Secure Coding mailing list archives
[WEB SECURITY] Are people using Threat modeling?
From: James.McGovern at thehartford.com (McGovern, James F. (P+C Technology))
Date: Thu, 13 May 2010 09:41:45 -0400
In my travels, the usage of threat modeling occurs whenever a security resource is assigned to an application development project. This peaked several years ago and now is on the decline as the trend of software development going offshore makes it more challenging to either get a security resource assigned to the project and/or developers wanting to improve the quality of their deliverable and just focusing on delivering as fast as possible.

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of AF
Sent: Wednesday, May 12, 2010 7:50 PM
To: sc-l at securecoding.org
Subject: Re: [SC-L] [WEB SECURITY] Are people using Threat modeling?

Yes. I mostly do TM by myself when conducting pentests. It helps me identify critical scenarios and keep some business orientation when I don't catch up with flashy sql injections. TM also adds some business orientation to the test and gives real "field" insight to non-technical people (usually, those who pay) about what's at stake.

Some clients (2 ...actually) recently started showing interest in working on building threat models before the coding phase. That's cool. Late, but cool.

Now concerning the tools:
- 2 hours meeting with some guys from the business, a developer and the application business owner
- I ask questions, they answer them, I take notes

If it helps...
Antonio