[WEB SECURITY] Are people using Threat modeling?

[gem at cigital.com (Gary McGraw)]

hi matt,

In BSIMM2 (which launched today), there are some real data under the "Architecture Analysis" practice which show 
exactly how common (or not) 10 threat modeling activities are in our population of 30 firms.  For the actual data, see
http://bsimm2.com/facts/ (or better yet, download BSIMM2 for the complete treatment).

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On 5/11/10 2:15 PM, "Romain Gaucher" <rgaucher at cigital.com> wrote:

Yes, "we" use Threat Modeling a lot. In fact, I believe it's one of the best tool to conduct an efficient assessment of 
an application.
After, there might be no need to use tools like MS TM, but a white board and few hours are fine (largely correlated 
with the size of the apps, the scope of the assessment and the complexity of the architecture).
I found TM also very useful to decide which assessment framework to use (how much time should be used on pen-test, how 
much on fuzzing, how much on code review, etc.); no need to say though that the main problem with TM is that you almost 
need to be an expert to run it (unless you use the MS card game -- which I'd love to get ;)

Romain,
  Sr. consultant, Cigital | @rgaucher

________________________________________
From: Matt Parsons [mparsons1980 at gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; OWASPDallas at utdallas.edu; SC-L at securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?

Are people using threat modeling for their clients?  I just started having an interest in it with my clients and it is 
amazing on what you find with threat modeling.   I have been using the Microsoft Threat Analysis tool.   What other 
tools are people using?
Thanks,
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1980 at gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt


[cid:image001.jpg at 01CAF0FD.96DE65B0]

[cid:image002.jpg at 01CAF0FD.96DE65B0]








_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________