Secure Coding mailing list archives
[WEB SECURITY] Are people using Threat modeling?
From: securecoding at nxtg.net (AF)
Date: Thu, 13 May 2010 01:49:52 +0200
Yes. I mostly do TM by myself when conducting pentests. It helps me identify critical scenarios and keep some business orientation when I don't catch up with flashy SQL injections. TM also adds some business orientation to the test and gives real "field" insight to non-technical people (usually, those who pay) about what's at stake.

Some clients (2... actually) recently started showing interest in working on building threat models before the coding phase. That's cool. Late, but cool.

Now concerning the tools:
- 2-hour meeting with some guys from the business, a developer and the application business owner
- I ask questions, they answer them, I take notes

If it helps...

Antonio
________________________________________
From: Matt Parsons [mparsons1980 at gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; OWASPDallas at utdallas.edu; SC-L at securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?

Are people using threat modeling for their clients? I just started having an interest in it with my clients and it is amazing what you find with threat modeling. I have been using the Microsoft Threat Analysis tool. What other tools are people using?

Thanks,
Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1980 at gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt