Thursday 20 October 2011

Pick 'n' Mix Mitigations

I was just perusing the July/August 2011 IEEE Security & Privacy magazine and I came across an interesting article "Developer-Driven Threat Modeling: Lessons Learned in the Trenches" (pay-walled unless you are a member of the IEEE) by Danny Dhillon, that talks about EMC's experience implementing a threat modeling strategy in their organisation.

What I found particularly interesting was the section on how they mitigate risks that have been identified by their threat models.  From the article:

"The software security field has matured over the past decade, and a wealth of information on how to mitigate many common issues is widely available—but the quality and consistency of that information varies."

And in reference to the approach EMC came up with:

"The mitigation strategies include changes that developers can make during the design phase as well as downstream coding, documentation, and maintenance considerations. Where appropriate, the guidance includes sample code and references to recommended toolkits and frameworks. It also includes alternative mitigations along with their implications and when they should or shouldn’t be considered."

From the brief description of their approach it seems to me that it nicely complements the MMM ideas I have been espousing, which fundamentally are based on the same concerns (the immature mitigations that are readily available on the web).

They definitely do not have a "one size fits all" approach to their mitigations, and you could almost refer to it as Pick 'n' Mix (albeit a bit flippantly). The point (and I'm reading between the lines here) is that they have different solutions for different situations, but solutions tailored to their needs, and the solutions are not just technical but address a range of activities from the development life-cycle.

It's good to see a company taking a well-rounded approach to their mitigation strategies; let's hope more companies can learn from them.
