
Archive for Security

Cleaning Malware On Windows: A Lesson By Mark Russinovich

Mark Russinovich, a Microsoft Technical Fellow, presented a very good session at the TechEd IT Forum last year on the topic of advanced eradication of malware on Windows machines. It’s a great session and has some useful advanced techniques for removal. It is also a very good resource for those who want to better understand how malware infects and what some of the risks are. Lots of practical information and how-tos in this one.

Fortunately, the session was recorded and is available online for anyone who wants to see it. If viruses and malware are a part of your job or if this type of security topic is of interest to you, it’s an hour and twelve minutes well-spent. I went looking for this session online hoping to find the PowerPoint and found the whole session with video and demo and everything — terrific stuff.

Safe And Productive Browsing In A Dangerous Web World

Learn the three key pillars of modern Web protection.

With a brand new infected Web page discovered every 14 seconds, the Web has now become the key vector for online hacking attacks, as well as representing a drain on productivity for many businesses. Yet the vast majority of businesses are unprotected against today’s modern Web-based malware. Few organizations have deployed proactive protection to combat the dangers and ensure that both network security and employee efficiency remain uncompromised. This paper highlights the six top tricks used by hackers and describes the three pillars of protection organizations need to safeguard their systems and resources.

Get your free white paper!

Lockergnome has joined forces with TradePub.com to offer you a new, exciting, and entirely free professional resource. Visit us today to browse our selection of complimentary IT-related magazines, white papers, webinars, podcasts, and more across 34 industry sectors. No credit cards, coupons, or promo codes required. Try it today!

PCI Compliance And Web Application Security

If you are a merchant that processes credit cards, then you are probably already well aware of PCI (Payment Card Industry), but you may not be sure how Web application security fits into the picture. You may also have heard that starting in June 2008, section 6.6 of the rules for PCI compliance will go from a “best practice” to a mandatory requirement (if not, it’s time to pay attention!), but you might not know what this means for your business. The fact is, in a perfect world you already have in place what is necessary to be compliant with not only section 6.6, but PCI rules as a whole. This is because ideally, you would have handled your Web application security practices from the start, as the applications are built, so that you are not scrambling to add security to existing applications. Unfortunately, this is often not the case - which makes now a great time for businesses to reevaluate their Web application security processes overall.

What PCI Compliance Means

A bit of background regarding PCI compliance - as credit card use has become more widespread both offline and online, and as consumer concern about security has understandably grown, the credit card industries have made an effort to ensure that sensitive information is protected. To that end, in September 2006, the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) formed the PCI Security Standards Council (SSC) and established a set of rules for what they called PCI compliance. These rules have to be followed depending on the size of a business and the number of credit card transactions handled, and if done properly will help protect consumers’ data from theft.

The Rules for PCI Compliance

There are six major categories within the standards established by the PCI SSC, which are as follows:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Within these six categories are 12 requirements that address particular issues and that are directly related to Web application security:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

Each requirement for PCI compliance is broken up into a variety of subsections that go into detail about the process, the full list of which can be viewed at www.pcicomplianceguide.org. Section 6.6 - the most important subsection regarding Web application security because it is coming under scrutiny this year - states the following:

Ensure that Web-facing applications are protected against known attacks by applying either of the following methods:

  • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  • Installing an application layer firewall in front of Web facing applications

As a result of this upcoming change, it is important for companies to have a game plan in place for Web application security. Until now, companies may not have taken PCI compliance very seriously. No major fines have been levied for noncompliance so far, and the entire process may have been seen as something nonessential. But with this new change to 6.6, IT teams around the world are weighing the strengths and weaknesses of Web application firewalls, code reviews and application assessment software, all of which satisfy the requirement.

What It Means for Your Business

There are two mistakes that many organizations make related to Web application security. First, many businesses and government organizations have historically focused their attention on network security rather than Web application security, and it may seem that the June 2008 deadline is coming out of nowhere and that businesses will be scrambling to achieve PCI compliance. But the fact is, your business should have ensured that all of its Web applications were secure from the beginning. PCI compliance shouldn’t be viewed as a checklist, because then all that will happen is that unreliable fixes will be applied to problems. Instead, the concept of Web application security needs to be implemented within the Web application itself. When Web application security is implemented properly, the PCI compliance requirements related to Web application security are automatically met.

As a result, the development and QA teams at businesses need to be focused on Web application security. It may be that businesses will need to take their Web applications and break them down from the start, rather than trying to install patches and fixes for PCI compliance.

Another section related to PCI compliance that could cause problems in the near future is 11, which states that security scans must be done on a regular basis. If instead of fixing Web application security issues internally, patches had been installed as an afterthought, these scans could become nightmarish because they will identify hundreds of issues that will need to be fixed. Better to take the time up front to build in Web application security measures and avoid this problem altogether.

Conclusion

Businesses that process credit cards are likely already aware that they must be PCI compliant - but they may not have worked very hard to make sure that they are. In 2008, one of the subsections of PCI compliance will become mandatory, and businesses are going to have to evaluate their Web applications very carefully. By ensuring that Web application security is built from within, rather than by adding on fixes that will only work in the short term, businesses will find that not only are they compliant with one part of the PCI standards, but that they are compliant with all of them, and that their customers’ data is secure across the board.

About the Author

Michael Sutton is a security evangelist for HP Software. Michael is responsible for educating audiences on the importance of integrating Web application security best practices throughout the application development process and works closely with the HP Software Security Labs team. The co-author of Fuzzing: Brute Force Vulnerability Discovery, Michael has his CISSP and CISA designations and is a member of ISACA.

Good Architecture And Security

The Good wireless handheld computing system provides end-to-end security across three critical links.

The Good System puts security completely in the hands of IT managers and does not require users to set security parameters or make any security decisions.

To ensure security across the entire system, enterprises must recognize and address risks across the three different links in a wireless handheld computing system:

  • Perimeter or firewall security
  • Transmissions/Over-the-Air (OTA) security
  • Handheld security

Get your free white paper!

Improving Gramm-Leach Bliley Security Compliance

Learn more about Gramm-Leach-Bliley compliance.

Security provisions of GLBA are complex and process intensive. This free guide explains how on demand security audits make GLBA compliance easier to achieve.

Get your free eGuide!

A Guide To Spam And Related Threats

Learn more about today’s evolving, interrelated online threats to your business, and what you can do about them.

Being open for business is synonymous with being online. Your employees need to communicate at various locations and access various types of business information stored electronically. But the openness of online business activity is synonymous with danger. The danger starts with spam, the top security threat to businesses today, which began as unwanted advertising, but is now so much more.

Understand spam, key spam-related threats, such as botnets, phishing, spyware and more, and learn about some of the spammers’ latest, most sophisticated attack patterns, such as those demonstrated in “SpamThru” and “Warezov.” Finally, see why the MessageLabs managed security solution offers superior protection against these emerging spam and spam-related threats.

Get your free information guide!

Internet Security Threat Report

Download this report to find out about the current and impending threats, and how to protect and mitigate against them.

What are the latest worldwide Internet threats?

Symantec has some of the most comprehensive sources of Internet threat data in the world. Through the Symantec Global Intelligence Network, activity is tracked across the entire Internet and reported on for a six-month period.

Download this report documenting the threat activity from January through June 2007 and find out more about:

  • Shifts in the threat landscape
  • Regional differences in threat activity
  • Trends in global attacks, vulnerabilities, and malicious code

Get your free Internet security threat report!

Annual Security Report From IBM’s ISS: Not Looking So Good In Threat Land

IBM Internet Security Systems’ X-Force has released its annual report outlining the malicious software threat and trending landscape. In a nutshell, things are getting more complicated (landscape-wise) and the impact is becoming more technically complex. Read the report and you can directly glean as well as infer certain facts.

As malware becomes harder and harder to catch in real-time using currently-available technology (a trend that has become quite clear over the past year or more) and as the intent of the malicious software becomes more and more geared toward complete remote system control and access, the potential situation looks — I’ll just say it — pretty darned bleak.

It’s important to stay up-to-date if you’re an IT or Security professional (or hard-core geek). Here are your links:

Comfortable Remote-Access without Compromises

Discover why there are SSL VPNs, and why they are able to compete with other solutions in terms of security.

This white paper offers a detailed and informative discussion comparing the advantages and disadvantages of traditional VPN technologies and SSL VPN solutions, and explains why client-based SSL VPNs offer a valid alternative to conventional remote access software.

Get your free white paper, Comfortable Remote-Access without Compromises: SSL-VPN in comparison with traditional VPN technologies, today!

Discussing OpenID With Scott Kveton

Richard and I had a good conversation with Scott Kveton, OpenID personality extraordinaire, on the RunAs Radio podcast this week. Scott is chairman of the OpenID Foundation.

OpenID is a cool and upcoming technology and has seen significant attention in the past few weeks especially as Yahoo! became an OpenID provider, immediately followed by an announcement that Microsoft, Google, Yahoo!, IBM and Verisign had joined the board of the OpenID Foundation.

It’s time to get on-board and know what OpenID is, how it might play with other technologies in the identity and access management space, and how you can learn more. That’s what this show is all about.

Scott Kveton Shares His OpenID (MP3 link) from the RunAs Radio podcast

Richard and Greg talk to Scott Kveton about OpenID. OpenID is a single sign-on solution that could very well make the classic username and password obsolete. This is a fast half hour — you’ll find yourself wanting to listen again!

2008 Internet Security Trends

This report is designed to help highlight the key security trends of today and suggest ways to defend against the sophisticated new generation of Internet threats certain to arise in the future.

The overall trends in spam and malware can be characterized by a larger number of more targeted, stealthy, and sophisticated attacks. Specific observations include:

  • Spam volume increased 100 percent, to more than 120 billion spam messages daily. That’s about 20 spam messages per day for every person on the planet.
  • Spam has become more dangerous. Past spam attacks were primarily selling some type of product. In 2007, more than 83 percent of spam contained a URL. In accordance with a trend towards the blending of different malware techniques, URL-based viruses increased 256 percent.
  • The “self defending bot network” was introduced. The Storm Trojan is perhaps one of the most sophisticated botnets ever observed. The quality and technical sophistication reflect that these threats are being developed by professional engineers.
  • Viruses no longer make headlines, because virus writers have evolved beyond the previous mass-distribution attacks. In 2007, viruses were much more polymorphic and were typically associated with the proliferation of very sophisticated botnets such as Feebs and Storm.

Get your free report now!

Inexcusable Data Center Mistake

I’m going to go off on a bit of a (somewhat grumpy) lecture here in hopes that people will stop long enough to listen. A little Gestalt therapy, if you will. Ultimately I hope at least one person recognizes a need and acts on it.

If I had a dime for every time I have personally seen this one issue bite someone in the backside, I’d be a rich man. There are a zillion things that can go wrong on a mission-critical network, but of those things there are actually just a few that account for a substantial portion of the issues that typically bring critical services down.

So, if you run a network and have not addressed the one issue I will describe below, please take the time out of your day to start a plan to remediate the problem ASAP. Along the same lines, if you are not sure where you stand with regard to the issue, or if you have never checked but you feel confident because everything works today and always has so it can’t possibly be an issue… Again, please just take the time to inspect your infrastructure and put a plan in place.

I should also say that if I had a dime for every time I’ve said exactly what you just read in the paragraph above, I’d be a rich man. I lost count long, long ago of the number of hours spent watching people try to avoid - in any way possible - checking the obvious and addressing it. Usually that’s due to those egg-on-face concerns that go along with being the guy who missed something so simple and critical (albeit not too obvious) when it came time to learn the detailed intricacies of running a high-availability network.

Okay, enough with the harshness. Time for the issue at hand.

The number one network mistake I have seen people make on IP networks, over and over again, is using the default settings on their switches and servers that cause the network interfaces to auto-negotiate the speed and duplex settings.

Seriously, if your requirement is to provide high availability and your SLAs require your services be up, do not neglect the critical (but often skipped) process of manually configuring your NICs and switches to the proper setting. Just because the interface says it’s running 100 Mbps and full-duplex doesn’t mean it’s working, and when your network takes a dive and you start losing packets you’ll be sorry.

Along the same lines, never assume that one half of one percent of packet loss is no big deal. Seriously, if you are seeing retransmits on your network interfaces, something is likely wrong. Also, chances are that 0.5% loss is not being scattered evenly across your traffic. It may all be happening at once in bursts, and that hurts - a lot.

Again, if I had a dime for every time I (or someone working with me) recommended inspecting the interface settings, recommended changing them, and flagged interfaces where traffic analysis showed data transmission loss that was obviously causing network apps to fail… Well, let’s just say it’s amazing how hard it is to convince some people that their network is the cause of the issue.

Why am I being so blatantly blunt about this? Because I hope that the message will carry, that administrator egos will be set aside, and that people will understand that the real-world evidence based on years of actual experience, proven over and over again, bears out the fact that this will eventually happen to you if you have not already taken the steps to ensure it doesn’t. Don’t let that happen. Protect that ego now, rather than waiting for it to be damaged.

Finally, don’t fall prey to the idea that just because you have high-grade HP, IBM and Dell Servers and Cisco switches that the money you (smartly) spent negates the need to set things up the right way, or that these vendors have everything figured out for you and set as defaults. Point of fact, this issue occurs just as often (if not even more so) with your expensive, data-center class hardware. In fact, Cisco switches have been somewhat famous for requiring intervention of the manual-configuration type. They even have a troubleshooting support article here that you can refer to for your configuration needs.
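The check the post keeps asking for, as an added example that is not part of the original post: a small audit over per-interface counters that flags ports whose speed/duplex came from auto-negotiation, applies the standard duplex-mismatch signature (the half-duplex side logs late collisions, the full-duplex side logs CRC errors and runt frames), and compares overall packet loss with the worst single interval so that the "0.5% in bursts" case stands out. The tabular input format, the sample counters and the 0.1% error-rate threshold are constructed for this example; they are not any vendor's CLI output or recommended figure.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample table: one row per interface. This is NOT real switch or
# NIC output; the column layout is invented for this example. On real gear you
# would fill it from the interface counters (e.g. "ethtool -S" on Linux or
# "show interfaces" on a Cisco switch).
SAMPLE_TABLE = """\
# name  speed_mbps  duplex  setting  crc_err  late_coll  runts  in_pkts
Gi0/1   1000        full    manual   0        0          0      98231552
Gi0/2   100         full    auto     18344    0          2917   11230012
Gi0/3   100         half    auto     0        4412       0      8893321
eth0    1000        full    manual   3        0          0      45112230
"""


@dataclass
class Iface:
    name: str
    speed_mbps: int
    duplex: str       # "full" or "half"
    negotiated: bool  # True when speed/duplex were produced by auto-negotiation
    crc_errors: int
    late_collisions: int
    runts: int
    in_packets: int


ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<speed>\d+)\s+(?P<duplex>full|half)\s+(?P<setting>auto|manual)"
    r"\s+(?P<crc>\d+)\s+(?P<late>\d+)\s+(?P<runts>\d+)\s+(?P<pkts>\d+)\s*$"
)


def parse_table(text: str) -> List[Iface]:
    """Parse the constructed table, skipping blank lines and '#' comments."""
    ifaces = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        ifaces.append(Iface(
            name=m["name"], speed_mbps=int(m["speed"]), duplex=m["duplex"],
            negotiated=(m["setting"] == "auto"),
            crc_errors=int(m["crc"]), late_collisions=int(m["late"]),
            runts=int(m["runts"]), in_packets=int(m["pkts"]),
        ))
    return ifaces


# Assumed threshold for this example: flag a full-duplex port once CRC errors
# plus runts reach 0.1% of received frames. A handful of errors stays quiet.
ERROR_RATE_LIMIT = 0.001


def assess(iface: Iface) -> List[str]:
    """Return findings for one interface; an empty list means it looks clean."""
    findings = []
    if iface.negotiated:
        findings.append("speed/duplex came from auto-negotiation; pin both ends manually")
    # Duplex-mismatch signature: the half-duplex side sees late collisions,
    # the full-duplex side sees CRC errors and runt frames.
    if iface.duplex == "half" and iface.late_collisions > 0:
        findings.append("late collisions on a half-duplex port: peer is probably full duplex")
    if iface.duplex == "full" and (iface.crc_errors > 0 or iface.runts > 0):
        rate = (iface.crc_errors + iface.runts) / max(iface.in_packets, 1)
        if rate >= ERROR_RATE_LIMIT:
            findings.append(
                f"CRC/runt rate {rate:.2%} on a full-duplex port: peer is probably half duplex")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Audit every interface in the table; only interfaces with findings are returned."""
    return {i.name: f for i in parse_table(text) if (f := assess(i))}


def loss_profile(sent: List[int], lost: List[int]) -> Tuple[float, float, bool]:
    """Compare overall loss with the worst single interval.

    Returns (overall_ratio, worst_interval_ratio, bursty). 'bursty' is True when
    the worst interval is at least 5x the average, i.e. the loss is concentrated
    rather than spread evenly. Counters are per-interval (constructed here)."""
    if len(sent) != len(lost) or not sent:
        raise ValueError("need equally sized, non-empty counter lists")
    overall = sum(lost) / sum(sent)
    worst = max(l / s for s, l in zip(sent, lost) if s > 0)
    bursty = overall > 0 and worst >= 5 * overall
    return overall, worst, bursty


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TABLE).items():
        for f in findings:
            print(f"{name}: {f}")
    # Constructed counters: ten intervals, 0.5% loss overall, all of it in one burst.
    print(loss_profile([10_000] * 10, [0, 0, 0, 0, 500, 0, 0, 0, 0, 0]))
```

In the sample, Gi0/1 and eth0 produce no findings (eth0's three CRC errors are far below the threshold), while Gi0/2 and Gi0/3 show the two halves of one mismatched link. The burst check is the point of the second function: the same 0.5% spread as 50 lost frames per interval reports `bursty=False`, whereas 500 frames lost in a single interval is a 5% hole that a flat average would never show.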

You have been advised. Now go do something about it. And forward this to every network administrator you know. The network (and ego) you save may be theirs. :)

Conventional Universal Threat Management Not Enough

Learn to achieve complete security coverage to address today’s increasingly complex network threats.

A fundamental truth for organizations worldwide: protecting mission-critical applications, sensitive electronic data, and underlying computing infrastructure is a challenging and never-ending task. A wide array of ongoing trends ensures that IT and security personnel will always have their hands full. Most significantly, a shift in hacker motivation has led to the development of increasingly elusive threats that are emerging and spreading at an alarming rate. Other factors include a steady flow of new vulnerabilities that need to be addressed and growing levels of user mobility and inter-connectivity among organizations - trends that introduce more “points of entry” and emphasize the need to deploy countermeasures not just at obvious Internet boundaries but throughout the internal computing environment and on individual endpoints as well. This paper covers and includes:

  • The Threat Management Challenge
  • The Holistic Perspective
  • The Solution: Universal Threat Management
  • Unified Threat Management: A Sensible Starting Point
  • Dedicated Threat Management: The Key to Complete Physical Coverage
  • Unified Administration: The Secret Ingredient

Get your free white paper: Because Conventional UTM is Not Enough — Universal Threat Management

Take The Endpoint Challenge And Enter A Drawing For An iPod Nano

Sign up for the Endpoint Challenge!

Take this quick challenge to find out whether your endpoints are secure. By taking this brief questionnaire, you will gain valuable information on aspects of endpoint security that should be considered in building out best practices against future threats.

At the end of the challenge, you will receive a scorecard that can be used for reference as you look to improving security for your laptops, desktops, and servers.

Are you up for the challenge? Take the Endpoint Challenge and you can win an iPod Nano!

Vista’s Security Center

One of the first things you should do after installing Vista is establish a baseline of security for your system. This means making a few configuration changes to make your system more secure. Vista makes this easy to accomplish with the Security Center. The Security Center offers a central location for verifying and configuring essential security options.

The Security Center in Vista lets you view the current security status of your computer and access important security settings. When you first open the Security Center you will immediately notice the four main security essentials: Firewall, Automatic Updating, Malware Protection, and Other Security Settings.

The Firewall component protects your computer from attackers when connected to a network. The Security Center will tell you whether or not the Firewall is enabled and provide you with access to firewall settings. You can quickly access firewall settings by selecting Windows Firewall. The Windows Firewall window will open where you can enable/disable the firewall and create exceptions for programs and services.

Automatic Updates protects your computer by installing security and other updates as they become available. The Security Center will indicate whether or not Automatic Updates settings have been configured on the computer. You can select Windows Update to access the related settings. From here you can manually check for updates and change the settings.

Malware protection includes Windows Defender and anti-virus software. The Security Center will indicate if there is anti-virus software installed on the computer and whether Windows Defender is out of date. You can manually check for new definitions by selecting the Windows Defender link within the Security Center.

Internet Explorer has specific security settings designed to protect your computer. You will notice that these settings are also quickly accessible through the Security Center by selecting the Internet Options link.

Finally, you can change the way that the Security Center alerts you when it detects that your computer may be at risk. It is a good idea to keep the alerts on so you know immediately when your computer may be at risk.

Kim Cameron On Being Hacked And The Unthinking Community Response

People just don’t think, research, or plug in their brains a lot of the time before speaking typing.

Such was the case the other day over at Kim Cameron’s Identity Weblog, which was defaced recently via a vulnerability in the blog application software used to drive the site. Kim is a Microsoft employee and is its Identity Architect. So he’s in a public-facing security role at the company.

As Kim points out, people came out of the woodwork in the comments on a very brief ZDNet article to slam Microsoft, its applications, the fact that the site was hacked, etc. What they did not realize, even after it was pointed out to them a few times by others, is that the site runs on a BAMP architecture (similar to LAMP, but in this case it’s BSD Unix, Apache, mySQL, and PHP).

Kim’s site runs 100% on non-Microsoft products. The vitriolic commenters on the ZDNet site slammed Microsoft technologies where none exist, and exuded the virtues of using — for example — Linux, Apache, mySQL, and PHP — the very platform that they did not take the time to discover (or even ask) had just been victimized.

You know what they say about assuming things? Yeah.

Security threats are real and exist on all platforms equally — not just IIS and Windows; not just in Windows applications. Bad programmers are bad programmers, and even when applications are well-programmed, new threats arise all the time and need to be remediated once known. There’s nothing about that fact that’s Microsoft-specific, and to assume such is irresponsible.

I like and respect Kim, and the work he has done is excellent. His evangelism of the need for better forms of identification, authentication, and credentialing has been invaluable, and his emphasis on the broad-spectrum community, not just Microsoft, is the right way to address the issues that cross all platforms and application types.

I have seen this non-thinking, just-fire-off-at-the-mouth, *nix-fixes-everything mentality backfire on people before, to great cost. Any system administrator who thinks running anything other than Windows solves their security problems or obviates the need to test, patch, review, and maintain has his or her head stuck so far in the sand we have to strain to see their backside. Thinking and reasoning is what makes people special and unique. Take the time to know the facts, understand the circumstances, and reason based in reality.

Facts: Problems exist everywhere — Windows, Linux, OSX, PHP, ASP.NET, you name it. More often than being caused by an underlying platform issue, most security vulnerabilities and exploits are the result of programming errors, a lack of defensive programming style, and poor test coverage. I’ve managed enough software development with a specific focus on security of the applications to know you can create a completely locked down platform on any of the options available, whether Linux or Windows or other. But if you don’t have a solid application, you’re screwed. It’s a lot like buying a great alarm system with laser detectors in the ceiling, trip wires on the roof, foot-thick ceilings of concrete to prevent break-through, glass break sensors on explosive- and projectile-proof glass… and leaving the front door standing open.

Kudos to Kim for keeping his cool personality in the face of all this and, as always, providing a measured and reasoned response. As he says, “There’s a lot of ideology to get past in teaching people about security.” So true.

Network Security Assessment

How secure is your network? The best way to find out is to attack it. Network Security Assessment provides you with the tricks and tools professional security consultants use to identify and assess risks in Internet-based networks — the same penetration testing model they use to secure government, military, and commercial networks. With this book, you can adopt, refine, and reuse this testing model to design and deploy networks that are hardened and immune from attack.

Network Security Assessment demonstrates how a determined attacker scours Internet-based networks in search of vulnerable components, from the network to the application level. This new edition is up-to-date on the latest hacking techniques, but rather than focus on individual issues, it looks at the bigger picture by grouping and analyzing threats at a high level. By grouping threats in this way, you learn to create defensive strategies against entire attack categories, providing protection now and into the future.

Network Security Assessment helps you assess:

  • Web services, including Microsoft IIS, Apache, Tomcat, and subsystems such as OpenSSL, Microsoft FrontPage, and Outlook Web Access (OWA)
  • Web application technologies, including ASP, JSP, PHP, middleware, and backend databases such as MySQL, Oracle, and Microsoft SQL Server
  • Microsoft Windows networking components, including RPC, NetBIOS, and CIFS services
  • SMTP, POP-3, and IMAP email services
  • IP services that provide secure inbound network access, including IPsec, Microsoft PPTP, and SSL VPNs
  • Unix RPC services on Linux, Solaris, IRIX, and other platforms
  • Various types of application-level vulnerabilities that hacker tools and scripts exploit

Assessment is the first step any organization should take to start managing information risks correctly. With techniques to identify and assess risks in line with CESG CHECK and NSA IAM government standards, Network Security Assessment gives you a precise method to do just that.


7 Essential Steps To Achieve, Measure And Prove Optimal Security Risk Reduction

Learn essential aspects of putting into place a measurable and sustainable vulnerability management program.

Rapid changes within technology and the evolving sophistication of attack methods used to infiltrate systems create the greatest set of challenges faced by IT administrators trying to keep their systems secure and within regulatory compliance. That’s why — whether protecting five servers or 5,000 — the security status of your infrastructure and your organization’s ability to rapidly mitigate emerging threats need to be continuously monitored and measured.

Get your free white paper!


Mobile Data Security Essentials For Your Changing, Growing Workforce

Mobile data encryption should not stand alone. Learn four essentials to effectively secure your mobile endpoints.

Securing data-at-rest is about more than just encrypting bits on disks. It must accommodate today’s workforce (all devices, users and locations), while consistently enforcing security rules without compromising user experience. This white paper outlines four key requirements for implementing an effective and flexible, enterprise-class mobile security solution to secure your mobile data and devices.

Get your free white paper!


Threat Modeling: Case Study And An Approach Used At Microsoft

I’ve worked in the financial services software industry for years. For the last couple of years I ran the security division of a major online-banking software and services provider. Security is paramount in that market. The responsibility that goes along with the role is huge, but it’s a responsibility that’s shared by everyone involved. Taking security seriously can’t be something that happens after the work is done, and it can’t just happen at some milestone point in a project. It needs to be an ingrained principle, part of the way things are done from beginning to end.

Threat modeling, loosely described, is a design process by which you examine your software application design through the eyes of the bad guys, in order to determine what your design needs to take into consideration and how it should be built to protect against malicious threats. From the design phase you take your documented threat model into development and use it as a living document throughout the development lifecycle. Or at least that’s how we did it.
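To make the "living document" idea concrete, here is an added example (not code from this post, from Larry's articles, or from Microsoft) of a threat model kept as a small, checkable artifact: data flows with trust zones, the STRIDE threat categories from Microsoft's approach applied to each boundary-crossing flow, and a check that reports any threat with no recorded mitigation. The element names, zones and controls are constructed for an online-banking style design, and the rule that internal flows only get tampering and denial-of-service threats is an assumption of this example.

```python
"""Minimal machine-checkable threat model (added example, not from the post).

Assumption: Microsoft's STRIDE categories are applied in full to every data
flow that crosses a trust boundary; flows inside one zone get a reduced set.
All element names, zones and mitigations below are constructed sample data.
"""
from dataclasses import dataclass, field

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")


@dataclass
class Flow:
    src: str
    dst: str
    src_zone: str
    dst_zone: str
    data: str
    mitigations: dict = field(default_factory=dict)  # threat -> control

    def crosses_boundary(self) -> bool:
        return self.src_zone != self.dst_zone


def enumerate_threats(flow: Flow) -> list:
    """Threats to consider for one flow (full STRIDE across a trust boundary)."""
    if flow.crosses_boundary():
        return list(STRIDE)
    return ["Tampering", "Denial of service"]  # example assumption for in-zone flows


def unmitigated(flows) -> list:
    """(flow label, threat) pairs with no recorded control.

    This is the check that keeps the model honest as the design evolves:
    run it whenever a flow is added or a mitigation is removed."""
    return [(f"{f.src}->{f.dst}", t)
            for f in flows
            for t in enumerate_threats(f)
            if t not in f.mitigations]


# Constructed sample model: browser -> web tier -> core banking database.
MODEL = [
    Flow("browser", "web_app", "internet", "dmz", "login credentials",
         {"Spoofing": "TLS + MFA", "Tampering": "TLS",
          "Repudiation": "audit log", "Information disclosure": "TLS",
          "Denial of service": "rate limiting",
          "Elevation of privilege": "server-side authorization checks"}),
    Flow("web_app", "core_db", "dmz", "internal", "account balance",
         {"Spoofing": "mTLS service identity", "Tampering": "mTLS"}),
]

if __name__ == "__main__":
    for label, threat in unmitigated(MODEL):
        print(f"UNMITIGATED {threat:<22} on {label}")
```

Run as a script it lists the four gaps on the web_app->core_db flow; wired into a build, a non-empty result is the signal that the design moved faster than the threat model.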

Larry Osterman, who’s worked at Microsoft pretty much forever, is a pro when it comes to threat modeling and secure coding. I haven’t ever met Larry, but I’ve read his thoughts on the topic and they’re solid. He has written about this a couple of times before, and more recently (over the past month) he wrote and posted a series of excellent articles on his blog about threat modeling at Microsoft in the Windows division. If you’re into this sort of thing, as I am, it’s also very interesting to look back at his articles from the earlier years and compare them with how they do things today. They’ve matured quite a bit.

I’ll leave the narrative and examples to Larry, but let me add this by way of punctuation: Threat modeling takes some time and effort, but understand that security is a critical component of quality. Reputations (and therefore businesses) depend on it. It takes a very intentional process to properly understand the landscape and to look at all the threats and vectors of attack. It’s not easy for people to shift gears. Most developers spend all their time thinking in terms of getting software to function according to customer requirements. Just as important is making sure it won’t do what the bad guys want it to do. So, if you’re ready to argue that you don’t have time to do threat modeling, I have a solid argument (several of them really, which are backed up by real-world proof) that you can’t afford not to. Threat modeling is risk management for the software industry.

And then there’s the very-real side benefit of threat modeling. When your designers and developers sit down before building the product and really start to think about all aspects of quality in a formal, documented manner, you don’t just get security improvements. They’ll be seeing and thinking about general product improvements that you just won’t get otherwise. I can’t tell you how many times someone has come to me during a threat modeling process with a look of glee in their eyes, excited to tell me “hey this threat modeling stuff is pretty cool, and we even came up with some other stuff that isn’t strictly security-related but will make it a much better product. I’m glad we did this.”

The rule of the game is strategic thought, proper defense, quality first, and better software done faster that costs less. And it can happen if you let it.

If you’re a software developer, tester or product manager and you don’t know what threat modeling is and how it works, you’re missing out on something that really should be required in this day and age. So here is what you should do:

  1. Read Larry’s articles; they’re quite good.
  2. Buy three books (you’ll notice Michael Howard is an author on them all):
  3. Be a leader and implement what you learn.
