At Microsoft, we have been using various forms of threat modeling for years now, and we're always learning new ways to improve the process. By "improve" I mean making the process faster, a more efficient use of time, and easier to understand. Heading this effort is Adam Shostack, and over the last few weeks he has written some blog posts about where we're heading with the process...
You can read his articles over on the SDL blog:
- The Trouble with Threat Modeling
- The New Threat Modeling Process
- Getting into the Flow With Threat Modeling
Feel free to ask questions or post comments.