(Earlier today I was asked "What are the most compelling use cases for TeamMentor" and here is my answer:)

There are a couple of pages on Security Innovation's website that cover some of the common use cases: see here and here.

I think the main use case is answering developers' and testers' questions.

I like to think of the workflow as "Don't copy and paste from Google, copy and paste from TeamMentor".

For example, take a look at the .NET 4.0 library; if you filter by 'Code Example', you will see a number of very specific and detailed articles.

For example:

  • Encrypt ViewState
  • Encrypt And Sign a Cookie
  • Use Parameterized Queries for Secure Database Access
  • Perform XML Schema Validation of a Web Service Payload

As another example, let's say that you wanted to look at some Security Guidelines.

These are more 'high level' articles which tend to cover 'best practices' (by the way, note how most of the articles follow a 'Why, When, How' structure):

  • Do Not Rely on Client-side Validation
  • Encrypt All Sensitive Data
  • Assign a New Session ID on Reauthentication

Another good example is 'How to Test ASP.NET apps', which is also an area where we have a number of specific articles:

For example:

  • How to Test for Race Condition Vulnerabilities
  • How to Test for Deserialization of Untrusted Data Vulnerabilities
  • How to Test for Double Encoding Vulnerabilities

Finally, if you are looking for something specific (let's say articles on 'Threat Modeling'), you can search for it:

There you will find a number of nice articles such as:

  • Threat Models Are Created
  • Security Activities Are Integrated into the Development Lifecycle
  • Create a Threat Model (this is a big one)
  • Perform a Security Code Review (another big one)

In terms of making the content easier to consume, you can also create links to what we call 'Direct Reading views', which are basically a set of TM articles that exist on a specific view (or filter). For example, opening an article this way will look like this (note that there is no library tree and there are no filters):

The core idea is that instead of sending long emails or massive Word documents to developers/testers (when they ask 'How do I do XYZ?'), we just send TM links.

The extra value on customers' TM instances is that the content can be edited and customized online by authorized users, so that custom content (for that company, product or application) is created from scratch or based on existing articles. This goes back to the "Don't copy and paste from Google, copy and paste from TeamMentor" idea, where developers have access to very targeted and relevant guidance for the application they are working on.

Note: a number of TM articles were based on the original content published by 'Microsoft patterns & practices guidance' (SI was involved in the creation of that content, and MS allowed SI to use it as long as the source material was credited). All other libraries (Java, PHP, iOS, etc.) are made up of content created by SI SMEs.

Did this answer your question?

Does it make sense to use TM this way?
