Yes. I mostly do TM by myself when conducting pentests. It helps me identify
critical scenarios and keep some business orientation when I don't catch up with
flashy SQL injections. TM also adds some business orientation to the test and
gives real "field" insight to non-technical people (usually, those who pay) about
what's at stake.

Some clients (2 ...actually) recently started showing interest in working on building
threat models before the coding phase. That's cool. Late, but cool.

Now concerning the tools:
- 2-hour meeting with some guys from the business, a developer and the application
business owner
- I ask questions, they answer them, I take notes

If it helps...

Antonio


________________________________________
From: Matt Parsons [mparsons1...@gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; owaspdal...@utdallas.edu; SC-L@securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?

Are people using threat modeling for their clients? I just started having an
interest in it with my clients and it is amazing what you find with threat
modeling. I have been using the Microsoft Threat Analysis tool. What other
tools are people using?
Thanks,
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________