Involve your team members when you do your threat modeling.

Most of the companies I worked for or know about have a bizarre threat modeling process. They count on the architect or the most knowledgeable person to do the threat modeling. It’s defined as a one-person job!

If your goal is simply to produce it, because it’s one of the required artifacts for your service to go to production or any other stage, that may be the right approach. But this is no threat modeling; it’s a false sense of security. You invite harmful attempts against your system because you have put all the eggs in one basket.

It’s the exact opposite of the goal of a threat modeling session.

Involve your team members when you do your threat modeling.

Every person in your team has a unique perspective and a way of thinking about possible threats against any system. 

Every person has a different experience compared to the others. 

Every person has different emotions and morale. 

All of those qualities play a critical role in the threat modeling process.

Let me give you an example:

I started a fun and useful exercise, explaining the threat modeling goal by bringing people together in front of a virtual whiteboard and doing threat modeling against a beer tap infrastructure.

The challenge

We have a yard with a few doors to enter it. We also have the beer tap, a pressure system, key storage, and some power controls. We have two boundaries to protect.

The team members were encouraged to “go wild” and think, individually and for just 7 minutes, about all the possible threats they could see against the infrastructure.

Then I asked them to put virtual “sticky” notes near the components that could be threatened and discuss the findings as a team.

I did that with six groups from different geo-locations, and every time, I received different results. 90% of the threats were common, but 10% of them differed from group to group. This is how you make your modeling better.

To compare, I asked a few people to do this exercise alone for the same time, and the difference I saw was that the wisdom of the crowd identified 40% more threats than a single individual. If this is not hard proof, what is?
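The exercise above is easy to run but hard to compare without a little bookkeeping. The script below is an added example, not part of the original post: it merges each participant’s virtual sticky notes (component, threat), reports which components nobody touched, and computes the group’s gain over the best single participant. Participant names, threat texts and the component list are constructed for illustration, not the workshop’s actual findings.

```python
"""Aggregate sticky notes from a whiteboard threat modeling session."""
from collections import Counter

# Components of the beer tap infrastructure from the exercise description.
COMPONENTS = {"yard doors", "beer tap", "pressure system",
              "key storage", "power controls"}

# Constructed sample: one sticky note = (component, threat); each
# participant's notes are a set. Threat texts are hypothetical.
GROUP = {
    "alice": {("yard doors", "door left unlocked"),
              ("key storage", "keys copied"),
              ("beer tap", "tap left open")},
    "bob":   {("yard doors", "door left unlocked"),
              ("pressure system", "keg over-pressurised"),
              ("beer tap", "tap left open")},
    "carol": {("yard doors", "door left unlocked"),
              ("key storage", "keys copied"),
              ("pressure system", "gauge tampered")},
}


def merge_notes(notes_by_person):
    """Union of all sticky notes, counting how many people raised each."""
    counts = Counter()
    for notes in notes_by_person.values():
        counts.update(notes)
    return counts


def untouched_components(merged, components=COMPONENTS):
    """Components with no note at all: a gap to discuss, not proof of safety."""
    touched = {component for component, _ in merged}
    return sorted(components - touched)


def split_common_unique(merged, n_people):
    """Threats everyone raised vs. threats only one person raised."""
    common = {t for t, c in merged.items() if c == n_people}
    unique = {t for t, c in merged.items() if c == 1}
    return common, unique


def gain_over_best_individual(notes_by_person):
    """Fraction of extra threats the group found vs. its best single member."""
    merged = merge_notes(notes_by_person)
    best_single = max(len(notes) for notes in notes_by_person.values())
    return (len(merged) - best_single) / best_single


if __name__ == "__main__":
    merged = merge_notes(GROUP)
    print("untouched:", untouched_components(merged))
    print("common/unique:", split_common_unique(merged, len(GROUP)))
    print("gain over best individual:", gain_over_best_individual(GROUP))
```

The “unique” set is where the 10% that differs from group to group shows up; reviewing it as a team is the discussion step of the exercise.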

Involve your team members when you do your threat modeling. It’s the first step in your journey towards creating slightly more secure products.

The SEO Is Not Enough.

It’s not a secret: I am one of the few guys left on the planet who do not believe in the magic of SEO.

I believe SEO methods are good, but they must be combined with user prediction models and the use of user behavior for better content serving.

Why am I writing this? Well, I think it’s time now to talk about it. I am sure a first position on Google or other search machines is something good, but is this what the user is actually looking for? In most cases, probably yes, but this will change soon.

For example: I needed a Firefox addon today for taking screenshots for one of my projects. Of course I typed “addon screenshot” into Google, and of course it returned all the SEO-ized results for …Chrome, not seeing that I am using Firefox and most probably don’t need results for Chrome.

I think search machines must be smarter than that. I don’t want to see results that others, SEO ninjas for example, want me to see. I want the results that will give me the answer I am looking for. I don’t have time to scroll and browse.

This opens another story, about privacy and about giving the companies your preferences, but I do think this can be done in a way to make everybody happy.

What say you?

No, Facebook, I don’t want my 5$ back, but I want something from you.

Via different channels I got the same question:

Did you get your 5 dollars back?

It’s not a secret that I got this question as well:

Did you really delete the data as requested? Can you sell it to me … (can you share it with me?)

Well, the truth is, I don’t want my 5$ back, especially not from Facebook.

And yes, I deleted the data… but maybe, just maybe, I’ve deleted the data the same way Facebook deletes users’ data when they want to delete their account…

What do I want?

I want Facebook to start removing the entire user data after pressing “Delete my account”. Is this so much to ask? This is fair, isn’t it? Can we achieve that as a community?