Transvasive Security

the human factor

I started Transvasive Security in 2008 and offered consulting services until taking a full time job in 2012. This site is an archive of my work prior to 2015; I currently blog at information-safety.org and provide security consulting through my new company, Security Differently.

Threat Modeling

Recently, I read and commented on a series of posts at The New School blog: Threat Modeling Fails In Practice, On Threat Modeling, and Yet More On Threat Modeling: A Mini-Rant. After reading both sides of the argument, I concluded that while threat modeling can be helpful, we need to find a better way that doesn’t require us to brainstorm. Imagining the threats begets imaginary threats. I strongly believe that because of our cognitive errors in estimating risk, brainstorming threats is a mistake, and will inevitably lead to guessing what the threats will be, guesses that are at best only slightly better than random chance.

To that end, I believe that some of my recent work in Behavioral Security Modeling (BSM) may be part of the solution. Threat modeling needs to be deconstructed and integrated directly into the software development life cycle (SDLC). Some of the benefits provided by threat modeling in general, and by STRIDE specifically, include identifying missing requirements and potential quality/safety issues, something that BSM is designed to help with, and I’ve got some ideas on how to address the other elements.

Work is slowly progressing on the BSM white paper that I am using to develop and refine the ideas from my original Behavioral Security Modeling presentation, and I’ve enlisted a collaborator with strong application development experience. We’ve already discussed threat modeling, and if it’s not directly addressed in our white paper or the presentation (we’ll be speaking at Secure 360!), it certainly will be in the framework we’re building behind the scenes.

Introduction to Behavioral Information Security Presentation (updated)

I spoke yesterday at the local (Minnesota) chapter of ISSA, as a last-minute replacement for David Bryan. I want to thank MN ISSA for the opportunity to speak; I thought the talk generated some good discussion. Here are the slides from the talk; they’re an updated version of what I posted in June.

Behavioral Information Security: An Introduction

I also want to thank Kevin Flanagan from RSA for his excellent talk on the RSA breach. For me, it served as a reminder on the critical security controls needed to protect against attacks, both sophisticated and unsophisticated. It was telling that most of the things on his summary of critical security controls were already in existence 10 years ago.

Updated: MN ISSA has posted a video of my talk

Video from AppSec USA 2011 now available

Update: while the video is no longer available on Vimeo, two copies are available on YouTube, here and here.

OWASP has posted video from my talk at AppSec USA 2011. I haven’t yet built up the nerve to watch it (who likes to watch themselves?), so I can’t say how good it is, but hopefully it is interesting and informative. Update: it seems the video is just slides & audio – which is probably a good thing. Second Update: I’ve been told I do appear in the video – I probably should watch more of it before updating.

Behavioral Security Modeling Video

I encourage you to peruse the talks list and watch the talks you may have missed (if you were able to attend), or anything that looks interesting (if you were not). This was my first experience with OWASP, and I have to say I was impressed by both the openness and the professionalism. Thanks to everyone in OWASP MSP who helped make AppSec 2011 a great success!