Threat Modeling: Designing for Security

Book Description

Adam Shostack is responsible for security development lifecycle threat modeling at Microsoft and is one of a handful of threat modeling experts in the world. Now he is sharing his considerable expertise in this unique book. With pages of specific, actionable advice, he details how to build better security into the design of systems, software, or services from the outset. You'll explore various threat modeling approaches, find out how to test your designs against threats, and learn effective ways to address threats that have been validated at Microsoft and other top companies.

Systems security managers, you'll find tools and a framework for structured thinking about what can go wrong. Software developers, you'll appreciate the jargon-free and accessible introduction to this essential skill. Security professionals, you'll learn to discern changing threats and discover the easiest ways to adopt a structured approach to threat modeling.

  • Provides a unique how-to for security and software developers who need to design secure products and systems and test their designs

  • Explains how to threat model and explores various threat modeling approaches, such as asset-centric, attacker-centric and software-centric

  • Provides effective approaches and techniques that have been proven at Microsoft and elsewhere

  • Offers actionable how-to advice not tied to any specific software, operating system, or programming language

  • Authored by a Microsoft professional who is one of the most prominent threat modeling experts in the world

  • As more software is delivered on the Internet or operates on Internet-connected devices, the design of secure software is absolutely critical. Make sure you're ready with Threat Modeling: Designing for Security.

