I will be speaking on Threat Modeling for Web Applications at the local OWASP Boston chapter meeting on November 2, at the Microsoft, Waltham, MA offices. This may turn into more of an interactive teaching session similar to what I am doing Friday at the MAD Security Code Camp as I am seeing more interest in this way of presenting this topic. Threat modeling can be very helpful as you design your own web applications, so you are welcome to attend if you are in the area.
I have been interested to see how threat modeling has evolved over the last few years. At PDC 2005, there was an interesting summary of the current state of threat modeling during the Security Symposium. An emphasis on simplifying the exercise was stressed, especially for those who aren't security experts. The big question (in my mind): how can the typical developer and/or architect get a handle on the security design tradeoffs? You can find the slides for the Symposium at PDC here. Interesting reading.
