Paperback Threat Modeling Book

ISBN: 0735619913

ISBN13: 9780735619913

Threat Modeling


Format: Paperback

Condition: Like New

$9.89
Save $25.10!
List Price $34.99

Book Overview

In this straightforward and practical guide, Microsoft® application security specialists Frank Swiderski and Window Snyder describe the concepts and goals for threat modeling--a structured approach... This description may be from another edition of this product.

Customer Reviews

4 ratings

Ok, so maybe I didn't read the book...

...but Frank was a heck of a lot smarter than me in high school, so I'm sure everything in there is right. -David Wedeberg

Good coverage of the material, but far too redundant

The book is short at only 169 pages, but it could be shorter. My biggest complaint with this book is that it's incredibly redundant. The first two chapters are spent discussing why threat modeling is important. It is a valid point, as many people may be wondering why threat modeling is important or even what it is. Two chapters may be a little extensive, though, and they constantly repeat the same ideas. Page 13 of the introduction does make a statement that might help in avoiding much of this redundancy: "Development team members who want to skim this book for an overview should look at Chapter 2, which describes the overall threat modeling process. Chapters 3 and 5 will also be valuable to those looking for shortcuts because they describe entry points, assets, and the threat profile. Chapter 4 describes bounding the threat modeling discussion. The rest of the chapters, which flesh out the threat modeling process, will be most important for a project's security process manager." I, of course, read the whole thing. So, some redundancy is warranted, since this book itself implies that it is a sort of reference book. But even consecutive sections within the aforementioned chapters repeat the same statements. There is a difference between driving a point home and driving your reader crazy. I would also add that, if you are going to use the book as a reference, you should take a look at Part 4 (appendices A, B, and C), which are entire threat model documents for the three example features used throughout the book. This book is a good book for anyone in software design and development to understand how to write secure software. Every entry and exit point is a threat, and unmitigated threats are vulnerabilities.
Feature- and program-level threat modeling can help to mitigate those threats by identifying use cases and non-use cases for those entry points, roles accessing those entry points, threats associated with those entry points using the STRIDE classification (Spoofing, Tampering, Repudiation, Denial of service, and Elevation of privilege), the risk a threat poses using a DREAD rank (Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability), and internal and external notes about the threats. The book also points out that a threat model document is a living document, meaning that it should be kept current as the design of the feature or program changes. -- Excerpt copied from my blog.

great insight from those in the know

I know of Frank and Window by reputation, and was excited to see they finally put some of their ideas to paper. Threat Modeling really identifies threats I need to understand as a systems administrator and software developer. I have applied some of their ideas into our company's development processes, and have already seen tremendous success. I urge anyone with even an interest in security to buy this book!

The best text on threat modeling - by far.

Threat modeling is in theory really simple, and there are a lot of good texts and papers describing different ways to present the threat model once it is there. How to get that information from a planned or current application is often not described; rather, it seems that it is supposed to pop up from nowhere in some ad-hoc way, which makes you wonder if those authors have ever tried to do a threat model on a larger app than Hello World. This book separates itself from the others by not only describing a way to present the model but also processes to get that vital information. You can really tell that these two guys have done a lot of threat modeling (and not only in theory).
Copyright © 2023 Thriftbooks.com