Threat Modeling - "Pen Testing" for your design

It is no secret that fixing bugs earlier saves a lot of time and money, helps also to meet schedule. Security bugs are no exception. What special about the security bugs is that they can be [and often are] introduced in very inital stages of app planning that is in architecture and design phase, phase when no single line of code was even written. For example, design can offer identity flow as a parameter in querystring or hidden field [why did they call it "hidden" in first place?...] - seen that many times. This is a major design security flaw that can lead to disaster like spoofed identites and elevation of privileges. How one can test for such bugs before actual coding started?

   The technique is called Threat Modeling which comprised of several straightforward steps such as collecting relevant information about the arch, technologies and data flow. Then mixing and matching all these it produces list of design phase security bugs that can be rated and according to this get fixed giving proper level of mitigation to the threats.

During upcoming TechEd we'll be giving great session by Akshay Aggarwal, who is Senior Security Technologist on MS ACE team. He was presenting this topic recently on RSA conference. Akshay will present the rationale behind the technique which can be easly applied by theoretically everyone without being Subject Matter Expert in security - cool, huh? Also he'll present the new tool MAS TAM that supports the process of threat modeling.

Check these for more info:

http://msdn.microsoft.com/library/en-us/dnpag2/html/tmwa.asp?frame=true

http://blogs.msdn.com/threatmodeling/default.aspx

http://msdn.microsoft.com/security/securecode/threatmodeling/acetm/

http://www.microsoft.com/downloads/details.aspx?familyid=aa5589bd-fb2c-40cf-aec5-dc4319b491dd&displaylang=en