The linked post is Tanya Janca advising on where (and how) you can learn threat modelling for yourself. What’s threat modelling?
… a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized.
See also: Matrin Fowler’s guide to threat modelling for developers.
Tanya Janca with an evergreen list of tips and notes on the ins and outs of securely, safely, and legally reporting vulns.
Tip: Do not demand or ask for money in exchange for the vulnerability. That is extortion, and generally illegal. Plus, it will start the conversation on the wrong foot.
Tanya Janca compares and contrasts quality bugs and security bugs, arguing that they’re quite different and should be treated differently. This logic resonates with me and she has a lot of insights to share along the way. I particularly enjoyed this bit:
You cannot have a high-quality product that is insecure; it is an oxymoron. If an application is fast, beautiful and does everything the client asked for, but someone breaks into the first day that it is released, I don’t think you will find anyone willing to call it a high-quality application.
A good read all the way through to the end. 👍
Tanya leads with this as a disclaimer “This article is for beginners in security or other IT folk, not experts.” — which means this is a 101 level post BUT is a highly important topic. Share as needed.
Passwords are awful … software security industry expects us to remember 100+ passwords, that are complex (variations of upper & lowercase, numbers and special characters), that are supposed to be changed every 3 months, with each one being unique. Obviously this is impossible for most people.
Tanya goes on to say…
If you work in an IT environment, you absolutely must have a password manager. I strongly suggest that anyone who uses a computer regularly and has multiple passwords to remember to get one, even if you don’t consider yourself tech savvy.
I fully agree. I also use 1Password and have done so for as long as I can possibly remember.
Tanya Janca’s new live video show about “Sloppy DevOps” sounds like a lot of fun:
A free online show dedicated to the art of implementing DevSecOps, includes free workshops, lessons and nerd-er-ific discussions!
