Threat Modeling: Designing for Security (Wiley, 2014)
The only security book to be chosen as a Dr. Dobbs Jolt Award Finalist since Bruce Schneier's Secrets and Lies and Applied Cryptography! Adam Shostack is responsible for security development lifecycle threat modeling at Microsoft and is one of a handful of threat modeling experts in the world. Now, he is sharing his considerable expertise into this unique book. With pages of specific actionable advice, he details how to build better security into the design of systems, software, or services from the outset. You'll explore various threat modeling approaches, find out how to test your designs against threats, and learn effective ways to address threats that have been validated at Microsoft and other top companies. Systems security managers, you'll find tools and a framework for structured thinking about what can go wrong. Software developers, you'll appreciate the jargon-free and accessible introduction to this essential skill. Security professionals, you'll learn to discern changing threats and discover the easiest ways to adopt a structured approach to threat modeling. Provides a unique how-to for security and software developers who need to design secure products and systems and test their designs Explains how to threat model and explores various threat modeling approaches, such as asset-centric, attacker-centric and software-centric Provides effective approaches and techniques that have been proven at Microsoft and elsewhere Offers actionable how-to advice not tied to any specific software, operating system, or programming language Authored by a Microsoft professional who is one of the most prominent threat modeling experts in the world As more software is delivered on the Internet or operates on Internet-connected devices, the design of secure software is absolutely critical. Make sure you're ready with Threat Modeling: Designing for Security.
Threat Modeling Designing for Security Adam shostack WILEY dd12:57:18:PM01/17/2014P Threat Modeling: Designing for Security Published by John wiley Sons, Inc 10475 Crosspoint BoulevardIndianapolis, IN 46256 wiley.co Copyright o 2014 by Adam Shostack Published by John Wiley Sons, Inc, Indianapolis, Indiana Published simultaneously in Canada ISBN:978-1-118-80999-0 ISBN:978-1-118-82269-2(ebk) ISBN:978-1-118-810057(ebk) Manufactured in the United States of america 10987654321 No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or y any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permis sion of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978)750-8400, fax (978)646-8600 Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley Sons, Inc 111RiverStreet,Hoboken,Nj07030,(201)748-6011,fax(201)748-6008,oronlineathttp://www.wiley com/go/permissions Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation P tion does not that the author or the publishe the information the organization or website may prov ide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read For general information on our other products and services please contact our Customer Care Department within the United States at(877)762-2974, outside the United States at(317)572-3993 or fax(317)572-4002 Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not beincluded in e-books or in print-on-demand. If this book efers to media such as a CD or dvd that is not included in the version you purchased, you may download thismaterialathttp://booksupport.wileycomFormoreinformationaboutWileyproducts Library of Congress Control Number: 2013954095 Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley Sons, Inc and/orits affiliates, in the United States and other countries, and may not be used without written permission All other trademarks are the property of their respective owners. John Wiley Sons, Inc is not associated with any product or vendor mentioned in this be For all those striving to deliver more secure systems ffirs indd 12: 57: 18: PM 01/17/2014 Page iii Credits Executive editor Business Manager C arol long amy Knies Project Editors Vice President and Executive Victoria swider Group Publisher Tom Dinse Richard wadley Technical Editor Associate Publisher Chris wysopal Jim mintel Production Editor Project Coordinator, Cover Christine mugnolo Todd Klemme Copy Editor Technical Proofreader Luann rouff Russ mcree Editorial manager Proofreader Mary beth Wakefield Nancy carrasco Freelancer Editorial Manager Indexer Rosemarie graham Robert Swanson Associate Director of Marketing Cover Image David mayhew Courtesy of microsoft Marketing Manager Cover designer Ashley zurcher Wile ffirs indd 12: 57: 18: PM 01/17/2014 Page iv About the author Adam Shostack is currently a program manager at Microsoft His security roles there have included security development processes, usable security, and attack modeling. His attack- modeling work led to security updates for Autorun being delivered to hundreds of millions of computers. He shipped he sdl Threat Modeling Tool and the Elevation of privilege threat modeling game. While doing security development process work, he delivered threat modeling training across Microsoft and its partners and customers Prior to microsoft, he has been an executive at a number of successful information security and privacy startups. He helped found the Cve, the Privacy enhancing technologies symposium and the International financial Cryptography Association. He has been a consultant to banks, hospitals and startups and established software companies. For the first several years of his career, he was a systems manager for a medical research lab. Shostack is a prolific author, blogger, and public speaker. With Andrew Stewart, he co-authored The New School of Information Security(Addison-Wesley, 2008) ffirs indd 12: 57: 18: PM 01/17/2014 Page v About the technical editor Chris Wysopal, Veracode's CTO and Co-Founder, is responsible for the company's software security analysis capabilities. In 2008 he was named one of InfoWorld's Top 25 CTOs and one of the 100 most influential people in ITby