



C**M
The Bible for Information Security Threat Modeling
I have been an Information Security professional for over 20 years. Threat Modeling has been an elusive goal for a large portion of my career. Having the ability to analyze a proposal, architecture, or existing system is expected from a senior level professional. Unfortunately, too many of us covet the unrealistic ability to quickly perform a thorough, accurate analysis “on the fly”; impressing everyone around us. This is a horrible trait to have, but it is all over the place.

The threat modeling approach addresses this problem by providing frameworks that take some of the guesswork out of the equation. Adam Shostack captures the popular methods within this book and touches on some of the pros and cons of each method. In my opinion, Adam places an appropriate amount of focus on the STRIDE threat modeling method, as it is the most well documented approach in the industry. However, he does not slack on explaining alternate methods like LINDDUN and its relationship to data privacy threats. The author also introduces the reader to some of the tools that are on the market or are made available via open source.

Most importantly, Adam highlights the importance of working with the various stakeholders within an organization to create a threat model. This cast could include, but is not limited to, project managers, system administrators, database administrators, network engineers, and information security resources, with the point being that threat modeling is not just something that someone with a CISSP can pull out of the air based on sheer brilliance; it’s a product of several subject matter experts.

This is the best resource on the market on the subject of security threat modeling.

Court Graham, CISSP, OSCP, CEH, ITIL, PCIP
N**A
Unlock the Secrets to Bulletproof Security Design!
Just finished reading "Threat Modeling: Designing for Security," and it’s a must-have for anyone in the field! It breaks down complex security concepts into understandable chunks, making it perfect for both beginners and experts. The strategies and insights provided are invaluable for designing impenetrable systems. It’s like having a security expert guiding you through every step of the process. This book is a treasure trove of knowledge that’ll elevate your security game to the next level!
J**N
Jumps Right In
From the first chapter I was applying the principles to my job. Adam's examples are easy to follow and get the point across well. I like the EoP game concept and will introduce that at the office when I have a better grasp of the material. It was well worth the price. It gets 4 stars instead of 5 because the editor missed some misspelled words and sequences (like when defining the STRIDE acronym they put the D in front of the I definition...) little stuff that doesn't take away from the content but for us OCD folks can be a minor distraction. I recommend.
A**R
Threat modeling is to security as CAVR is to assurance and accounting...a most.
Adam's Threat Modeling: Designing for Security is a must and required reading for security practitioners. Threat modeling should become standard practice within security programs and Adam's approachable narrative on how to implement threat modeling resonates loud and clear. Threat Modeling: Designing for Security combines both technical detail with pragmatic and actionable advice as to how you can implement threat modeling within your security program. Threat modeling increases assurance and offers a standard and structured way to answer "just how secure is this application or infrastructure?" Having defined attributes that need to be addressed as part of the security review ensures that security weaknesses don't fall through the proverbial cracks. Bottom line, CISOs would be well-served adding threat modeling to their team's required skills. Fantastic book!
S**V
A complete threat modeling program in a book
I purchased this book to get some new tricks and perspectives to add to my existing threat modelling program. I was impressed that it had not only good technical input, anecdotes and examples but also a lot of infrastructure to build a new program. There are sample diagrams, templates and organizational processes that can be used to build a program from scratch. It is a handbook and body of knowledge on the topic.

It is written from the point of view of software development but the material can be adapted to other applications.

There is a lot of info here. You can use the book no matter what your level of experience but you will find it an easier read if you have some experience with threat modeling.

Overall the best work I have seen on the topic.
D**E
Threat Modeling explained and applied
Threat modeling as a discipline was new to me. This book attempts to be a complete and detailed history of threat modeling and what works. Written by an esteemed security expert from Microsoft, it speaks not only to security practitioners but to program managers and developers. Understanding threat modeling and creating your own threat models is made less "scary" and comes with a game. Yes, it addresses the Agile/Devops movements, so now you have 2 card games to play ("Planning Poker" aka "Scrum Poker" along with "Escalation of Privilege").

Highly recommended.
C**K
worth a read
Not exactly ground breaking but certainly a well written and presented book on the topic. Good to have on the reference shelf.
M**E
An Exceptional Reference
This is THE tome to refer to for abstract threat modeling grounded in realistic examples that do not stray far from the actual vulnerabilities and threat agents we see every day. It is written in a way that allows you to read through it end to end, or use it as a reference to find out more information on the topics that concern you. The content really says a lot about the extensive security landscape expertise of the author.

I cannot recommend this book enough.