Search / 15 posts tagged threat modeling

Adam Shostack here. I'm working on a paper about "Experiences Threat Modeling at Microsoft" for an academic workshop on security modeling. I have some content that I think is pretty good, but I realize that I don't know all the questions that readers might have.

I’m finally getting around to finishing my post on minimizing attack surfaces. Here’s Part 1, in case you missed it. First, a quick clarification. I noticed that some of the readers who commented on that first post wanted to talk about improving security through the use of various development methodologies or coding frameworks.

Hi, this week is a post from Michael Howard and Laura Machado de Wright, who both attended and presented at TechEd 2008 in Orlando the week of June 2nd. First up is Laura. I have been a Security Program Manager for the last 3 years, working as a security advisor for a variety of products across Microsoft and the last seven months as a member of the SDL policy team.

What was the first thing you learned about network security? There’s a good chance it had something to do with port scanning. After scanning a few boxes, you realized that modern operating systems have a lot of open ports by default, meaning a lot of services. Some had an obvious purpose, like telnet on tcp/23 or ftp fon tcp/21.

Adam Shostack here. I wanted to share my slides from the recent Layer One conference [link], where I talked about "SDL Threat Modeling: Past, Present and Future." There are a few points that I wanted to emphasize. The first is that I'm talking about threat modeling from the perspective of the SDL.

Several enterprises are increasingly investing time and money in building application security tasks into their existing SDLCs. Some of them have also reached the conclusion that proactive approaches , like threat modeling, have more ROI than reactive approaches.

By Dan Cornell I made it back to the States after the ROOTS conference and wanted to post some comments. It was a great conference with a lot of interesting folks and I was thrilled to have the opportunity to present. On Tuesday, Andre Klingsheim and Lars-Helge Netland gave a great talk on Architectural Risk Analysis.

By Dan Cornell I made it back to the States after the ROOTS conference and wanted to post some comments. It was a great conference with a lot of interesting folks and I was thrilled to have the opportunity to present. On Tuesday, Andre Klingsheim and Lars-Helge Netland gave a great talk on Architectural Risk Analysis.

I will be speaking at the Front Range OWASP Conference (FROCo8) in Denver on June 10th. The focus of the conference to share the experiences that the speakers had around solving technical and management issues surrounding application security.

I will be speaking at the Front Range OWASP Conference (FROCo8) in Denver on June 10th. The focus of the conference to share the experiences that the speakers had around solving technical and management issues surrounding application security.