More Threat Modeling at Microsoft

This is another excellent series of posts on threat modeling, this time from Microsoft's Adam Shostack. (I already blogged this series by Larry Osterman.)

Posted on March 19, 2008 at 6:47 AM • 6 Comments

Comments

Dom De Vitto • March 19, 2008 3:51 PM

A tall fence - who would have thought of that !

I guess if a fence-manufacturer could charge millions for consultancy and state-of-the-art chain-link fencing, it would have happened.

However as it's just a few quid at the DIY store, and doesn't involve officials going to foreign 'conferences' in the sun, I guess it'll never happen.

ohnoohtml! • March 19, 2008 9:03 PM

Hey,

At a quick glance, it's kinda hard to tell that "of" and "posts" link to two different articles; the underline flows through the space between the words; you simply forgot to close the

A simple "" should fix it. ;)

Thanks for the links, and the kickass blog!

Michael Cloppert • March 20, 2008 12:29 AM

I tend to agree with Richard Bejtlich - Microsoft still doesn't have their terminology right. Threat modeling has nothing to do with threats, but rather vulnerabilities (http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html).

I'm also unimpressed with this series, and frustrated that it contributes to confusion over important terms that we should - by this day and age - all be in agreement upon within our profession. It's already difficult to communicate complex security issues to management. When mixed signals are sent on key terms, we do ourselves no favors.

Lawrence D'Oliveiro • March 22, 2008 6:12 PM

I wonder, though. Microsoft has a lot of people who are individually very smart, but I can't help thinking that, collectively, a lot of that smartness tends to cancel out, so that, as a body, the company ends up doing stupid things.

For instance, Mark Russinovich posted a long description of all the effort that went into speeding up file copying in Windows Vista. He's a smart guy--he was with the Sysinternals outfit that Microsoft bought. And yet we still have people complaining about how slow file-copying is in Vista.

Sitaram • April 3, 2008 4:37 AM

@Michael Cloppert:

[this is a humorous aside, not really related to security]

About 10 years ago MS created a business strategy or something (i.e., not an actual product), and called it "Digital Nervous System", DNS for short. IIRC all the URLs had "dns" in there. Ads for it appeared in magazines like Life and Time (I remember reading one in a doctor's waiting room once).

I sometimes wonder why they "invented" a non-product, hyped it in glossy magazines, and gave it that particular abbreviation.

I know what, for instance, my dad (decidedly non-techie) would have thought if he'd seen it: "hmm, I know this thing called DNS is very important to the internet, but I didn't know Microsoft made it. Wow..."

:-)
