[WEB SECURITY] Are people using Threat modeling?

[rgaucher at cigital.com (Romain Gaucher)]

Yes, "we" use Threat Modeling a lot. In fact, I believe it's one of the best tool to conduct an efficient assessment of 
an application.
After, there might be no need to use tools like MS TM, but a white board and few hours are fine (largely correlated 
with the size of the apps, the scope of the assessment and the complexity of the architecture).
I found TM also very useful to decide which assessment framework to use (how much time should be used on pen-test, how 
much on fuzzing, how much on code review, etc.); no need to say though that the main problem with TM is that you almost 
need to be an expert to run it (unless you use the MS card game -- which I'd love to get ;)

Romain,
  Sr. consultant, Cigital | @rgaucher

________________________________________
From: Matt Parsons [mparsons1980 at gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; OWASPDallas at utdallas.edu; SC-L at securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?

Are people using threat modeling for their clients?  I just started having an interest in it with my clients and it is 
amazing on what you find with threat modeling.   I have been using the Microsoft Threat Analysis tool.   What other 
tools are people using?
Thanks,
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1980 at gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt


[cid:image001.jpg at 01CAF0FD.96DE65B0]

[cid:image002.jpg at 01CAF0FD.96DE65B0]