eWeek. One of the original vulnerability researchers and a member of Lopht Heavy Industries, he has testified on Capitol Hill in the Us on the subjects of government computer security and how vulnerabilities are discovered in software. He is an author of LOpht Crack and netcat for Windows. He is the lead author of The Art of Software Security Testing(Addison-Wesley, 2006) ffirs indd 12: 57: 18: PM 01/17/2014 Page vi Acknowledgments First and foremost, I'd like to thank countless engineers at Microsoft and else where who have given me feedback about their experiences threat modeling. I wouldnt have had the opportunity to have so many open and direct conversa tions without the support of Eric Bidstrup and Steve Lipner, who on my first day at microsoft told me to go wallow in the problem for a while,I dont think either expected"a while"to be quite so long. Nearly eight years later with countless deliverables along the way, this book is my most complete answer to the question they asked me: How can we get better threat models? Ellen cram Kowalczyk helped me make the book a reality in the microsoft context, gave great feedback on both details and aspects that were missing, and also provided a lot of the history of threat modeling from the first security pushes through the formation of the SDl, and she was a great manager and mentor Ellen and Steve Lipner were also invaluable in helping me obtain permission to use Microsoft documents The Elevation of privilege game that opens this book owes much to Jacqueline Beauchere, who saw promise in an ugly prototype called Threat Spades, " and invested in making it beautiful and widely available The sdl Threat Modeling tool might not exist if Chris Peterson hadnt given me a chance to build a threat modeling tool for the windows team to use. Ivan Medvedev, Patrick McCuller, Meng Li, and Larry Osterman built the first version of that tool. Id like to thank the many engineers in Windows, and later across Microsoft, who provided bug reports and suggestions for improvements in the beta days, and acknowledge all those who just flamed at us, reminding us of the importance of getting threat modeling right. Without that tool, my experience and breadth in threat modeling would be far poorer arry Osterman, Douglas Maclver, Eric Douglas, Michael Howard, and bob Fruth gave me hours of their time and experience in understanding threat ffirs indd 12: 57: 18: PM 01/17/2014 Page vii viii Acknowledgments modeling at Microsoft. Window Snyder's perspective as I started the Microsoft ob has been invaluable over the years. Knowing when you're done... well this book is nearly done Rob reeder was a great guide to the field of usable security, and Chapter 15 would look very different if not for our years of collaboration. I cant discuss usable security without thanking Lorrie Cranor for her help on that topic; but also for the chance to keynote the Symposium on usable Privacy and Security which led me to think about usable engineering advice, a perspective that is now suffused throughout this book Andy Stiengrubel, Don Ankney, and Russ mcree all taught me important lessons related to operational threat modeling, and how the trade-offs change as you change context. Guys, thank you for beating on me-those lessons now permeate many chapters. Alec Yasinac, Harold Pardue, and Jeff Landry were generous with their time discussing their attack tree experience, and Chapters 4 and 17 are better for those conversations. Joseph lorenzo hall was also a gem in helping with attack trees. Wendy Nather argued strongly that assets and attackers are great ways to make threats real, and thus help overcome resistance to fixing them rob Sama checked the acme financials example from a Cpas perspective, correcting many of my errors. Dave Awksmith graciously allowed me to include his threat personas as a complete appendix. Jason Nehrboss gave me some of the best feedback I've ever received on very early chapters I'd also like to acknowledge Jacob Appelbaum, Crispin Cowan, Dana Epp(for years of help, on both the book and tools), Jeremi Gosney, Yoshi Kohno, David LeBlanc, marsh ray, Nick Mathewson, Tamara McBride, Russ Mcree, Talhah Mir, David Mortman, Alec Muffet, Ben Rothke, Andrew Stewart, and bryan Sullivan for helpful feedback on drafts and/ or ideas that made it into the book In a wide variety of ways Q. Of course, none of those acknowledged in this section are responsible for the rors which doubtless crept in or remain Writing this book by myself"(an odd phrase given everyone Im acknowl- edging) makes me miss working with Andrew Stewart, my partner in writing on The New School of information Security. Especially since people sometime attribute that book to me, I want to be public about how much I missed his collaboration in this project This book wouldnt be in the form it is were it not for bruce schneier's will ingness to make an introduction to Carol Long, and Carols willingness to pick up the book. It wasn't always easy to read the feedback and suggested changes from my excellent project editor, Victoria Swider, but this thing is better where l did. Tom Dinse stepped in as the project ended and masterfully took control of a rery large number of open tasks bringing them to resolution on a tight schedule Lastly, and most importantly, thank you to Terri, for all your help, support, and love, and for putting up with"it's almost done" for a very very long time -Adam shostack ffirs indd 12: 57: 18: PM 01/17/2014 Page viii
Threat Modeling: Designing for Security2014-03-10
Adam Shostack is responsible for security development lifecycle threat modeling at Microsoft and is one of a handful of threat modeling experts in the world. Now, he is sharing his considerable expertise into this unique book. With pages of specific actionable advice, he details how to build better
Risk Centric Threat Modeling(Wiley,2015)2015-11-09
Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis is a resource for software developers, architects, technical risk managers, and seasoned security professionals.
