Modeling Threats Part 3

23 November 2004
Jay Kimble

[WARNING! This is an archived post and as such there may be things broken/missing here.. you have been warned.]

So I owe you guys one more post. It's my description of the final phase of threat modeling. 

What I was taught was that measurement is a phase that you can skip (it's not THAT important), and from a security perspective I would agree.  But from a perspective of pleasing the managers above you, I would say that this is extremely important.

In the last article, I mentioned quantifying the vulnerability (so you can say “this is a 60 vulnerability”).  I forgot to mention one more thing.  You should note how much you think the fix (or the method of coding + testing in an appropriate manner, etc.) will cost.  You should also quantify the vulnerability after the fix.  You will probably not see a lot of change, but if you're stopping something like SQL injection, it will provide mitigations to a number of threats.  One thing you could do is take the cost versus the number of points dropped in a mitigation (multiplied by the number of threats it appears in), and get a nice little dollar-per-points ratio (which sometimes makes managers happy).

The other thing that measurement gives you (especially in the before picture) is a way to determine things about a threat.  “Should we worry about Denial of Service (DoS)?  It's going to cost a lot to mitigate, and while DoS would be a pain, it's not that big of a deal.”  It can also help you decide that maybe a new feature is way too risky.  Measurement helps the team make decisions.
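The cost-versus-points-dropped ratio described above, worked through in code as an added example (this is not code from the original post). Threat names, scores before and after each fix, and dollar figures are all constructed for illustration; the model simply sums the points a mitigation removes across every threat it touches, divides the estimated cost by that total, and ranks the fixes, treating a fix that drops no points as infinitely expensive per point.

```python
"""Added example (not from the original post): the measurement phase as a
cost-per-points-dropped ranking across several threats and mitigations.
All names, scores and dollar figures are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    score_before: int          # risk score before any fix (the post's "60 vulnerability")


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float                # estimated cost of coding + testing the fix
    score_after: Dict[str, int]  # threat name -> score once this fix is in place


def points_dropped(m: Mitigation, threats: Dict[str, Threat]) -> int:
    """Total risk points removed, summed over every threat the fix touches."""
    total = 0
    for threat_name, after in m.score_after.items():
        before = threats[threat_name].score_before
        total += max(before - after, 0)   # a fix never adds points in this model
    return total


def cost_per_point(m: Mitigation, threats: Dict[str, Threat]) -> float:
    """Dollars spent per risk point removed; a fix that removes nothing is unbounded."""
    dropped = points_dropped(m, threats)
    return m.cost / dropped if dropped else float("inf")


def rank_mitigations(mitigations: List[Mitigation],
                     threats: Dict[str, Threat]) -> List[Tuple[str, int, float]]:
    """Cheapest risk reduction first: (name, points dropped, cost per point)."""
    rows = [(m.name, points_dropped(m, threats), cost_per_point(m, threats))
            for m in mitigations]
    return sorted(rows, key=lambda r: r[2])


# Constructed sample data: four threats and four candidate fixes.
THREATS = {t.name: t for t in [
    Threat("SQL injection in login form", 60),
    Threat("SQL injection in search", 55),
    Threat("DoS on report endpoint", 30),
    Threat("Verbose error pages", 20),
]}

MITIGATIONS = [
    # One fix that covers two threats, as the post says SQL injection fixes do.
    Mitigation("Parameterized queries", 4000.0,
               {"SQL injection in login form": 10, "SQL injection in search": 10}),
    Mitigation("Rate limiting", 6000.0, {"DoS on report endpoint": 15}),
    Mitigation("Generic error pages", 500.0, {"Verbose error pages": 5}),
    Mitigation("Banner text change", 200.0, {"Verbose error pages": 20}),  # drops nothing
]

if __name__ == "__main__":
    for name, dropped, per_point in rank_mitigations(MITIGATIONS, THREATS):
        print(f"{name:24s} {dropped:4d} points  ${per_point:,.2f}/point")
```

Run as a script it prints the ranked table; the "Rate limiting" row is the kind of evidence behind a decision like the DoS one above, where a fix is expensive for the few points it removes.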

DonXML points out some VB vs. C# issues...

18 November 2004
Jay Kimble

First, if you don't regularly read Don's blog, go here (I'll wait for you.... <whistling />  Are you done yet?  No?  <whistling some="more" /> Now?  Good!)

First of all, great post Don!  You managed to point out the issue without bashing and actually got the right issue.  After I embraced VB.Net (meaning after I used it), I began to realize that MS had dumbed down the language in a couple places to protect the Jr. level VB programmer that is prevalent within the community.  The more I look at this stuff I really wish they had created 2 languages: VB.Net and what I like to call VB6.Net. 

VB6.Net would contain as many compatibilities between VB6 and the CLR as humanly possible, and VB.Net would break it all.  So a new user of the language could just skip the compatible form and learn pure VB.Net; an old school VB6 programmer could just pick up VB6.Net and be mostly compatible and very comfortable; and after VB6.Net programmers felt comfortable they could simply move on to the fully incompatible VB.Net (leaving the shackles of VB6 behind).

I really hate it when I find these places where MS has dumbed down the language.  BTW, I know about something that is happening to the VB in VS 2005 (someone slipped up and said something to me yesterday).  I won't say it here, but it really ticks me off that features of the IDE are only available in one language (this goes for both languages). 

I have used C# in the past to convert old C/C++ apps to .Net (OK, I started porting and saw that it should be fairly easy), so I have worked in both languages and feel that I can work in both languages (although I still prefer VB... I think Don prefers C#, BTW).

I know that a number of you are going to take this point and jump on it and say C# is superior.  In some points it is.  In some points it is NOT!  I think that's the ultimate reason for multiple languages (I don't mind that you can do different stuff with C# over VB and vice versa).  I do mind when the IDE provides C# or VB.Net a feature but doesn't provide it to the other language.

Much Sadness...

17 November 2004
Jay Kimble

[I know that I still owe all of you (and myself) one more post on Threat Modeling; I've been fighting comment spam a lot lately!  It seems every time I go to blog... I'm dealing with spam and run out of time to blog.]

Carl has corrected me.  How did I miss the links on the right!  Woohoo!  I can get my weekly supply of zaniness from Carl, Rory, and the rest of the team.  Go ahead and move on down to the blog mint....

I'm mourning the demise of something in my life -- Google Weirdos, Ask Rory, the Weird Wide Webb, etc. -- all the bits from Dot Net Rocks that have recently been moved to the new podcasting show “Mondays.”  Unfortunately I won't be listening.  The “why” is simple.  There is no way to simply download the WMA file without using an app that supports podcasting. 

[FYI, I listen to DNR at work where life is so locked down that I can't get to certain blogs (like Scott Hanselman's), and anything with the word “mp3“ in it is blocked by default.  They have become so intrusive that they have checked out every box on the network and are uninstalling apps that they don't know about.  They've already complained about RSS Bandit (which I removed), and I heard recently that they intend to remove FireFox from every machine... in light of all this, I have off lined my blogging to my personal laptop.]   To podcast, I would have to download and install another app that would eventually be uninstalled without my being able to say anything (after all it is their machine)... I could do this on my machine, but then I would have to transfer all my audio to my laptop.

I know that Rory has recently dealt with a bit of a battle with a few people over podcasting.  I have no problems with podcasting.  I just don't appreciate being forced to buy into it in order to listen, though.  I love you guys and love what you're doing.  Hopefully someday I'll be able to listen to Mondays.  I hope that someday you give me a way to get the audio without subscribing to an RSS feed.  Until then I'll have to listen to the bland, boring DNR.

After blog mint: QueryCommander goes open source with a new release!  Check it out here!  In case you don't remember that is the Query Analyzer replacement that offers some intellisense. 

This content spam is killing me!

12 November 2004
Jay Kimble

I'm about to take matters into my own hands. I'm so sick of these content spammers! I'm tempted to drift to the other side of the law. I understand why some people go rogue and start hacking spammers on the net. I'm really tempted to mount a DoS attack against some of these content spammers (DoS = Denial of Service... effectively I would shut them down). Maybe we could create a peer-to-peer service where we would all mount attacks against spammers like this (by committee of course). I'm just kidding, but this crap is getting old! With the stability of DotNetJunkies lately, plus the comment spam, I've considered moving my site elsewhere... I may do that yet, but something has to be done (since all I can do is waste time tracking back the IP and reporting the abuse... and as you know I recently saw that someone had the DNS hosted and there was no way to find them outside of having the French ISP give them up... I guess I could always try to hack a French company (just kidding again). I don't like that I don't have the power to really mitigate this problem much. (You guys aren't seeing it because it's happening on old posts.)

I'm moving to MS!

11 November 2004
Jay Kimble

After almost a week of being here in Seattle, I'm considering selling my home and moving here.  Don't worry Hugh (that would be my supervisor who reads my blog), I'm just joking.  Everything is free here in building 20.  Free soda, free ice cream snacks, free popcorn, free meals (I've yet to pay for a meal), free broadband, and free X-Box gaming.  I'm thinking of moving my entire family to Microsoft.  We'll have to become nocturnal, but I think we can do that.

You might think that I'm considering applying for a job in Redmond.  But why do that?  I just need a blue badge (MS employee badge, BTW).  So how do I get one without actually acquiring a job?  Last night I was hoping to hook up with Rory (he's staying in the same hotel).  I was realizing that, me being a big guy, I could probably take him... the problem is that he's too well known and he would be missed (he probably also knows some kind of martial arts crap and could take me out in 5 seconds flat)...

so I guess I'll either have to someday join the MS Borg or simply dream of the unlimited amounts of free stuff that is available...

BTW, sorry we couldn't hook up, Rory; I would have liked chatting some more.  You remind me of a combination of 2 people I know (one is about a year older than you and he has shaped about everything I know about HTML/Web programming; the other is also a programmer who always had a plethora of the craziest ideas I ever heard, although the hallucinogens that he inhales probably help him with the ideas).