April 07, 2004
Windows 2003 Server Security Review
A few people at Microsoft recently launched a blog called Channel 9 to talk about how Microsoft builds its products. One post that will be interesting to both readers of this blog is an interview with Michael Howard discussing the concept of threat modeling and how threat modeling can influence design and functionality decisions. He needs to sharpen his story, but the concept of threat modeling is new to most of the software development world. One interesting data point: the Windows 2003 Server security review team consisted of 40 people.
Two great lines of questioning for tech customers:
1. How many people are on the security review team for this product? How many of them work directly for you and how many of them were outside consultants?
2. Could you walk me through the threat model you used to design this product?
How would your sales team do with those two questions? Scary.
Posted by Abner on April 7, 2004 08:10 PM