Last night I spoke to the OWASP (Open Web Application Security Project) Boston Chapter group on Threat Modeling for Web Applications. I presented some of the latest updates in Threat Modeling (in particular, those updates mentioned by Michael Howard at this year's TechEd 2005 and PDC 2005). I covered the process of Threat Modeling, and how it can be applied to Secure Web Application design, along with an interactive demonstration of whiteboarding the process. There were several great questions and discussion points.
One question that was raised at this meeting, and at my last talk on the topic, is: How do you get a company or business to buy into the usefulness of threat modeling? I think the value is in showing how threats can affect the very core of your business. For example, if your business deals with e-commerce and stores credit card information, you would want to make sure that data is stored securely and transmitted reliably and securely, as well as ensuring the integrity of transactions and collections. There are common threats against all of these issues/vulnerabilities (i.e. the lack of any of these safeguards represents a real vulnerability). When these threats are placed in the light of compromised integrity, reliability, and the ability to do business, a company can't help but look seriously at these threats and how to mitigate them.
I have posted slides from the meeting on my site. They will also be available on the OWASP Boston Chapter site.
Here are some references used or mentioned in my talk:
Secure Code 2: Second Edition, Threat Modeling chapter
Guerrilla Threat Modeling, Peter Torr's excellent article
Threat Modeling Web Applications (there is a nice set of threat modeling templates and common threat trees listed here on the Patterns and Practices site)
Here is a resource that was not mentioned, but it is another interesting source I am looking forward to see evolve: