March 14th, 2008, 10:52 AM
Anyone here have experience with STRIDE or OCTAVE? I'm fitting together a threat modeling process and I'm interested in hearing about others' experiences in this area... for instance what timeframes this process takes and what kinds of deliverables come from it (if any)...
Or whatever your company might do in terms of security process or change control...
March 14th, 2008, 03:10 PM
We used the OCTAVE Method, geared for large organizations. I liked it because it was based on risk, rather than static rules. Diverse business units make static policies and approaches less than useful, so the risk-based approach really helped out because risk is a common element across all business lines. That said, the deliverable that came from OCTAVE was a well-structured and planned approach on solving our HIPAA initiatives. CERT did produce something useful in this package because this package focuses on *what* has to be done but does not limit you on how to accomplish the work output.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden