[WEB SECURITY] Re: [SC-L] [WEB SECURITY] Are people using Threat modeling?
gem at cigital.com
Wed May 12 09:29:51 EDT 2010
In BSIMM2 (which launched today), there are some real data under the "Architecture Analysis" practice which show exactly how common (or not) 10 threat modeling activities are in our population of 30 firms. For the actual data, see
http://bsimm2.com/facts/ (or better yet, download BSIMM2 for the complete treatment).
On 5/11/10 2:15 PM, "Romain Gaucher" <rgaucher at cigital.com> wrote:
Yes, "we" use Threat Modeling a lot. In fact, I believe it's one of the best tool to conduct an efficient assessment of an application.
After, there might be no need to use tools like MS TM, but a white board and few hours are fine (largely correlated with the size of the apps, the scope of the assessment and the complexity of the architecture).
I found TM also very useful to decide which assessment framework to use (how much time should be used on pen-test, how much on fuzzing, how much on code review, etc.); no need to say though that the main problem with TM is that you almost need to be an expert to run it (unless you use the MS card game -- which I'd love to get ;)
Sr. consultant, Cigital | @rgaucher
From: Matt Parsons [mparsons1980 at gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; OWASPDallas at utdallas.edu; SC-L at securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?
Are people using threat modeling for their clients? I just started having an interest in it with my clients and it is amazing on what you find with threat modeling. I have been using the Microsoft Threat Analysis tool. What other tools are people using?
Matt Parsons, MSM, CISSP
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1980 at gmail.com
[cid:image001.jpg at 01CAF0FD.96DE65B0]
[cid:image002.jpg at 01CAF0FD.96DE65B0]
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
More information about the websecurity