Wow, this is an old threat, but I don't remember anyone passing this link
at the time:

MS Threat Modeling Resource Center:
http://msdn.microsoft.com/security/securecode/threatmodeling/default.asp
x

and their free tool:
http://www.microsoft.com/downloads/details.aspx?familyid=62830f95-0e61-4
f87-88a6-e7c663444ac1&displaylang=en

As for OCTAVE, yes, we work with it a lot at my workplace.

I for one am not a fan of targeting and prioritization in this fashion
due to the experience that it simply doesn't work. A number of the
biggest holes I've found have been ones that would have been missed
following a model like OCTAVE. (referring to general pen testing here.)

What is your question here? Do we need an OCTAVE thread?

Arian

> -----Original Message-----
> From: D. Hohn [mailto:dmalloc (at) users.sourceforge (dot) net [email concealed]]
> Sent: Wednesday, May 19, 2004 12:48 AM
> To: Mark Curphey
> Cc: webappsec (at) securityfocus (dot) com [email concealed]
> Subject: Re: [BAD-DATE] Threat Modeling
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Mark Curphey wrote:
> | Does anyone have any experience with the OCTAVE threat modeling
> methodology | from CMU ?

[ reply ]