Monday, March 30, 2009

The 100th post: Philosophy feeding action

As I was writing this I realized that this is my 100th post, and it therefore seemed somehow significant. With some interesting personal news to report it also provides me with the opportunity to declare a current philosophical mission statement:
No matter the activity, be it researching, advising on, and disclosing ailing web applications, tracking malware attributes, or researching and documenting useful tools and methodology for incident responders and security professionals, I do it for one reason.
I simply believe it is our inherent responsibility to try to thwart miscreants in any way possible. There are too many of them, and too few of us. Thus, the more we disclose and fix, the better we understand maliciousness, the stronger our implementations and investigations, the more secure we may become.

Two recent developments speak directly to this philosophy:
1) The Solutions Accelerators group at Microsoft, my employer, asked me to write the IT Infrastructure Threat Modeling Guide, born of an ISSA Journal toolsmith article I'd written on PTA (Practical Threat Analysis).
2) I was invited to join the APWG Internet Policy Committee, born of conversations with Dave Piscitello regarding the Anatomy of an XSS Attack.

First, with regard to the IT Infrastructure Threat Modeling Guide: this guide takes the SDL approach to threat modeling and applies it specifically to infrastructure. When the beta goes live this Friday, you can register and provide feedback here.
One can consider threats to IT infrastructure from four specific perspectives:
    1) Re-architect and re-implement to eliminate them.
    2) Apply well understood mitigations.
    3) Invent new mitigations.
    4) Accept the risk.
These are entirely viable perspectives, but the practice of threat modeling your infrastructure must precede these considerations.
To that end, the IT Infrastructure Threat Modeling Guide is designed to help IT professionals accomplish the following:
  • Identify threats that could affect their organizations’ IT infrastructures.
  • Discover and mitigate design and implementation issues that could put IT infrastructures at risk.
  • Prioritize budget and planning efforts to address the most significant threats.
  • Conduct security efforts for both new and existing IT infrastructure components in a more proactive and cost-effective manner.
Second, with regard to the APWG Internet Policy Committee: my intended focus here is to participate in guidance to help harden web services in defense against the dark arts... cybercrime, phishing, fraud, etc.
To get a better sense of what the APWG IPC is all about, see Co-Chair Laura Mather's series on online fraud here.

As pertinent to either of these recent developments, I invite feedback and participation. Please feel free to contact me via comments here or email.
This work, this blog, my philosophy, my mission, are all carried out with you in mind, dear reader.
I thank you for your support and readership, and I look forward to the next 100 posts.
