A few people at Microsoft recently launched a blog called Channel 9 to talk about how Microsoft is building their products. One post that will be interesting to both readers of this blog is an interview with Michael Howard discussing the concept of threat modeling and how threat modeling can influence design and functionality decisions. He needs to sharpen his story, but the concept of threat modeling is new to most of the software development world. One interesting data point - the Windows 2003 Server security review team consisted of 40 people.
Two great lines of questioning for tech customers:
1. How many people are on the security review team for this product? How many of them work directly for you and how many of them were outside consultants?
2. Could you walk me through the threat model you used to design this product?
How would your sales team do with those two questions? Scary.
Another software company's claims of quality and security have been debunked by a part-time security researcher (he's a biologist at Harvard).
Instead of dealing with the problem by fixing the vulnerability or providing a technical response to the claim (as most large, grown-up software companies would), Tegam has decided to sue the offending researcher.
Observe as this incident turns into another textbook case of turning a software flaw into a bona fide PR disaster.