I have been silent for the last month or so, but I am hoping to get back into writing again. July was an eventful month for me. I turned 38 (July 10), took a family vacation (first time to be able to do so in at least 6 years!) driving across much of the USA in an RV, and I ended a contract early because of feeling underutilized and started a new one that is much more in line with my interests. I may write more later in general about how I determine what type of work will bring the most enjoyment.
In particular, I am working on architecting, securing, and helping to develop a large ASP.NET 2.0 application -- this feels more like what I enjoy. Earlier this week I found a reference (found by way of Dominick Baier) to the recently updated ASP.NET 2.0 Security Reference Implementation developed by the Patterns and Practices group. The reference implementation takes the Pet Shop 4 example and applies the PAG security guidance techniques. So far, in my review and analysis, I like what is presented and highly recommend architects and developers review it as well. There are a couple of issues pointed out here and here, but otherwise this is great stuff.
Following up on an earlier post, the RTM of the Threat Analysis and Modeling Tool v. 2.0 has been released (by the ACE Team). You can read more about it here (on the Threat Modeling blog). In particular, these are the main features of the package:
- TreeView Navigation with visibility to all nodes at all times
- Wizard based threat model creation
- Default Attack library with descriptive countermeasure guidance
- Automatic Threats and Use Cases generation
- Consolidated Call Flow (System Flow), Attack Surface, Threat Tree are some of the few visualizations available, which can all be exported to
- Exportable Analytics and Reports to HTML
- Import v1.0 Threat Model (models created using Torpedo v1)
- Export countermeasures and attack test cases to Visual Studio Team Foundation Server (TFS)
- Import SDM Deployment Reports from VSTA
- Copy Paste and Drag-&-Drop features
- Enhanced Find Feature
- Video Tutorials
I have been using the tool and I really like it. I plan on using it for a couple of upcoming projects and I encourage you to take a look.