Yes. I mostly do TM by myself when conducting pentests. It helps me identify
critical scenarios and keep some business orientation when I don't catch
up with
flashy sql injections. TM also adds some business orientation to the
test and gives
real "field" insight to non-technical people (usually, those who pay)
about what's
at stake.
Some clients (2 ...actually) recently started showing interest in
working on building
threat models before the coding phase. That's cool. Late, but cool.
Now concerning the tools:
- 2 hours meeting with some guys from the business, a developer and the
application
business owner
- I ask questions, they answer them, I take notes
If it helps...
Antonio
________________________________________
From: Matt Parsons [mparsons1...@gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; owaspdal...@utdallas.edu; SC-L@securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?
Are people using threat modeling for their clients? I just started having an
interest in it with my clients and it is amazing on what you find with threat
modeling. I have been using the Microsoft Threat Analysis tool. What other
tools are people using?
Thanks,
Matt
Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt
[cid:image001.jpg@01CAF0FD.96DE65B0]
[cid:image002.jpg@01CAF0FD.96DE65B0]
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________