Microsoft Threat Analysis & Modeling 2.0

Wed 1 Mar 2006

Just back from tonight’s Microsoft Security Interchange event in Brisbane.

From a developer’s point of view, one of the key takeaway ideas was Rocky Heckman’s brief demo of Microsoft Threat Analysis & Modeling 2.0, currently in beta. This tool will definitely make it easier for developers to build more secure applications.

It’s a real pest when you discover a new security threat half-way through implementation and have to go back and re-jig the design. This hurts especially when you have honestly tried to identify all threats early in the design stage. On his own, a typical developer, not being a full-time security expert, might identify, say, 5 threats in a new application. This tool will typically show up another 25 threats and provide examples of how to deal with them.

Watch out for the release of this on March 7. More details at the Microsoft Application Threat Modeling blog.

Steve Riley gave a great presentation on Threat Assessment and introduced us to the concept of “deperimeterization”, or securing data wherever it lives, with the keys stored elsewhere!

Finally, the demo that really got everyone’s attention was Graham Elliott’s lightning demonstration of 10 increasingly-serious SQL injection and cross-site scripting attacks in 10 minutes. Enough to make one’s hair stand on end. In fact, I think my hair might be permanently stuck on end until I get my hands on the Threat Analysis & Modeling tool.
