places we are doing better, and I intend to ensure we continue to do better."

Here are quick links to the blog articles by Adam. Anyone interested in secure development needs to know and use a threat modeling process, and a critical view of such processes is important, so it's good to see this healthy example:

(also via Michael Howard's blog, which is a must-read security resource, too)



IT Security | Tech
Tuesday, 16 October 2007 08:06:07 (Pacific Standard Time, UTC-08:00)
Tuesday, 16 October 2007 10:41:05 (Pacific Standard Time, UTC-08:00)
Hi Greg -

another Microsoft security blog that is just starting to get some posts going - hackers at Microsoft:

http://blogs.msdn.com/hackers/default.aspx -


may also be of interest ...

Best,

Matthew
Matthew Mors