WebApp Sec mailing list archives

RE: [BAD-DATE] Threat Modeling


From: "Arian J. Evans" <arian () anachronic com>
Date: Thu, 25 Nov 2004 17:50:29 -0600

Wow, this is an old thread, but I don't remember anyone passing this link
at the time:

MS Threat Modeling Resource Center:
http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx

and their free tool:
http://www.microsoft.com/downloads/details.aspx?familyid=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en

As for OCTAVE, yes, we work with it a lot at my workplace.

I for one am not a fan of targeting and prioritization in this fashion
due to the experience that it simply doesn't work. A number of the
biggest holes I've found have been ones that would have been missed
following a model like OCTAVE. (referring to general pen testing here.)

What is your question here? Do we need an OCTAVE thread?

Arian


-----Original Message-----
From: D. Hohn [mailto:dmalloc () users sourceforge net]
Sent: Wednesday, May 19, 2004 12:48 AM
To: Mark Curphey
Cc: webappsec () securityfocus com
Subject: Re: [BAD-DATE] Threat Modeling


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Mark Curphey wrote:
| Does anyone have any experience with the OCTAVE threat modeling methodology
| from CMU?

