Microsoft's Larry Osterman On Threat Modeling
Schneier has pointed out an excellent series of blog posts about threat modeling by Microsoft's Larry Osterman. The series focuses on the PlaySound API as an example. "As you go about filling in the threat model threat list, it's important to consider the consequences of entering threats and mitigations. While it can be easy to find threats, it is important to realize that all threats have real-world consequences for the development team. At the end of the day, this process is about ensuring that our customers' machines aren't compromised. When we're deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage."
Consumer: My company doesn't need Vista, we're using Linux which has about the same amount of bumps and hiccups. ... ... ... well, no reason to get into details. Have a nice day!
Microsoft: You mean you're using an operating system that validates over 450 of our patents?
Consumer: Well, I know that isn't true but
Microsoft: But it'd be a shame if your company was ever engaged with our world class legal team instead of being a 'partner' with the largest software maker ever?
Consumer: But we only have 20 employees.
Microsoft: We know--perhaps you'd be interested in purchasing a copy of our lap dog here, Novell's SUSE?
Consumer: But we already use Red Hat.
Microsoft: We heavily suggest you re-evaluate SUSE and when you do your trade study please do note that it's the only Microsoft Certified Genuine Linux. Also, it would be a shame if we had to exercise our patent portfolio on Red Hat and subsequently
My work here is dung.
Try to imagine this guy's work day: He gets to wake up in the morning, hug his kids and then go into work and spend all day trying to figure out the right combination of security defaults that will (a) let people go out and do stuff while (b) protecting them from their own "I'm an average Windows user" level of abject stupidity.
Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.
As much as it's fun to give MS shit for their products, I think I'd last about two hours in that position before I went into the executive washroom and slashed my wrists.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.