We work in a field populated by brilliant people.  But, like any field, it is also populated by charlatans.  I’m not trying to name call, but when I see a flagrant Security Development Lifecycle violation such as information disclosure of Personally Identifiable Information across a machine and trust boundary, I get upset.  At first I get mad and then I get sad.  It makes us all look bad.  It makes us all look like we don’t know what we are doing.  It hurts the people whose information is disclosed, it hurts companies, it hurts livelihoods, it hurts the entire ecosystem in which we all live.

I will make it simple …

If you are designing, architecting, developing or delivering software and you do not use Threat Modeling to understand what the security risks in your application are, you are committing malpractice.  If you are not using Penetration Testing, you are committing malpractice.

There are so many resources out there, so many tools out there, that there is absolutely no excuse other than ignorance or incompetence.  It would have been so simple to model that information disclosure threat.  Even the simplest model will expose it …

[image: data flow diagram of a mobile device requesting data from a service across machine and trust boundaries]

That’s as simple as they get.  A mobile device requests some data from a service across machine and trust boundaries.  The FREE TOOL (well, you need Visio) will tell you all about information disclosure …

[image: tool output listing the information disclosure threats for the model]

As well as all the other threat types associated with each and every element in your model, like Spoofing.  It will also let you plan out impacts and solutions.  It will even generate reports on which threats are still outstanding and need to be addressed.

[image: report of outstanding threats]
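To make concrete what the tool does with the diagram above, here is an added example (not code from this post or from the SDL Threat Modeling Tool) that applies STRIDE-per-element to the same tiny model: a mobile device, a service, and the two data flows between them crossing a machine and trust boundary. The element kinds, the STRIDE-per-element mapping (the commonly published SDL table, restated here as an assumption), the priority rule for PII crossing a trust boundary, and the mitigation bookkeeping are all assumptions made for the illustration.

```python
"""STRIDE-per-element enumeration over a minimal data flow diagram.

Added illustration: the element kinds, STRIDE mapping, priority rule and
report format are assumptions, not the SDL Threat Modeling Tool's logic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories apply to each kind of DFD element
# (assumed mapping, following the commonly published SDL table).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                           # key into APPLICABLE
    crosses_trust_boundary: bool = False
    carries_pii: bool = False


@dataclass
class Threat:
    element: str
    category: str
    priority: str
    mitigation: Optional[str] = None    # None means still outstanding

    @property
    def outstanding(self) -> bool:
        return self.mitigation is None


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Generate one Threat per (element, applicable STRIDE category)."""
    threats = []
    for e in elements:
        for code in APPLICABLE[e.kind]:
            if e.crosses_trust_boundary and code == "I" and e.carries_pii:
                # PII leaving the trust boundary: the headline risk of the post.
                priority = "high"
            elif e.crosses_trust_boundary:
                priority = "medium"
            else:
                priority = "low"
            threats.append(Threat(e.name, STRIDE[code], priority))
    return threats


def outstanding_report(threats: List[Threat]) -> List[Tuple[str, str, str]]:
    """The 'what is still unaddressed' report, sorted for stable output."""
    return sorted((t.element, t.category, t.priority)
                  for t in threats if t.outstanding)


def build_model() -> List[Element]:
    """Constructed sample model: the mobile-to-service diagram from the post."""
    return [
        Element("Mobile device", "external_entity"),
        Element("Service", "process"),
        Element("Request: mobile -> service", "data_flow",
                crosses_trust_boundary=True),
        Element("Response: service -> mobile", "data_flow",
                crosses_trust_boundary=True, carries_pii=True),
    ]


def demo() -> List[Tuple[str, str, str]]:
    """Enumerate, record one designed-in mitigation, and report the rest."""
    threats = enumerate_threats(build_model())
    for t in threats:
        if t.element.startswith("Request") and t.category == "Tampering":
            t.mitigation = "TLS with certificate validation"  # assumed control
    return outstanding_report(threats)


if __name__ == "__main__":
    for element, category, priority in demo():
        print(f"[{priority:6}] {element}: {category}")
```

Running it lists thirteen outstanding threats, with the information disclosure threat on the PII-carrying response flow ranked high; the single mitigated threat drops out of the report, which is exactly the bookkeeping the tool's outstanding-threat report provides.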

You don’t have to be a security expert, but security is everyone’s responsibility from designer to developer to architect to tester.  Remember that.  Don’t be a charlatan.  Take your craft seriously.  Please.  If you don’t, you make us all look bad.