Yes, "we" use Threat Modeling a lot. In fact, I believe it's one of the best tools to conduct an efficient assessment of an application. Afterwards, there might be no need to use tools like MS TM; a whiteboard and a few hours are fine (largely correlated with the size of the app, the scope of the assessment and the complexity of the architecture). I found TM also very useful to decide which assessment framework to use (how much time should be spent on pen-test, how much on fuzzing, how much on code review, etc.); no need to say, though, that the main problem with TM is that you almost need to be an expert to run it (unless you use the MS card game -- which I'd love to get ;)
Romain, Sr. consultant, Cigital | @rgaucher

________________________________________
From: Matt Parsons [mparsons1...@gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; owaspdal...@utdallas.edu; SC-L@securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?

Are people using threat modeling for their clients? I just started having an interest in it with my clients and it is amazing what you find with threat modeling. I have been using the Microsoft Threat Analysis tool. What other tools are people using?

Thanks,
Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A. The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________