I started Transvasive Security in 2008 and offered consulting services until taking a full time job in 2012. This site is an archive of my work prior to 2015; I currently blog at information-safety.org and provide security consulting through my new company, Security Differently.
Recently, I read and commented on a series of posts at The New School
blog: Threat Modeling Fails In Practice,
On Threat Modeling,
and Yet More On Threat Modeling: A Mini-Rant.
After reading both sides of the argument, I concluded that while threat modeling
can be helpful, we need to find a better way that doesn't require us
to brainstorm. Imagining the threats begets imaginary threats. I
strongly believe that because of our cognitive errors in estimating
risk, brainstorming threats is a mistake, and will inevitably lead to
guessing what the threats will be, guesses that are at best only
slightly better than random chance.
To that end, I believe that some of my recent work in Behavioral
Security Modeling (BSM) may be part of the solution. Threat modeling
needs to be deconstructed and integrated directly into the software
development life cycle (SDLC). Some of the benefits provided by threat
modeling in general, and
STRIDE
specifically include identifying missing requirements and potential
quality/safety issues, something that BSM is designed to help with, and
I’ve got some ideas on how to address the other elements.
Work is slowly progressing on the BSM white paper that I am using to
develop and refine the ideas from my original Behavioral Security Modeling presentation, and
I've enlisted a collaborator with strong application development
experience. We've already discussed threat modeling, and if it's not
directly addressed in our white paper or the presentation (we'll be
speaking at Secure 360!), it
certainly will be in the framework we're building behind the scenes.
I spoke yesterday at the local (Minnesota) chapter of
ISSA, as a last-minute replacement for David
Bryan. I want to thank MN ISSA for the opportunity to speak, I thought
the talk generated some good discussion. Here are the slides from the
talk; they're an updated version of what I posted in June.
I also want to thank Kevin Flanagan from RSA for his excellent talk on
the RSA breach. For me, it served as a reminder on the critical security
controls needed to protect against attacks, both sophisticated and
unsophisticated. It was telling that most of the things on his summary
of critical security controls were already in existence 10 years ago.
Update: while the video is no longer available on Vimeo, two copies
are available on YouTube, here
and here.
OWASP has posted video from my
talk at AppSec USA
2011. I haven't yet built up the nerve to
watch it (who likes to watch themselves?), so I can't say how good
it is, but hopefully it is interesting and informative. Update: it
seems the video is just slides & audio – which is probably a good
thing. Second Update: I’ve been told I do appear in the video – I
probably should watch more of it before updating.
I encourage you to peruse the talks list and watch the talks you may
have missed (if you were able to attend), or anything that looks
interesting (if you were not). This was my first experience with OWASP,
and I have to say I was impressed by both the openness and the
professionalism. Thanks to everyone in OWASP MSP who helped make AppSec
2011 a great success!