♫ Good Morning To All ♫
Today marks the end of this little blog's first orbit around the sun. It was born shortly after my manager showed me this MSDN article, titled Security Briefs: A Conversation About Threat Modeling:
Written as a play, the piece is actually an "amalgam" of various computer-security-related conversations that its author Michael Howard, one of Microsoft's Principal Security Program Managers, has had with (non-security-specialist) software developers over many years.
The article struck me as interesting, easy on the eye and brain, even a little amusing. We agreed it might be possible to use such a light-hearted approach to help and encourage the introduction of the subject of computer security into everyday conversation at work. Or, if you'll forgive a brief overstatement: to use humour as a tool to introduce Microsoft's Security Development Lifecycle (SDL) into our company, by the medium of blog.
Taking a cue from Raymond Chen's pattern of alternating technical and more personal, nontechnical items, my initial target was to produce about 8 articles in total each month, half of these technical, and half not. Further, the technical ones would be split into half security-related, and half not. Well, one year later I can honestly say that I've continued to hit this target reliably every month. That's a total of eleven months, including the 62-day annual marathon that is Decembuary...
Every article is written for an audience of one. The security stories are for my manager: my first, and still my most faithful, RSS subscriber. By extension, they're also intended for colleagues in Development and related areas. The remaining technical articles might be the result of a particular question or conversation I've had with someone, and that person becomes the perceived audience. Finally, the nontechnical stuff, being literally whatever is on my mind at any given moment, has an intended readership that is effectively random.
Has the experiment succeeded? Well, I do get comments about certain articles, and frequently enough to encourage me to keep going; but to be honest, the technical items appear to get the least attention, and the security-related items, least of all. Still, that suggests that, if nothing else, some colleagues are being drawn to read the blog in the first place, and so are perhaps being brought a little closer to those security-related stories than they might otherwise have been. And in any case, it is still an ongoing experiment...
Also, some work has been done towards consolidating a set of security coding standards, guidelines, best practices and related patterns, together with proposals for threat modelling, all based on the introduction of a Security Development Lifecycle into our company. These deliverables have come out of the research required for past, security-related blog articles, so in that sense, the experiment might be regarded as successful; at least, once these proposals are in a form suitable for internal publication.
And that's really all there is to say about that. In closing, here's an appropriately nostalgic link to the original, introductory article: