Security Bytes

Dec 4 2008   12:15PM GMT

Inside the Microsoft SDL and threat-modeling process

David Schneier

After being criticized for years for being completely opaque and obtuse about virtually everything that goes on inside the walls in Redmond, Microsoft has swung pretty far in the other direction lately, at least when the topic is security. The company has been very open about the processes and tools that it has used in its Trustworthy Computing effort, to the point of releasing books on its software security practices and inviting outside experts in for its semi-annual Blue Hat confabs. Microsoft’s latest effort in this long, drum-banging, kimono-opening, insert-evangelism-cliche-here process is a series of videos recorded during the invitation-only Blue Hat meetings. The company has posted a number of them on its TechNet site, including a video on Microsoft’s threat-modeling process, starring Adam Shostack.

The video, which also includes a segment with Danny Dhillon, a senior security consultant at EMC, explaining the company’s threat-modeling program, has a pretty good, if quick, overview of Microsoft’s program. Shostack spends much of his time in the video comparing Microsoft’s and EMC’s programs, which he says are “remarkably similar.” The companies have different terminologies and structures, but the basic ideas and goals are the same. The great thing about this video, as well as the others Microsoft has posted, and the other assorted content it’s been churning out related to its SDL and other processes, is that it can serve as a nice, free education for developers. For the vast majority of development organizations without the resources that Microsoft has, this content can be a great foundation for further investigation. Think of it as the technical equivalent of those free online courses from MIT.

Videos of the rest of the sessions from the fall Blue Hat meetings are online as well, so take advantage of Microsoft’s legwork and largess and feed your mind.
