Threat Modeling Again, Pulling the threat model together

MSDN Blog Postings » Threat Modeling Again, Pulling the threat model together

MSDN Blog Postings » Threat Modeling Again, Pulling the threat model together — Fri, 14 Sep 2007 20:14:50 GMT

PingBack from http://msdnrss.thecoderblogs.com/2007/09/14/threat-modeling-again-pulling-the-threat-model-together/

re: Threat Modeling Again, Pulling the threat model together

Dennis E. Hamilton — Sat, 15 Sep 2007 00:41:56 GMT

Awesome description of the objective as artifact and as actionables: "If you're not going to follow through on the process and ensure that the threats that you identified are mitigated, then [you're] just wasting your time doing the threat model."

You threw me at first, since some mitigations involve identification of contingency procedures (that is, what is worked out for the eventuality of an occurence, not only what is done up front to limit the consequences, reduce the hazard, etc.), similar to mitigation in risk analysis. I can see how, generally, what you'd have to do in the case of an embedded feature like PlaySound is close the door. Shut. Now.

I'll be seeing if you have any other kind of mitigation in your PlaySound model, although I can imagine that they all turn into black-and-white here's the defect report, here's the repair-confirmation test requirement, etc.

I think bug reports for carrying and tracking the actionables is outstanding. "Wow," I said, "oh duhh, Dennis (slaps forehead on desk)."

Great series.

re: Threat Modeling Again, Pulling the threat model together

stefan demetz — Sat, 15 Sep 2007 02:40:41 GMT

what I always wondered is why there are no mitigation (runnable scripts) when a security patch is issued

the SDL is excellent, but without quickfix mitigation (scripts) SDL is useless when there are bugs, sort of like a transaction without rollback or compensation mechanism

my dream would be Windows shutting down stuff and lock it after x time of no usage (be it port, service or feature)

re: Threat Modeling Again, Pulling the threat model together

LarryOsterman — Sat, 15 Sep 2007 10:00:11 GMT

stefan, I guess I'm confused as to what you're looking for.

The threat modeling process works BEFORE the security patches happen and is a mechanism to avoid them. If someone has to issue a security patch, it's an indication that the threat modeling process has broken down (I have a couple of posts for later in the series about how that can happen).

re: Threat Modeling Again, Pulling the threat model together

Erwin Alva — Sat, 15 Sep 2007 23:38:12 GMT

All I need to know about threat modeling I learned from Larry Osterman. Thanks a lot for the series.

Some final thoughts on Threat Modeling...

Larry Osterman's WebLog — Mon, 01 Oct 2007 19:54:17 GMT

I want to wrap up the threat modeling posts with a summary and some comments on the entire process. Yeah,

re: Threat Modeling Again, Pulling the threat model together

stefan demetz — Tue, 02 Oct 2007 15:54:55 GMT

Larry,

I do acknowledge the fact that the threat modelling works BEFORE the patches.

IIS 6 and SQL 2005 show that SDL works as they are immensely better (more secure) than their competitors.

I was only pointing out there should be a way to mitigate security bugs as they are found; ie as the threat modelling process identifies areas (entry points) where security bugs are likely to happen, an extension to the process itself *could* also be to develop a possible mitigation or lockdown of an area in form of a script, GPO, registry value which could be applied by a syadmin as soon as a vulnerability is discovered.

Wrapping up Threat Modeling

The Security Development Lifecycle — Fri, 15 Feb 2008 00:52:20 GMT

One of the critiques of the threat modeling blog posts process is that it can seem interminable. And

Wrapping up Threat Modeling

Noticias externas — Fri, 15 Feb 2008 02:14:30 GMT

One of the critiques of the threat modeling blog posts process is that it can seem interminable. And