P&P Day One: Architecting for Security

The sixth scheduled talk was given by Shawn Veney on Architecting for Security. This was by far the most entertaining talk of the day. Shawn is ex-military, and while he apologized for the speaking habits that history had instilled in him, it was a great talk. His euphemisms were funny and well placed. His descriptions of chasing developers around with bamboo swords were great.

His talk was on getting security into your life cycle. Even if you can just get 4 hours on the project plan the first few times you try to work this in, it will help. Whatever threat modeling you can do in those four hours can then start to yield metrics about how much cost you may have prevented down the line by finding these holes up front. The more you prove you are getting value add out of these security sessions and threat modeling, the more time the project *** (my term, not his) will start to give you on later projects.

Resources:

Overall, good stuff.