Microsoft's Larry Osterman On Threat Modeling
Schneier has pointed out an excellent series of blog posts about threat modeling by Microsoft's Larry Osterman. The series focuses on the PlaySound API as an example. "As you go about filling in the threat model threat list, it's important to consider the consequences of entering threats and mitigations. While it can be easy to find threats, it is important to realize that all threats have real-world consequences for the development team. At the end of the day, this process is about ensuring that our customer's machines aren't compromised. When we're deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage."
In the article: "Threat modeling is an analysis process that helps you better understand the attack surface of your component so you can understand what you need to do to ensure that your code is more secure." Apparently he's just talking about releasing service patches every time after being attacked.
What a relief!
I'm just replying randomly to this post since it's as good as any other: Why do Slashdotters so often fail to differentiate between a company's business decisions and its technical capabilities? MS has a mature, well-developed threat modeling process that works fine. That has little to do with which features are implemented in which time-frames, how good the QA on the final code is, whether or not they have to maintain backward compatibility to feature sets and software which require old (bad) security models, etc. It's a bit more complicated than "Microsoft Baaaaaad. Linux Goooooood"
My point was that the integration of IE into Windows is nothing special, and the security implications of it are nothing special either. It is perfectly possible to run Windows without explorer.exe or IE or any of the dlls that they both share. You won't get any of the integrated goodness (or badness, depending on your view) and you will have to rely instead on third party apps, and glorious command line to do things like file management and administration, but it can be done. Most people don't do it because if they really wanted all that flexibility, they would not be running Windows in the first place.
Yours and others' complaints in this thread all read like, "Windows is not UNIX, therefore it is bad." Sprinkle in ignorance of how Windows works, and in some cases ignorance of how UNIX works, and you get misinformed opinions on the issue of IE's integration.
And comparing the Linux kernel to the entirety of Windows as a whole is about as stupid as it gets.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.