Re: [SC-L] [WEB SECURITY] Are people using Threat modeling?

2010-05-12 Thread Gary McGraw
hi matt,

In BSIMM2 (which launched today), there are some real data under the 
"Architecture Analysis" practice which show exactly how common (or not) 10 
threat modeling activities are in our population of 30 firms.  For the actual 
data, see
http://bsimm2.com/facts/ (or better yet, download BSIMM2 for the complete 
treatment).

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On 5/11/10 2:15 PM, "Romain Gaucher" wrote:

Yes, "we" use Threat Modeling a lot. In fact, I believe it's one of the best 
tools to conduct an efficient assessment of an application.
After, there might be no need to use tools like MS TM, but a white board and 
a few hours are fine (largely correlated with the size of the apps, the scope of 
the assessment and the complexity of the architecture).
I found TM also very useful to decide which assessment framework to use (how 
much time should be used on pen-test, how much on fuzzing, how much on code 
review, etc.); no need to say though that the main problem with TM is that you 
almost need to be an expert to run it (unless you use the MS card game -- which 
I'd love to get ;)

Romain,
  Sr. consultant, Cigital | @rgaucher


From: Matt Parsons [mparsons1...@gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; owaspdal...@utdallas.edu; SC-L@securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?

Are people using threat modeling for their clients?  I just started having an 
interest in it with my clients and it is amazing what you find with threat 
modeling.  I have been using the Microsoft Threat Analysis tool.  What other 
tools are people using?
Thanks,
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___




Re: [SC-L] BSIMM2 (as seen on informIT)

2010-05-12 Thread Gary McGraw
hi sc-l,

Nice night for the data center to crash at informIT!

The BSIMM2 document itself is 53 pages.  A concise treatment of the results can 
be found in this month's informIT column in an article titled "BSIMM2: 
Measuring the Emergence of a Software Security Community":


Sorry for the delay.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

MUSIC http://www.amazon.com/dp/B003JPNV1I/?tag=lastfmmp3-20



On 5/12/10 8:53 AM, "gem" wrote:

hi sc-l,

In March 2009 we announced the publication of the BSIMM---a measuring stick for 
software security.  We're pleased today to announce the publication of BSIMM2.  
We have tripled the size of the data set to thirty firms, including: Adobe, 
Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation 
(DTCC), EMC, Google, Intel, Intuit, Microsoft, Nokia, QUALCOMM, Sallie Mae, 
Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, and 
Wells Fargo.

BSIMM2 is available for free under the creative commons license from 
.  Download your copy today.

The BSIMM2 document itself is 53 pages.  A concise treatment of the results can 
be found on the BSIMM2 web page under the "facts" tag: 


Our study represents the work of 635 people who are members of the 30 firms' 
SSGs.  Together, the firms have a collective 130 years of experience planning 
and executing 30 software security initiatives.  Among other results, we have 
identified 15 core BSIMM activities.

We think the descriptive nature of the BSIMM study is an important 
characteristic of the work.  We describe not what you should do for software 
security, but what successful software security initiatives are actually doing. 
 Use BSIMM2 to measure your own software security initiative and compare it to 
others.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

MUSIC http://www.amazon.com/dp/B003JPNV1I/?tag=lastfmmp3-20





[SC-L] BSIMM2

2010-05-12 Thread Gary McGraw
hi sc-l,

In March 2009 we announced the publication of the BSIMM---a measuring stick for 
software security.  We're pleased today to announce the publication of BSIMM2.  
We have tripled the size of the data set to thirty firms, including: Adobe, 
Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation 
(DTCC), EMC, Google, Intel, Intuit, Microsoft, Nokia, QUALCOMM, Sallie Mae, 
Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, and 
Wells Fargo.

BSIMM2 is available for free under the creative commons license from 
.  Download your copy today.

The BSIMM2 document itself is 53 pages.  A concise treatment of the results can 
be found on the BSIMM2 web page under the "facts" tag: 


Our study represents the work of 635 people who are members of the 30 firms' 
SSGs.  Together, the firms have a collective 130 years of experience planning 
and executing 30 software security initiatives.  Among other results, we have 
identified 15 core BSIMM activities.

We think the descriptive nature of the BSIMM study is an important 
characteristic of the work.  We describe not what you should do for software 
security, but what successful software security initiatives are actually doing. 
 Use BSIMM2 to measure your own software security initiative and compare it to 
others.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

MUSIC http://www.amazon.com/dp/B003JPNV1I/?tag=lastfmmp3-20



Re: [SC-L] [WEB SECURITY] Are people using Threat modeling?

2010-05-12 Thread Romain Gaucher
Yes, "we" use Threat Modeling a lot. In fact, I believe it's one of the best 
tools to conduct an efficient assessment of an application.
After, there might be no need to use tools like MS TM, but a white board and 
a few hours are fine (largely correlated with the size of the apps, the scope of 
the assessment and the complexity of the architecture).
I found TM also very useful to decide which assessment framework to use (how 
much time should be used on pen-test, how much on fuzzing, how much on code 
review, etc.); no need to say though that the main problem with TM is that you 
almost need to be an expert to run it (unless you use the MS card game -- which 
I'd love to get ;)

Romain,
  Sr. consultant, Cigital | @rgaucher


From: Matt Parsons [mparsons1...@gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; owaspdal...@utdallas.edu; SC-L@securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?

Are people using threat modeling for their clients?  I just started having an 
interest in it with my clients and it is amazing what you find with threat 
modeling.  I have been using the Microsoft Threat Analysis tool.  What other 
tools are people using?
Thanks,
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt





[SC-L] Are people using Threat modeling?

2010-05-12 Thread Matt Parsons
Are people using threat modeling for their clients?  I just started having
an interest in it with my clients and it is amazing what you find with
threat modeling.  I have been using the Microsoft Threat Analysis tool.
What other tools are people using?

Thanks,

Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt




[SC-L] final reminder: W2SP 2010: Web 2.0 Security and Privacy 2010

2010-05-12 Thread Larry Koved
A final reminder...

W2SP 2010: Web 2.0 Security and Privacy 2010

Thursday, May 20
The Claremont Resort, Oakland, California
Web site: http://w2spconf.com/2010


The workshop chairs would like to invite you to attend the 4th annual 
workshop on Web 2.0 Security and Privacy.  Started in 2007, this successful 
series of workshops has attracted participation from both academia and 
industry, and participants from around the world.  This workshop is held 
in conjunction with the 2010 IEEE Symposium on Security and Privacy.

The goal of this one day workshop is to bring together researchers and
practitioners from academia and industry to focus on understanding Web
2.0 security and privacy issues, and establishing new collaborations
in these areas.

This year's keynote speaker is Jeremiah Grossman, founder and CTO, 
WhiteHat Security.

Workshop registration is *still open* at 
http://www.regonline.com/Checkin.asp?EventId=810837

(Note that the IEEE Symposium on Security & Privacy registration is sold 
out.)