Microsoft's Larry Osterman On Threat Modeling
Schneier has pointed out an excellent series of blog posts about threat modeling by Microsoft's Larry Osterman. The series focuses on the PlaySound API as an example. "As you go about filling in the threat model threat list, it's important to consider the consequences of entering threats and mitigations. While it can be easy to find threats, it is important to realize that all threats have real-world consequences for the development team. At the end of the day, this process is about ensuring that our customers' machines aren't compromised. When we're deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage."
Face it, no matter how secure your little bit of code is, if the SYSTEM is vulnerable, your little bit of code is vulnerable.
No way, baby! Larry did his homework! That PlaySound API is rock solid!
Um, did anybody else notice that the PlaySound API doesn't actually play any sounds? It just passes data to the APIs that actually do play sounds. So WTF does the PlaySound API do, really? To me, it doesn't really do anything at all...
Rather than spending large chunks of time trying to work out where you don't need to bother testing your inputs you can just be paranoid from day one and trust nothing.
A threat model is about admitting we have a bad product, saying that fixing it properly is too hard/expensive so we will try and work out what the largest holes are and fix those first.