Published by Allison Pitts. Modified over 9 years ago.
Make Your Mark.
Rocky Heckman, Senior Security Technologist
Enterprise Threat Modeling with TAMe (SEC307)
Related Sessions, HOLs, Certifications etc.
SEC08 HOL - Microsoft Threat Analysis and Modeling: Managing Risk in Your Applications
Agenda: Threat Modeling Introduction; Enterprise Threat Modeling with TAMe
TAM v1 (2004); TAM v2 (2006); TAM Enterprise (2007)
SDLC: Envision, Design, Develop, Test, Release
SDL-IT: App Entry / Risk Assessment, Threat Modeling, Internal Review, Pre-Prod Assessment, Post-Prod Assessment
Application Context; Threats; Attacks; Vulnerabilities; Countermeasures; Application Team Expertise; Security Team Expertise
Threat Analysis & Modeling v2 Demo
Agenda: Threat Modeling Introduction; Enterprise Threat Modeling with TAMe
Enterprise Edition
Security Knowledge
Development Team 1, Development Team 2, Development Team 3, Development Team 4, … Development Team n
Regulations: SOX, PCI, HIPAA, etc.
Corporate Policies: Confidentiality & Proprietary Information, Information Security, Privacy, etc.
Standards: Information Classification & Handling, Identity Management, LOB Application, etc.
Action Items: Input Validation, Exception Handling, Output Encoding (AntiXSS), etc.
Disconnect
SDL-IT & Enterprise Edition
SDLC: Envision, Design, Develop, Test, Release
SDL-IT: App Entry / Risk Assessment, Threat Modeling, Internal Review, Pre-Prod Assessment, Post-Prod Assessment
Application: Roles, Components, Data
Hosting, Faces, …; Type, Technology, …; Handling, Classification, …; Authentication, Authorization, …
CTL (Task Items); Attacks / Implications; Standards; Defends Against; Complies With; Actionable Items; Policy; Security Knowledge
If application handles PII and is externally facing:
Utilize SSL
Utilize 128 AES Encryption
Display privacy policy
Threat Analysis & Modeling Enterprise Edition Demo
Resources
TAM Threat Modeling Blog: http://blogs.msdn.com/threatmodeling/
Application Threat Modeling: http://msdn2.microsoft.com/en-us/security/aa570413.aspx
TAM 2.1.2 Download: http://www.microsoft.com/downloads/details.aspx?familyid=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
Threat Modeling Tutorials: http://msdn2.microsoft.com/en-us/security/aa570414.aspx
Evaluation Forms
Questions
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.