High ROI Security Activities

You can create effective security activities based on the high ROI engineering activities:

- Security design guidelines
- Security architecture and design review
- Security code review
- Security testing
- Security deployment review

Rather than interspersing security in your existing activities, factor security into its own set of activities. Factoring security into its own workstream of quality control keeps…


Security Approaches That Don’t Work

If it’s not broken, then don’t fix it … The problem is, you may have an approach that isn’t working, or it’s not as efficient as it could be, but you may not even know it.  Let’s take a quick look at some broken approaches and get to the bottom of why they fail.  If…


Context Precision

A Web application is not a component is not a desktop application is not a Web service. If I gave you an approach to threat model a Web application, you can probably stretch the rubber band to fit Web services too. You could probably even bend it to work for components or mobile applications. The…


Threat Modeling Terms and How To Use Them

I see a lot of confusion over terms when it comes to threat modeling. The terms matter because they shape focus. For example, if you confuse threats with attacks, you’ve limited what you’re looking for. These are the terms we used when we created our How To Threat Model Web Applications: Asset. An asset is…
