I enjoyed being a guest recently on Bill Murphy’s RedZone podcast. You can take a listen with a variety of tools at “
How CIOs Can Use Threat Modelling to Benefit Their Organization: Build Out Your Defenses!.”
ISACA has released a podcast that we did to talk about the “Reasonable Software Security Engineering” perspectives article. You can download the podcast at ISACA, or you can use:
There’s a really interesting podcast with Robert Hurlbut
Chris Romeo and Tony UcedaVelez on the PASTA approach to threat modeling. The whole podcast is interesting, especially hearing Chris and Tony discuss how an organization went from STRIDE to CAPEC and back again.
There’s a section where they discuss the idea of “think like an attacker,” and Chris brings up some of what I’ve written (“‘Think Like an Attacker’ is an opt-in mistake.”) I think that both Chris and Tony make excellent points, and I want to add some nuance around the frame. I don’t think the opposite of “think like an attacker” is “use a checklist,” I think it’s “reason by analogy to find threats” or “use a structured approach to finding threats.” Reasoning by analogy is, admittedly, hard for a variety of reasons, which I’ll leave aside for now. But reasoning by analogy requires that you have a group of abstracted threats, and that you consider ‘how does this threat apply to my system?’ You can use a structured approach such as STRIDE or CAPEC or an attack tree, or even an unstructured, unbounded set of threats (we call this brainstorming.) That differs from good checklists in that the items in a good checklist have clear yes or no answers. For more on my perspective on checklists, take a look at my review of Gawande’s Checklist Manifesto.
Tony’s book is “Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis“
Alan Shimmy has the nominations for the 2014 Social Security bloggers award!
New School has been nominated for most entertaining, while Emergent Chaos has been nominated for best representing the security industry and the hall of fame.
Remarkably, some software that people host on your behalf, where you have no contract or just a contract of adhesion, can change at any time.
This isn’t surprising to those who study economics, as all good New School readers try to do. However, this is a reminder/request that when you move, please resubscribe to New School. We have some interesting announcements forthcoming, and will try to get more interesting content up soon.
We’re honored to be nominated in three categories for the Security Bloggers Awards:
- Most Educational
- Most Entertaining
- Hall of Fame
On behalf of all of us who blog here, we’re honored by the nomination, and would like to ask for your vote.
We’d also like to urge you to vote for our friends at Securosis for “Best Representing the Security Industry.” We don’t think Securosis actually is the best representative of the industry today. But I think they represent what we all ought to aspire to be, a empirical, business-aware industry. So please consider them as a part of the broad “New School” sort of slate. We’d also like to put a word in for the ThreatPost podcast as a great mix of technical and non-technical content, and for Veracode for best corporate blog. We’re suggesting Veracode in large part for Chris Eng’s empirical and side-splittingly funny thought leadership videos, but also for a general avoidance of FUD in their blogging.
But whomever you like, please take a moment to vote.
This is a great video about how much of software engineering runs on folk knowledge about how software is built:
“Greg Wilson – What We Actually Know About Software Development, and Why We Believe It’s True”
There’s a very strong New School tie here. We need to study what’s being done and how well it works to figure out how to make better software more reliably.
Incidentally, at around 28 minutes in, Wilson mentions Nachi Nagappan‘s work on physical distance versus managerial distance, and then jumps to remote hires at a a startup. While I’m not sure of which paper Wilson is discussing, almost all of Nagappan’s work is done with Microsoft developers and products. As such, both have to be seen in the context of Microsoft’s deep and shared experience in shipping software. By definition, that shared experience doesn’t exist at a startup. And as to the managerial distance issue, it’s satirically discussed here. Assuming that his results generalize is a large jump, and one that I’m not sure I’d make.
I really enjoyed a conversation with Dave Birch for Consult Hyperion’s “Tomorrow’s Transactions” podcast series. The episode is here. We covered the New School, lessons learned from Zero-Knowledge Systems, and games for security and privacy.
I’m on episode 14 of the Risk Hose podcast, with co-blogger Alex.
Chris, Jay and Alex are joined by Adam Shostack and we dig into the topic of feedback loops within Information Security.
You should check it out!
Episode 14: Feedback Loops