So, my dear readers, imagine how amazed I was to find myself being truly inspired by my CEO,  for the first time in my working life! Philippe’s “no-B.S.” approach definitely works for me. I listened to his speech at a company meeting last week and – I am serious! – that was the most interesting, visionary AND inspiring speech that I’ve heard in a long time. It was clear what we’ve been doing, what worked, what didn’t and what we need to be doing and why it will work.

I already learned more than a few things from him just by listening to him  speak or conduct a meeting (or by watching him beat up a job candidate…). For example,  one CAN be “positive, but not marketing-ish,” even if situation is difficult. If one has an issue, one has to face it with no sugarcoating rather than ’play’ positive and pretend the issue is not there. One can have BOTH a driving vision AND be attentive to customers. One CAN release something when it is ready, not a year before :-) Etc, etc.

Finally, while some choose to lay people off, we at Qualys  ARE HIRING!  Come join us and help build the SaaS security platform that actually works! Specifically, we are looking for TAMs (kind like an SE, but better :-)), PMs and a lot of engineers.

· … someone asks about your weekend plans and your answer consists of a list of Pri ones, twos, and threes.

· … you’ve ever ended a relationship using a PowerPoint presentation."

(more)

I've been meaning to talk more about what I actually do, which is help the teams within Microsoft who are threat modeling (for our boxed software) to do their jobs better.  Better means faster, cheaper or more effectively.  There are good reasons to optimize for different points on that spectrum (of better/faster/cheaper) at different times in different products.   One of the things that I've learned is that we ask a lot of developers, testers, and PMs here.  They all have some exposure to security, but terms that I've been using for years are often new to them.

Larry Osterman is a longtime MS veteran, currently working in Windows audio.  He's been a threat modeling advocate for years, and has been blogging a lot about our new processes, and describes in great detail the STRIDE per element process.   His recent posts are "Threat Modeling, Once Again," "Threat modeling again. Drawing the diagram," "Threat Modeling Again: STRIDE," "Threat modeling again, STRIDE mitigations," "Threat modeling again, what does STRIDE have to do with threat modeling," "Threat modeling again, STRIDE per element," "Threat modeling again, threat modeling playsound."

I wanted to chime in and offer up this handy chart that we use.  It's part of how we teach people to go from a diagram to a set of threats.  We used to ask them to brainstorm, and have discovered that that works a lot better with some structure.

Property	Threat	Definition	Example
Authentication	Spoofing	Impersonating something or someone else.	Pretending to be any of billg, microsoft.com or ntdll.dll
Integrity	Tampering	Modifying data or code	Modifying a DLL on disk or DVD, or a packet as it traverses the LAN.
Non-repudiation	Repudiation	Claiming to have not performed an action.	“I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”
Confidentiality	Information Disclosure	Exposing information to someone not authorized to see it	Allowing someone to read the Windows source code; publishing a list of customers to a web site.
Availability	Denial of Service	Deny or degrade service to users	Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.
Authorization	Elevation of Privilege	Gain capabilities without proper authorization	Allowing a remote internet user to run commands is the classic example, but going from a limited user to admin is also EoP.

[Update: fixed the table so it displays all four columns.]