In my travels, the usage of threat modeling occurs whenever a security
resource is assigned to an application development project. This peaked
several years ago and now is on the decline as the trend of software
development going offshore makes it more challenging to either get a
security resource assigned to the project and/or developers wanting to
improve the quality of their deliverable and just focusing on delivering
as fast as possible.



-----Original Message-----
From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of AF
Sent: Wednesday, May 12, 2010 7:50 PM
To: sc-l@securecoding.org
Subject: Re: [SC-L] [WEB SECURITY] Are people using Threat modeling?


Yes. I mostly do TM by myself when conducting pentests. It helps me
identify critical scenarios and keep some business orientation when I
don't catch up with flashy SQL injections. TM also adds some business
orientation to the test and gives real "field" insight to non-technical
people (usually, those who pay) about what's at stake.

Some clients (2, actually) recently started showing interest in
working on building threat models before the coding phase. That's cool.
Late, but cool.

Now concerning the tools:
- 2 hours meeting with some guys from the business, a developer and the
application business owner
- I ask questions, they answer them, I take notes

If it helps...

Antonio


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________