Secure Coding mailing list archives

[WEB SECURITY] Are people using Threat modeling?

From: securecoding at nxtg.net (AF)
Date: Thu, 13 May 2010 01:49:52 +0200


Yes. I mostly do TM by myself when conducting pentests. It helps me identify
critical scenarios and keep some business orientation when I don't catch 
up with
flashy sql injections. TM also adds some business orientation to the 
test and gives
real "field" insight to non-technical people (usually, those who pay) 
about what's
at stake.

Some clients (2 ...actually) recently started showing interest in 
working on building
threat models before the coding phase. That's cool. Late, but cool.

Now concerning the tools:
- 2 hours meeting with some guys from the business, a developer and the 
application
business owner
- I ask questions, they answer them, I take notes

If it helps...

Antonio

________________________________________
From: Matt Parsons [mparsons1980 at gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; OWASPDallas at utdallas.edu; SC-L at securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?

Are people using threat modeling for their clients?  I just started having an interest in it with my clients and it 
is amazing on what you find with threat modeling.   I have been using the Microsoft Threat Analysis tool.   What 
other tools are people using?
Thanks,
Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1980 at gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt

[cid:image001.jpg at 01CAF0FD.96DE65B0]

[cid:image002.jpg at 01CAF0FD.96DE65B0]

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

Current thread:

Are people using Threat modeling? Matt Parsons (May 11)
- [WEB SECURITY] Are people using Threat modeling? Romain Gaucher (May 11)
  - [WEB SECURITY] Are people using Threat modeling? Gary McGraw (May 12)
  - [WEB SECURITY] Are people using Threat modeling? AF (May 12)
    - [WEB SECURITY] Are people using Threat modeling? Bret Watson (May 13)
    - [WEB SECURITY] Are people using Threat modeling? McGovern, James F. (P+C Technology) (May 13)