April 07, 2004

Windows 2003 Server Security Review

A few people at Microsoft recently launched a blog called Channel 9 to talk about how Microsoft is building their products. One post that will be interesting to both readers of this blog is an interview with Michael Howard discussing the concept of threat modeling and how threat modeling can influence design and functionality decisions. He needs to sharpen his story, but the concept of threat modeling is new to most of the software development world. One interesting data point - the Windows 2003 Server security review team consisted of 40 people.

Two great lines of questioning for tech customers:

1. How many people are on the security review team for this product? How many of them work directly for you and how many of them were outside consultants?

2. Could you walk me through the threat model you used to design this product?

How would your sales team do with those two questions? Scary.

Posted by Abner on April 7, 2004 08:10 PM