Software Security

Archive for May 2011


Threat modeling vocabulary

A few posts back, we began a series on Threat Modeling. As we began writing the second installment in this series, it occurred to me that I’m using a lot of threat modeling vocabulary. When I speak on threat modeling I always warn my audience that ambiguity exists in some of the (even fundamental or […]


Posted in Threat Modeling | Comments Off on Threat modeling vocabulary


When all you have is a hammer

We’ve probably all experienced organizations that rely principally on a single assessment technique (whether static analysis or dynamic analysis, manual or tool-based). Unfortunately, this is all too common among security practices. When this topic came up recently with the question (paraphrased), “Are there numbers that demonstrate the value of a security program making […]


Posted in Application Security, Dynamic Analysis (DAST), Static Analysis (SAST) | Comments Off on When all you have is a hammer