-
Threat Modeling
Anyone here have experience with STRIDE or OCTAVE? I'm fitting together a threat modeling process and I'm interested in hearing about others' experiences in this area... for instance, what timeframes this process takes and what kinds of deliverables come from it (if any)...
Or whatever your company might do in terms of security process or change control...
thanks :drink:
-
We used the OCTAVE Method, geared for large organizations. I liked it because it was based on risk, rather than static rules. Diverse business units make static policies and approaches less than useful, so the risk-based approach really helped out because risk is a common element across all business lines. That said, the deliverable that came from OCTAVE was a well-structured and planned approach to solving our HIPAA initiatives. CERT did produce something useful in this package because this package focuses on *what* has to be done but does not limit you on how to accomplish the work output.
Anyway, FWIW.
--TH13