The only security book to be chosen as a Dr. Dobbs Jolt Award Finalist since Bruce Schneier's Secrets and Lies and Applied Cryptography! Adam Shostack is responsible for security development lifecycle threat modeling at Microsoft and is one of a handful of threat modeling experts in the world. Now, he is sharing his considerable expertise into this unique book. With pages of specific actionable advice, he details how to build better security into the design of systems, software, or services from the outset. You'll explore various threat modeling approaches, find out how to test your designs against threats, and learn effective ways to address threats that have been validated at Microsoft and other top companies. Systems security managers, you'll find tools and a framework for structured thinking about what can go wrong. Software developers, you'll appreciate the jargon-free and accessible introduction to this essential skill. Security professionals, you'll learn to discern changing threats and discover the easiest ways to adopt a structured approach to threat modeling. Provides a unique how-to for security and software developers who need to design secure products and systems and test their designs Explains how to threat model and explores various threat modeling approaches, such as asset-centric, attacker-centric and software-centric Provides effective approaches and techniques that have been proven at Microsoft and elsewhere Offers actionable how-to advice not tied to any specific software, operating system, or programming language Authored by a Microsoft professional who is one of the most prominent threat modeling experts in the world As more software is delivered on the Internet or operates on Internet-connected devices, the design of secure software is absolutely critical. Make sure you're ready with Threat Modeling: Designing for Security.

Table of Contents:
Introduction xxi Part I Getting Started 1 Chapter 1 Dive In and Threat Model! 3 Learning to Threat Model 4 Threat Modeling on Your Own 26 Checklists for Diving In and Threat Modeling 27 Summary 28 Chapter 2 Strategies for Threat Modeling 29 “What’s Your Threat Model?” 30 Brainstorming Your Threats 31 Structured Approaches to Threat Modeling 34 Models of Software 43 Summary 56 Part II Finding Threats 59 Chapter 3 STRIDE 61 Understanding STRIDE and Why It’s Useful 62 Spoofing Threats 64 Tampering Threats 67 Repudiation Threats 68 Information Disclosure Threats 70 Denial-of-Service Threats 72 Elevation of Privilege Threats 73 Extended Example: STRIDE Threats against Acme-DB 74 STRIDE Variants 78 Exit Criteria 85 Summary 85 Chapter 4 Attack Trees 87 Working with Attack Trees 87 Representing a Tree 91 Example Attack Tree 94 Real Attack Trees 96 Perspective on Attack Trees 98 Summary 100 Chapter 5 Attack Libraries 101 Properties of Attack Libraries 101 CAPEC 104 OWASP Top Ten 108 Summary 108 Chapter 6 Privacy Tools 111 Solove’s Taxonomy of Privacy 112 Privacy Considerations for Internet Protocols 114 Privacy Impact Assessments (PIA) 114 The Nymity Slider and the Privacy Ratchet 115 Contextual Integrity 117 LINDDUN 120 Summary 121 Part III Managing and Addressing Threats 123 Chapter 7 Processing and Managing Threats 125 Starting the Threat Modeling Project 126 Digging Deeper into Mitigations 130 Tracking with Tables and Lists 133 Scenario-Specifi c Elements of Threat Modeling 138 Summary 143 Chapter 8 Defensive Tactics and Technologies 145 Tactics and Technologies for Mitigating Threats 145 Addressing Threats with Patterns 159 Mitigating Privacy Threats 160 Summary 164 Chapter 9 Trade-Off s When Addressing Threats 167 Classic Strategies for Risk Management 168 Selecting Mitigations for Risk Management 170 Threat-Specific Prioritization Approaches 178 Mitigation via Risk Acceptance 184 Arms Races in Mitigation Strategies 185 Summary 186 Chapter 10 Validating That Threats Are Addressed 189 Testing Threat Mitigations 190 Checking Code You Acquire 192 QA’ing Threat Modeling 195 Process Aspects of Addressing Threats 197 Tables and Lists 198 Summary 202 Chapter 11 Threat Modeling Tools 203 Generally Useful Tools 204 Open-Source Tools 206 Commercial Tools 208 Tools That Don’t Exist Yet 213 Summary 213 Part IV Threat Modeling in Technologies and Tricky Areas 215 Chapter 12 Requirements Cookbook 217 Why a “Cookbook”? 218 The Interplay of Requirements, Threats, and Mitigations 219 Business Requirements 220 Prevent/Detect/Respond as a Frame for Requirements 221 People/Process/Technology as a Frame for Requirements 227 Development Requirements vs. Acquisition Requirements 228 Compliance-Driven Requirements 229 Privacy Requirements 231 The STRIDE Requirements 234 Non-Requirements 240 Summary 242 Chapter 13 Web and Cloud Threats 243 Web Threats 243 Cloud Tenant Threats 246 Cloud Provider Threats 249 Mobile Threats 250 Summary 251 Chapter 14 Accounts and Identity 253 Account Life Cycles 254 Authentication 259 Account Recovery 271 Names, IDs, and SSNs 282 Summary 290 Chapter 15 Human Factors and Usability 293 Models of People 294 Models of Software Scenarios 304 Threat Elicitation Techniques 311 Tools and Techniques for Addressing Human Factors 316 User Interface Tools and Techniques 322 Testing for Human Factors 327 Perspective on Usability and Ceremonies 329 Summary 331 Chapter 16 Threats to Cryptosystems 333 Cryptographic Primitives 334 Classic Threat Actors 341 Attacks against Cryptosystems 342 Building with Crypto 346 Things to Remember about Crypto 348 Secret Systems: Kerckhoffs and His Principles 349 Summary 351 Part V Taking It to the Next Level 353 Chapter 17 Bringing Threat Modeling to Your Organization 355 How To Introduce Threat Modeling 356 Who Does What? 359 Threat Modeling within a Development Life Cycle 367 Overcoming Objections to Threat Modeling 379 Summary 383 Chapter 18 Experimental Approaches 385 Looking in the Seams 386 Operational Threat Models 387 The “Broad Street” Taxonomy 392 Adversarial Machine Learning 398 Threat Modeling a Business 399 Threats to Threat Modeling Approaches 400 How to Experiment 404 Summary 405 Chapter 19 Architecting for Success 407 Understanding Flow 407 Knowing the Participants 413 Boundary Objects 414 The Best Is the Enemy of the Good 415 Closing Perspectives 416 Summary 419 Now Threat Model 420 Appendix A Helpful Tools 421 Common Answers to “What’s Your Threat Model?” 421 Appendix B Threat Trees 429 STRIDE Threat Trees 430 Other Threat Trees 470 Appendix C Attacker Lists 477 Attacker Lists 478 Appendix D Elevation of Privilege: The Cards 501 Spoofing 501 Tampering 503 Repudiation 504 Information Disclosure 506 Denial of Service 507 Elevation of Privilege (EoP) 508 Appendix E Case Studies 511 The Acme Database 512 Acme’s Operational Network 519 Phones and One-Time Token Authenticators 525 Sample for You to Model 528 Glossary 533 Bibliography 543 Index 567