[SC-L] [WEB SECURITY] Are people using Threat modeling?
McGovern, James F. (P+C Technology)
James.McGovern at thehartford.com
Thu May 13 09:41:45 EDT 2010
In my travels, the usage of threat modeling occurs whenever a security
resource is assigned to an application development project. This peaked
several years ago and is now on the decline, as the trend of software
development going offshore makes it more challenging either to get a
security resource assigned to the project and/or to find developers wanting to
improve the quality of their deliverable rather than just focusing on delivering
as fast as possible.
-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of AF
Sent: Wednesday, May 12, 2010 7:50 PM
To: sc-l at securecoding.org
Subject: Re: [SC-L] [WEB SECURITY] Are people using Threat modeling?
Yes. I mostly do TM by myself when conducting pentests. It helps me
identify critical scenarios and keep some business orientation when I
don't catch up with flashy SQL injections. TM also adds some business
orientation to the test and gives real "field" insight to non-technical
people (usually, those who pay) about what's at stake.
Some clients (2, actually) recently started showing interest in
working on building threat models before the coding phase. That's cool.
Late, but cool.
Now concerning the tools:
- a 2-hour meeting with some guys from the business, a developer and the
application business owner
- I ask questions, they answer them, I take notes
If it helps...
Antonio