Microsoft Threat Modeling Tool2020-05-15
Microsoft Threat Modeling Tool 微软威胁建模工具安装器，下载后会自动安装最新版本的Microsoft Threat Modeling Tool
Cyber-All-Intel：An AI for Security related Threat Intelligence.pdf2019-08-09
It is a system for knowledge extraction, representation and analytics in an end-toend pipeline grounded in the cybersecurity informatics domain. It uses multiple knowledge representations like, ...
Threat modeling(DFD) visio stencil2011-02-15
Threat modeling(DFD) visio stencil
Core Software Security: Security at the Source2016-02-01
Threat Modeling/Architecture Security Analysis Threat Modeling Data Flow Diagrams Architectural Threat Analysis and Ranking of Threats Risk Mitigation Open-Source Selection Privacy Information...
A Hardware Threat Modeling Concept for Trustable Integrated Circuits2011-04-22
Similar to the effects of software viruses, hardware can also be compromised by introduction of malicious logic into circuits to cause unwanted system behaviors. This can be done by changing or adding...
Enterprise Cybersecurity empowers organizations of all sizes to defend themselves with next-generation cybersecurity programs against the escalating threat of modern targeted cyberattacks. This book ...
2019 Internet Security Threat Report.pdf.pdf2019-06-18
赛门铁克：2019 年《互联网安全威胁报告》(第24期) 在赛门铁克《互联网安全威胁报告》中，对全球威胁活动、网络犯罪趋势和攻击者动机进行了深入剖析，提出了自己的最新见解。其中，分析数据来自全球最大的民用威胁...
Linux Essentials for Cybersecurity2019-01-12
Linux Essentials for Cybersecurity (Pearson IT Cybersecurity Curriculum (ITCC)) By 作者: William Rothwell – Denise Kinsey ISBN-10 书号: 0789759357 ISBN-13 书号: 9780789759351 Edition 版本: 1 出版...
Advanced Persistent Threat Hacking The Art and Science of Hacking Any 无水印pdf2017-10-18
Advanced Persistent Threat Hacking The Art and Science of Hacking Any Organization 英文无水印pdf pdf所有页面使用FoxitReader和PDF-XChangeViewer测试都可以打开 本资源转载自网络，如有侵权，请联系上传...
Predicting Malicious Behavior2014-03-12
Illustrates ways to understand malicious intent, dissect behavior, and apply the available tools and methods for enhancing security Covers the methodology for predicting malicious behavior, how to ...
论文研究-Analyzing Security Issues in Peer-to-Peer Networks with Threat Modeling.pdf2019-08-15
Secure Java: For Web Application Development2010-11-26
Encapsulating security requirements for web development with the Java programming platform, Secure Java: For Web Application Development covers secure programming, risk assessment, and threat modeling...
He has more than fifteen years' experience in a range of high-profile security and communications roles, including as a close protection operative at London's 2012 Olympics and in Russia for the 2014 ...
Security Threat Mitigation and Response Understanding Cisco Security MARS2013-06-18
Security Threat Mitigation and Response Understanding Cisco Security MARS (现任明教教主批注版).pdf 这个看了下是英文电子书，批注版但没看到中文批注！
Cisco Press：Security Threat Mitigation and Response.chm2009-07-11
Cisco - Security Threat Mitigation and Response.chm