Shostack + Friends Blog Archive

Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach

I’m pretty excited that an article, “Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach” [link to http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx no longer works] is in the November MSDN magazine. The theme of the magazine is “Security Fundamentals.” The article that I wrote with Shawn Hernan, Scott Lambert, and Tomasz Ostwald talks about how we threat model our products at Microsoft. I’m happy to be talking about my work, and look forward to doing more of it as the process and tools evolve.

Also in there at the conceptual level are “Secure Habits: 8 Simple Rules For Developing More Secure Code” [link to http://msdn.microsoft.com/msdnmag/issues/06/11/SecureHabits/default.aspx no longer works] by Michael Howard. Michael talks about important habits for ensuring that your software has security properties. In contrast, there’s “Extending SDL: Documenting And Evaluating The Security Guarantees Of Your Apps” [link to http://msdn.microsoft.com/msdnmag/issues/06/11/ExtendingSDL/default.aspx no longer works] by Mark Pustilnik. Mark discusses the concept of treating security feature requirements like other feature requirements and making sure they’re delivered in a way that’s focused on solving real customer problems.

At a more code-oriented level, there are articles on Single Sign On, smart cards [link to http://msdn.microsoft.com/msdnmag/issues/06/11/SmartStorage/default.aspx no longer works], and SQL security [link to http://msdn.microsoft.com/msdnmag/issues/06/11/SQLSecurity/default.aspx no longer works].

One of the cool things about writing for MSDN is they translate your article.
So feel free to read “Descubra los errores en el diseño de la seguridad con el método STRIDE” [http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx?loc=es], “Démasquez les défauts de conception en matière de sécurité à l’aide de la méthode STRIDE” [http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx?loc=fr], “Aufdecken von Fehlern im Sicherheitsentwurf mithilfe des STRIDE-Ansatzes” [http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx?loc=de], “Обнаружение недостатков безопасности при помощи STRIDE” [http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx?loc=ru], “Descoberta de falhas de design de segurança usando a abordagem STRIDE” [http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx?loc=pt], or “使用 STRIDE 方法发现安全设计缺陷” [http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx?loc=zh]. (You can read the other articles in any of those languages, too, but that’s way more link wrangling than I want to do.)
