In this forum, you’ll read my ruminations on the computer security industry, in which I work.
I’ll share anecdotes, strategies, and technical directions. Perhaps through your comments you’ll point me in a better direction? Alternatively, your practice may shift for the better because of something I’ve been working through? Let me know what you think.
My Security Work
I consult both independently and through several security consultancies, providing strategic technical leadership for software security with a focus on secure design, threat modelling, and risk rating. I have held numerous technical leadership positions in security and, previously, in software development. These leadership positions include Director of Security Architecture, as well as Intel’s version of Distinguished Engineer, “Principal Engineer”. Please see my CV at LinkedIn for more detail.
My areas of special interest in information security:
- Developer-centric software security
- Threat Modelling, threat models, and secure design practices
- The Practice of Security Architecture as a discipline (always!)
- Software security (often also called application security)
- Secure Development Lifecycles (SDL or S-SDLC)
- Trust Models
- Risk Modeling and risk rating systems
- Vulnerability management
Standard disclaimer applies in this blog. I speak for myself and no one else.
Hi Brook, I appreciated your collection of thoughts on threat modeling, and noted your involvement with the Threat Modeling Manifesto. Do you have any thoughts or comments on probabilistic threat modeling and the automated generation of attack graphs through the application of languages like MAL and Datalog?