New MS Patterns & Practices Papers and TDD/Agile Security Woes
Two new, to me anyway, releases from Microsoft's patterns & practices group:
The Threat Modeling guide is new this month and testing has been out since January '05 apparently. The TAB I found to be an interesting document. I use to be enthrawled by the DAAB, but that has since subsided. I'll probably review this one in more detail, just because I feel the Application Blocks are not going to go away - which, should not be infered as a bad thing.
The authors and contributors of both mention Agile methodologies (funny, as today I was pondering how threat modeling and such could/should/would be approached by an Agile team). While the threat modeling document, I feel, mearly mentioned Agile methodologies - plugging MSF Agile, I might add - and did not really consider how it might be incorporated.
While I'm starting to favor less up-front, big design more and more, I have trouble ignoring the importance of threat modeling and security considerations in developing applications. Agilers, if I may coin the term, I feel, focus more on getting the immediate feedback and less on design. Great. But what happens now that you have all this wonderfully unit and acceptance tested software that, since it is now so open for extension yet closed for modification, risks having malicious code injected into it? Playing devil's advocate, I mean, everything's just an interface, right?
Maybe I'm over-simplifying things, but I don't think that I'm all that far off. It would be great to know if anyone else has thought about these aspects and to know what their actions have been to combat them...
The Threat Modeling guide is new this month and testing has been out since January '05 apparently. The TAB I found to be an interesting document. I use to be enthrawled by the DAAB, but that has since subsided. I'll probably review this one in more detail, just because I feel the Application Blocks are not going to go away - which, should not be infered as a bad thing.
The authors and contributors of both mention Agile methodologies (funny, as today I was pondering how threat modeling and such could/should/would be approached by an Agile team). While the threat modeling document, I feel, mearly mentioned Agile methodologies - plugging MSF Agile, I might add - and did not really consider how it might be incorporated.
While I'm starting to favor less up-front, big design more and more, I have trouble ignoring the importance of threat modeling and security considerations in developing applications. Agilers, if I may coin the term, I feel, focus more on getting the immediate feedback and less on design. Great. But what happens now that you have all this wonderfully unit and acceptance tested software that, since it is now so open for extension yet closed for modification, risks having malicious code injected into it? Playing devil's advocate, I mean, everything's just an interface, right?
Maybe I'm over-simplifying things, but I don't think that I'm all that far off. It would be great to know if anyone else has thought about these aspects and to know what their actions have been to combat them...
posted by Harris at
9:38 PM
0 Comments:
Post a Comment
<< Home