[WEB SECURITY] Re: [SC-L] [WEB SECURITY] Are people using Threat modeling?

Gary McGraw gem at cigital.com
Wed May 12 09:29:51 EDT 2010

hi matt,

In BSIMM2 (which launched today), there are some real data under the "Architecture Analysis" practice which show exactly how common (or not) 10 threat modeling activities are in our population of 30 firms.  For the actual data, see
http://bsimm2.com/facts/ (or better yet, download BSIMM2 for the complete treatment).


company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 5/11/10 2:15 PM, "Romain Gaucher" <rgaucher at cigital.com> wrote:

Yes, "we" use Threat Modeling a lot. In fact, I believe it's one of the best tool to conduct an efficient assessment of an application.
After, there might be no need to use tools like MS TM, but a white board and few hours are fine (largely correlated with the size of the apps, the scope of the assessment and the complexity of the architecture).
I found TM also very useful to decide which assessment framework to use (how much time should be used on pen-test, how much on fuzzing, how much on code review, etc.); no need to say though that the main problem with TM is that you almost need to be an expert to run it (unless you use the MS card game -- which I'd love to get ;)

  Sr. consultant, Cigital | @rgaucher

From: Matt Parsons [mparsons1980 at gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; OWASPDallas at utdallas.edu; SC-L at securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?

Are people using threat modeling for their clients?  I just started having an interest in it with my clients and it is amazing on what you find with threat modeling.   I have been using the Microsoft Threat Analysis tool.   What other tools are people using?

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1980 at gmail.com

[cid:image001.jpg at 01CAF0FD.96DE65B0]

[cid:image002.jpg at 01CAF0FD.96DE65B0]

Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list