[SC-L] [WEB SECURITY] Are people using Threat modeling?
AF
securecoding at nxtg.net
Wed May 12 19:49:52 EDT 2010
Yes. I mostly do TM by myself when conducting pentests. It helps me identify
critical scenarios and keep some business orientation when I don't catch up with
flashy SQL injections. TM also adds some business orientation to the test and gives
real "field" insight to non-technical people (usually, those who pay) about what's
at stake.
Some clients (2, actually) recently started showing interest in working on building
threat models before the coding phase. That's cool. Late, but cool.
Now concerning the tools:
- a 2-hour meeting with some guys from the business, a developer and the application
  business owner
- I ask questions, they answer them, I take notes
If it helps...
Antonio
> ________________________________________
> From: Matt Parsons [mparsons1980 at gmail.com]
> Sent: Tuesday, May 11, 2010 12:32 PM
> To: 'Webappsec Group'; OWASPDallas at utdallas.edu; SC-L at securecoding.org
> Subject: [WEB SECURITY] Are people using Threat modeling?
>
> Are people using threat modeling for their clients? I just started having an interest in it with my clients and it is amazing on what you find with threat modeling. I have been using the Microsoft Threat Analysis tool. What other tools are people using?
> Thanks,
> Matt
>
>
> Matt Parsons, MSM, CISSP
> 315-559-3588 Blackberry
> 817-294-3789 Home office
> "Do Good and Fear No Man"
> Fort Worth, Texas
> A.K.A The Keyboard Cowboy
> mailto:mparsons1980 at gmail.com
> http://www.parsonsisconsulting.com
> http://www.o2-ounceopen.com/o2-power-users/
> http://www.linkedin.com/in/parsonsconsulting
> http://parsonsisconsulting.blogspot.com/
> http://www.vimeo.com/8939668
> http://twitter.com/parsonsmatt
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________
>