[Owasp-dotnet] Microsoft PAG Threat Modeling Guide
Anil John
Editor at SecureCoder.com
Tue May 17 23:48:43 EDT 2005
Guys,
You may find this of interest...
Regards,
- Anil
------------------------------------------------------------------------
-- <http://www.securecoder.com/blog/> http://www.SecureCoder.com/blog/
-- Architecture / Integration / Security
------------------------------------------------------------------------
http://www.securecoder.com/blog/PAGThreatModelingGuideIsNowLive.aspx
The Microsoft Patterns & Practices folks have released an updated Security Guidance regarding Threat Modeling for Web Applications (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/tmwa.asp). The Threat Modeling process as defined here is context-relevant (i.e., the threat model for a Web App is going to be different from a Win Forms application) as well as a more iterative process.
The iterative threat modeling process as defined here consists of:
* Step 1: Identify security objectives. Clear objectives help you to focus the threat modeling activity and determine how much effort to spend on subsequent steps.
* Step 2: Create an application overview. Itemizing your application's important characteristics and actors helps you to identify relevant threats during step 4.
* Step 3: Decompose your application. A detailed understanding of the mechanics of your application makes it easier for you to uncover more relevant and more detailed threats.
* Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to your application scenario and context.
* Step 5: Identify vulnerabilities. Review the layers of your application to identify weaknesses related to your threats. Use vulnerability categories to help you focus on those areas where mistakes are most often made.
Beyond the above there are also Templates that can quickly get you started, a web application security frame that uses categories to organize security vulnerabilities, as well as Tool integration with the Visual Studio Team System.
In short, this is a great piece of work by the same folks who brought you "Improving Web Applications Security", "Perf & Scale" and more (Way to go J.D!)
I was fortunate enough to have the opportunity to contribute to this work as well as act as an external reviewer. Because of that experience, I believe that this particular work will make Threat Modeling much more approachable and understandable to the people who really need to utilize Threat Modeling: the developers in the trenches.
Check it out for yourself: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/tmwa.asp