I met with Anil John today since he’s in town for the 2007 MVP Global Summit. I always like talking with Anil because he asks the tough questions, he has thoughtful feedback and he keeps things real.
Anil’s first question for me was why there are three different threat modeling approaches (SWI, ACE, and patterns & practices). This was easy for me, since I used to get asked this fairly regularly. Rather than focus on the implementation deltas, I focused on the context that shaped them. SWI threat modeling was born among our Microsoft product teams. ACE threat modeling was born among our internal line of business applications. patterns & practices threat modeling was born among an external set of customers, dominantly corporate line of business applications and vetted by some agile practitioners. They all work, so the trick is to figure out which one fits your scenario best.
Next, I shared my secrets for project management and personal effectiveness. It was nice to be able to finally walk Anil through some real examples and use the whiteboard as needed. Some concepts are easier to show and tell than they are to write about in a way that sticks. (That doesn’t keep me from trying!)
Over lunch, we reflected on career paths and stories. One point that really hit home was how small the world really is. We both noted that throughout our paths, there’s always been a set of people that tend to show up time and again. One more reminder, not to burn bridges!