WebApp Sec mailing list archives
RE: [BAD-DATE] Threat Modeling
From: "Arian J. Evans" <arian () anachronic com>
Date: Thu, 25 Nov 2004 17:50:29 -0600
Wow, this is an old thread, but I don't remember anyone passing this link at the time:

MS Threat Modeling Resource Center:
http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx

and their free tool:
http://www.microsoft.com/downloads/details.aspx?familyid=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en

As for OCTAVE, yes, we work with it a lot at my workplace. I for one am not a fan of targeting and prioritization in this fashion due to the experience that it simply doesn't work. A number of the biggest holes I've found have been ones that would have been missed following a model like OCTAVE. (referring to general pen testing here.)

What is your question here? Do we need an OCTAVE thread?

Arian

-----Original Message-----
From: D. Hohn [mailto:dmalloc () users sourceforge net]
Sent: Wednesday, May 19, 2004 12:48 AM
To: Mark Curphey
Cc: webappsec () securityfocus com
Subject: Re: [BAD-DATE] Threat Modeling

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Mark Curphey wrote:
| Does anyone have any experience with the OCTAVE threat modeling methodology
| from CMU ?