Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

Security Development Lifecycle book and Threat Tree Patterns

Friday, June 16, 2006 Comments

 .NET   ArchitecturePatterns   Books   Personal   Security 
Share:   Share on LinkedIn    Share on Twitter    Share on Google+    Share on Facebook   

I bought Michael Howard's and Steve Lipner's book The Security Development Lifecycle here at TechEd 2006 today. Michael has a description and purpose of the book as well as a table of contents on his blog.

One thing I noticed immediately is the list of Threat Tree Patterns in its own chapter. I remember I had a question about these at one of my talks on Threat Modeling as I included a slide from one of  Michael's decks that mentioned this concept. Threat Tree Patterns really help in the modeling process as these are well known and common types of threat scenarios to look for in your application. Previously, with the DREAD style, you had to think of these yourself, and if you weren't a security expert you might miss several things. So, it helps to look at the patterns. Unfortunately, these patterns weren't readily available at the time, but now they are finally added to this book. Great!

I have read several SDL papers over the last couple of years and watched how Microsoft has fine-tuned the process. I think this will be a great read for every developer as they think through applying secure development at every stage of the software development lifecycle.
Share:   Share on LinkedIn    Share on Twitter    Share on Google+    Share on Facebook