May 17, 2005
I haven't written much about threat modeling yet, but believe me I will. I'm just waiting until I finish writing up my talk, which I was sorely tempted to turn into an hour-long exploration of threat modeling instead of what I promised the conference planners. I mention this now because the Microsoft Patterns and Practices group has released a collection of articles on Threat Modeling Web Applications, well worth a read.
A lot of the best resources on threat modeling are coming out of Microsoft, including a chapter in Michael Howard and David LeBlanc's excellent second edition of Writing Secure Code, a chapter in Threats and Countermeasures, and of course to cap the bunch, Frank Swiderski and Window Snyder's comprehensive book, Threat Modeling. You'll find more at del.icio.us.