    Table of Contents

    1. Cover
    2. Part I: Getting Started
      1. Chapter 1: Dive In and Threat Model!
        1. Learning to Threat Model
        2. Threat Modeling on Your Own
        3. Checklists for Diving In and Threat Modeling
        4. Summary
      2. Chapter 2: Strategies for Threat Modeling
        1. “What's Your Threat Model?”
        2. Brainstorming Your Threats
        3. Structured Approaches to Threat Modeling
        4. Models of Software
        5. Summary
    3. Part II: Finding Threats
      1. Chapter 3: STRIDE
        1. Understanding STRIDE and Why It's Useful
        2. Spoofing Threats
        3. Tampering Threats
        4. Repudiation Threats
        5. Information Disclosure Threats
        6. Denial-of-Service Threats
        7. Elevation of Privilege Threats
        8. Extended Example: STRIDE Threats against Acme-DB
        9. STRIDE Variants
        10. Exit Criteria
        11. Summary
      2. Chapter 4: Attack Trees
        1. Working with Attack Trees
        2. Representing a Tree
        3. Example Attack Tree
        4. Real Attack Trees
        5. Perspective on Attack Trees
        6. Summary
      3. Chapter 5: Attack Libraries
        1. Properties of Attack Libraries
        2. CAPEC
        3. OWASP Top Ten
        4. Summary
      4. Chapter 6: Privacy Tools
        1. Solove's Taxonomy of Privacy
        2. Privacy Considerations for Internet Protocols
        3. Privacy Impact Assessments (PIA)
        4. The Nymity Slider and the Privacy Ratchet
        5. Contextual Integrity
        6. LINDDUN
        7. Summary
    4. Part III: Managing and Addressing Threats
      1. Chapter 7: Processing and Managing Threats
        1. Starting the Threat Modeling Project
        2. Digging Deeper into Mitigations
        3. Tracking with Tables and Lists
        4. Scenario-Specific Elements of Threat Modeling
        5. Summary
      2. Chapter 8: Defensive Tactics and Technologies
        1. Tactics and Technologies for Mitigating Threats
        2. Addressing Threats with Patterns
        3. Mitigating Privacy Threats
        4. Summary
      3. Chapter 9: Trade-Offs When Addressing Threats
        1. Classic Strategies for Risk Management
        2. Selecting Mitigations for Risk Management
        3. Threat-Specific Prioritization Approaches
        4. Mitigation via Risk Acceptance
        5. Arms Races in Mitigation Strategies
        6. Summary
      4. Chapter 10: Validating That Threats Are Addressed
        1. Testing Threat Mitigations
        2. Checking Code You Acquire
        3. QA'ing Threat Modeling
        4. Process Aspects of Addressing Threats
        5. Tables and Lists
        6. Summary
      5. Chapter 11: Threat Modeling Tools
        1. Generally Useful Tools
        2. Open-Source Tools
        3. Commercial Tools
        4. Tools That Don't Exist Yet
        5. Summary
    5. Part IV: Threat Modeling in Technologies and Tricky Areas
      1. Chapter 12: Requirements Cookbook
        1. Why a “Cookbook”?
        2. The Interplay of Requirements, Threats, and Mitigations
        3. Business Requirements
        4. Prevent/Detect/Respond as a Frame for Requirements
        5. People/Process/Technology as a Frame for Requirements
        6. Development Requirements vs. Acquisition Requirements
        7. Compliance-Driven Requirements
        8. Privacy Requirements
        9. The STRIDE Requirements
        10. Non-Requirements
        11. Summary
      2. Chapter 13: Web and Cloud Threats
        1. Web Threats
        2. Cloud Tenant Threats
        3. Cloud Provider Threats
        4. Mobile Threats
        5. Summary
      3. Chapter 14: Accounts and Identity
        1. Account Life Cycles
        2. Authentication
        3. Account Recovery
        4. Names, IDs, and SSNs
        5. Summary
      4. Chapter 15: Human Factors and Usability
        1. Models of People
        2. Models of Software Scenarios
        3. Threat Elicitation Techniques
        4. Tools and Techniques for Addressing Human Factors
        5. User Interface Tools and Techniques
        6. Testing for Human Factors
        7. Perspective on Usability and Ceremonies
        8. Summary
      5. Chapter 16: Threats to Cryptosystems
        1. Cryptographic Primitives
        2. Classic Threat Actors
        3. Attacks Against Cryptosystems
        4. Building with Crypto
        5. Things to Remember About Crypto
        6. Secret Systems: Kerckhoffs and His Principles
        7. Summary
    6. Part V: Taking It to the Next Level
      1. Chapter 17: Bringing Threat Modeling to Your Organization
        1. How To Introduce Threat Modeling
        2. Who Does What?
        3. Threat Modeling within a Development Life Cycle
        4. Overcoming Objections to Threat Modeling
        5. Summary
      2. Chapter 18: Experimental Approaches
        1. Looking in the Seams
        2. Operational Threat Models
        3. The “Broad Street” Taxonomy
        4. Adversarial Machine Learning
        5. Threat Modeling a Business
        6. Threats to Threat Modeling Approaches
        7. How to Experiment
        8. Summary
      3. Chapter 19: Architecting for Success
        1. Understanding Flow
        2. Knowing the Participants
        3. Boundary Objects
        4. The Best Is the Enemy of the Good
        5. Closing Perspectives
        6. Summary
    7. Appendix A: Helpful Tools
      1. Common Answers to “What's Your Threat Model?”
      2. Assets
    8. Appendix B: Threat Trees
      1. STRIDE Threat Trees
      2. Other Threat Trees
    9. Appendix C: Attacker Lists
      1. Attacker Lists
      2. Personas and Archetypes
      3. Aucsmith's Attacker Personas
      4. Background and Definitions
      5. Personas
    10. Appendix D: Elevation of Privilege: The Cards
      1. Spoofing
      2. Tampering
      3. Repudiation
      4. Information Disclosure
      5. Denial of Service
      6. Elevation of Privilege (EoP)
    11. Appendix E: Case Studies
      1. The Acme Database
      2. Acme's Operational Network
      3. Phones and One-Time Token Authenticators
      4. Sample for You to Model
    12. Glossary
    13. Bibliography
    14. Introduction
      1. What Is Threat Modeling?
      2. Reasons to Threat Model
      3. Who Should Read This Book?
      4. What You Will Gain from This Book
      5. How To Use This Book
      6. New Lessons on Threat Modeling
    15. End User License Agreement