
Threat Modeling: Designing for Security



Paperback by Shostack, Adam


£51.00

ISBN: 9781118809990
Publication Date: 25 Apr 2014
Language: English
Publisher: John Wiley & Sons Inc
Pages: 624 pages
Format: Paperback
For delivery: Estimated despatch 9 - 11 May 2024

Description

The only security book to be chosen as a Dr. Dobb's Jolt Award Finalist since Bruce Schneier's Secrets and Lies and Applied Cryptography!

Adam Shostack is responsible for security development lifecycle threat modeling at Microsoft and is one of a handful of threat modeling experts in the world. Now, he is sharing his considerable expertise in this unique book. With pages of specific actionable advice, he details how to build better security into the design of systems, software, or services from the outset. You'll explore various threat modeling approaches, find out how to test your designs against threats, and learn effective ways to address threats that have been validated at Microsoft and other top companies.

Systems security managers, you'll find tools and a framework for structured thinking about what can go wrong. Software developers, you'll appreciate the jargon-free and accessible introduction to this essential skill. Security professionals, you'll learn to discern changing threats and discover the easiest ways to adopt a structured approach to threat modeling.

- Provides a unique how-to for security and software developers who need to design secure products and systems and test their designs
- Explains how to threat model and explores various threat modeling approaches, such as asset-centric, attacker-centric and software-centric
- Provides effective approaches and techniques that have been proven at Microsoft and elsewhere
- Offers actionable how-to advice not tied to any specific software, operating system, or programming language
- Authored by a Microsoft professional who is one of the most prominent threat modeling experts in the world

As more software is delivered on the Internet or operates on Internet-connected devices, the design of secure software is absolutely critical. Make sure you're ready with Threat Modeling: Designing for Security.

Contents

Introduction

Part I Getting Started
  Chapter 1 Dive In and Threat Model!
    Learning to Threat Model
    Threat Modeling on Your Own
    Checklists for Diving In and Threat Modeling
    Summary
  Chapter 2 Strategies for Threat Modeling
    "What's Your Threat Model?"
    Brainstorming Your Threats
    Structured Approaches to Threat Modeling
    Models of Software
    Summary

Part II Finding Threats
  Chapter 3 STRIDE
    Understanding STRIDE and Why It's Useful
    Spoofing Threats
    Tampering Threats
    Repudiation Threats
    Information Disclosure Threats
    Denial-of-Service Threats
    Elevation of Privilege Threats
    Extended Example: STRIDE Threats against Acme-DB
    STRIDE Variants
    Exit Criteria
    Summary
  Chapter 4 Attack Trees
    Working with Attack Trees
    Representing a Tree
    Example Attack Tree
    Real Attack Trees
    Perspective on Attack Trees
    Summary
  Chapter 5 Attack Libraries
    Properties of Attack Libraries
    CAPEC
    OWASP Top Ten
    Summary
  Chapter 6 Privacy Tools
    Solove's Taxonomy of Privacy
    Privacy Considerations for Internet Protocols
    Privacy Impact Assessments (PIA)
    The Nymity Slider and the Privacy Ratchet
    Contextual Integrity
    LINDDUN
    Summary

Part III Managing and Addressing Threats
  Chapter 7 Processing and Managing Threats
    Starting the Threat Modeling Project
    Digging Deeper into Mitigations
    Tracking with Tables and Lists
    Scenario-Specific Elements of Threat Modeling
    Summary
  Chapter 8 Defensive Tactics and Technologies
    Tactics and Technologies for Mitigating Threats
    Addressing Threats with Patterns
    Mitigating Privacy Threats
    Summary
  Chapter 9 Trade-Offs When Addressing Threats
    Classic Strategies for Risk Management
    Selecting Mitigations for Risk Management
    Threat-Specific Prioritization Approaches
    Mitigation via Risk Acceptance
    Arms Races in Mitigation Strategies
    Summary
  Chapter 10 Validating That Threats Are Addressed
    Testing Threat Mitigations
    Checking Code You Acquire
    QA'ing Threat Modeling
    Process Aspects of Addressing Threats
    Tables and Lists
    Summary
  Chapter 11 Threat Modeling Tools
    Generally Useful Tools
    Open-Source Tools
    Commercial Tools
    Tools That Don't Exist Yet
    Summary

Part IV Threat Modeling in Technologies and Tricky Areas
  Chapter 12 Requirements Cookbook
    Why a "Cookbook"?
    The Interplay of Requirements, Threats, and Mitigations
    Business Requirements
    Prevent/Detect/Respond as a Frame for Requirements
    People/Process/Technology as a Frame for Requirements
    Development Requirements vs. Acquisition Requirements
    Compliance-Driven Requirements
    Privacy Requirements
    The STRIDE Requirements
    Non-Requirements
    Summary
  Chapter 13 Web and Cloud Threats
    Web Threats
    Cloud Tenant Threats
    Cloud Provider Threats
    Mobile Threats
    Summary
  Chapter 14 Accounts and Identity
    Account Life Cycles
    Authentication
    Account Recovery
    Names, IDs, and SSNs
    Summary
  Chapter 15 Human Factors and Usability
    Models of People
    Models of Software Scenarios
    Threat Elicitation Techniques
    Tools and Techniques for Addressing Human Factors
    User Interface Tools and Techniques
    Testing for Human Factors
    Perspective on Usability and Ceremonies
    Summary
  Chapter 16 Threats to Cryptosystems
    Cryptographic Primitives
    Classic Threat Actors
    Attacks against Cryptosystems
    Building with Crypto
    Things to Remember about Crypto
    Secret Systems: Kerckhoffs and His Principles
    Summary

Part V Taking It to the Next Level
  Chapter 17 Bringing Threat Modeling to Your Organization
    How To Introduce Threat Modeling
    Who Does What?
    Threat Modeling within a Development Life Cycle
    Overcoming Objections to Threat Modeling
    Summary
  Chapter 18 Experimental Approaches
    Looking in the Seams
    Operational Threat Models
    The "Broad Street" Taxonomy
    Adversarial Machine Learning
    Threat Modeling a Business
    Threats to Threat Modeling Approaches
    How to Experiment
    Summary
  Chapter 19 Architecting for Success
    Understanding Flow
    Knowing the Participants
    Boundary Objects
    The Best Is the Enemy of the Good
    Closing Perspectives
    Summary
    Now Threat Model

Appendix A Helpful Tools
    Common Answers to "What's Your Threat Model?"
Appendix B Threat Trees
    STRIDE Threat Trees
    Other Threat Trees
Appendix C Attacker Lists
    Attacker Lists
Appendix D Elevation of Privilege: The Cards
    Spoofing
    Tampering
    Repudiation
    Information Disclosure
    Denial of Service
    Elevation of Privilege (EoP)
Appendix E Case Studies
    The Acme Database
    Acme's Operational Network
    Phones and One-Time Token Authenticators
    Sample for You to Model

Glossary
Bibliography
Index
