Emergent Chaos

I'm pretty excited that an article, "Threat Modeling: Uncover Security Design Flaws Using the STRIDE Approach" is in the November MSDN magazine. The theme of the magazine is "Security Fundamentals." The article that I wrote with Shawn Hernan, Scott Lambert, and Tomasz Ostwald talks about how we threat model our products at Microsoft. I'm happy to be talking about my work, and look forward to doing more of it as the process and tools evolve.

Also in there at the conceptual level are "Secure Habits: 8 Simple Rules For Developing More Secure Code" by Michael Howard. Michael talks about important habits for ensuring that your software has security properties. In contrast, there's "Extending SDL: Documenting And Evaluating The Security Guarantees Of Your Apps" by Mark Pustilnik. Mark discusses the concept of treating security feature requirements like other feature requirements and making sure they're delivered in a way that's focused on solving real customer problems.

At a more code-oriented level, there are articles on Single Sign On, smart cards, and SQL security.

One of the cool things about writing for MSDN is they translate your article. So feel free to read "Descubra los errores en el diseño de la seguridad con el método STRIDE," "Démasquez les défauts de conception en matière de sécurité à l'aide de la méthode STRIDE," "Aufdecken von Fehlern im Sicherheitsentwurf mithilfe des STRIDE-Ansatzes," "Обнаружение недостатков безопасности при помощи STRIDE," "Descoberta de falhas de design de segurança usando a abordagem STRIDE," or "使用 STRIDE 方法发现安全设计缺陷." (You can read the other articles in any of those langaugages, too, but thats way more link wrangling than I want to do.)