[WEB SECURITY] Are people using Threat modeling?

Peter Parker peterparker at fastmail.fm
Sun May 16 11:21:05 EDT 2010


I have been using TM for most of my audits and even for plotting complex
solutions...  Whiteboard and FreeMind are my favorites.

Cheers!
Peter


On Tue, 11 May 2010 14:15:51 -0400, "Romain Gaucher"
<rgaucher at cigital.com> said:
> Yes, "we" use Threat Modeling a lot. In fact, I believe it's one of the
> best tools to conduct an efficient assessment of an application.
> After, there might be no need to use tools like MS TM, but a whiteboard
> and a few hours are fine (largely correlated with the size of the apps, the
> scope of the assessment and the complexity of the architecture).
> I found TM also very useful to decide which assessment framework to use
> (how much time should be used on pen-test, how much on fuzzing, how much
> on code review, etc.); no need to say though that the main problem with
> TM is that you almost need to be an expert to run it (unless you use the
> MS card game -- which I'd love to get ;)
> 
> Romain,
>   Sr. consultant, Cigital | @rgaucher
> 
> ________________________________________
> From: Matt Parsons [mparsons1980 at gmail.com]
> Sent: Tuesday, May 11, 2010 12:32 PM
> To: 'Webappsec Group'; OWASPDallas at utdallas.edu; SC-L at securecoding.org
> Subject: [WEB SECURITY] Are people using Threat modeling?
> 
> Are people using threat modeling for their clients? I just started
> having an interest in it with my clients and it is amazing what you
> find with threat modeling. I have been using the Microsoft Threat
> Analysis tool. What other tools are people using?
> Thanks,
> Matt
> 
> 
> Matt Parsons, MSM, CISSP
> 315-559-3588 Blackberry
> 817-294-3789 Home office
> "Do Good and Fear No Man"
> Fort Worth, Texas
> A.K.A The Keyboard Cowboy
> mailto:mparsons1980 at gmail.com
> http://www.parsonsisconsulting.com
> http://www.o2-ounceopen.com/o2-power-users/
> http://www.linkedin.com/in/parsonsconsulting
> http://parsonsisconsulting.blogspot.com/
> http://www.vimeo.com/8939668
> http://twitter.com/parsonsmatt
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> 
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
-- 
  peter
  peterparker at fastmail.fm


