hi matt,

In BSIMM2 (which launched today), there are some real data under the 
"Architecture Analysis" practice which show exactly how common (or not) 10 
threat modeling activities are in our population of 30 firms.  For the actual 
data, see
http://bsimm2.com/facts/ (or better yet, download BSIMM2 for the complete 
treatment).

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On 5/11/10 2:15 PM, "Romain Gaucher" <rgauc...@cigital.com> wrote:

Yes, "we" use Threat Modeling a lot. In fact, I believe it's one of the best 
tools to conduct an efficient assessment of an application.
After that, there might be no need to use tools like MS TM, but a whiteboard and 
a few hours are fine (largely correlated with the size of the apps, the scope of 
the assessment and the complexity of the architecture).
I found TM also very useful for deciding which assessment framework to use (how 
much time should be spent on pen-test, how much on fuzzing, how much on code 
review, etc.); needless to say, though, the main problem with TM is that you 
almost need to be an expert to run it (unless you use the MS card game -- which 
I'd love to get ;)

Romain,
  Sr. consultant, Cigital | @rgaucher

________________________________________
From: Matt Parsons [mparsons1...@gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; owaspdal...@utdallas.edu; SC-L@securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?

Are people using threat modeling for their clients? I just started having an 
interest in it with my clients and it is amazing what you find with threat 
modeling. I have been using the Microsoft Threat Analysis tool. What other 
tools are people using?
Thanks,
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

