"Experiences" Threat Modeling at Microsoft

If there is one thing we can learn from the past, it is that we are doomed to repeat our failures if we ignore it.

The reciprocal is also true. If we reflect on our experiences properly, there is a lot we can learn from it.

In the world of designing secure code, this becomes more apparant as we see Microsoft's SDL process mature. Next year will hit the 10 year mark where threat modeling, as a formalized methodology, has been going on at Microsoft. In its infancy in 1999 only a few people at Microsoft were engaged in this. Now... every team is. And we can see the benefits of that when we reflect on the less critical bugs that have been reported in the last few years.

Today I cam across an interesting paper by Adam Shostack titled "Experiences Threat Modeling at Microsoft". Adam has ownership of the SDL Tool I mentioned earlier this month, and it was interesting to see his approach in explaining how Microsoft is focusing on threat modeling, and how the design is for normal developers, and NOT for security experts alone.

This is a critical point. Where in the past Microsoft has indicated it was important to do bainstorming sessions with a security expert in tow, now ownership of the model comes from the developers themselves. By designing tools that allow the architects, designers and developers to all know how to look at threats to their systems, everyone benefits. It's more cost effective. And it raises the bar as everyone thinks more critical about the security impacts of the code.

This is rather refreshing. And a good, quick read. So check out the paper.

Happy reading!