Threat Modeling - Adam Shostack - E-Book

Description

The only security book to be chosen as a Dr. Dobbs Jolt Award Finalist since Bruce Schneier's Secrets and Lies and Applied Cryptography! Adam Shostack is responsible for security development lifecycle Threat Modeling at Microsoft and is one of a handful of Threat Modeling experts in the world. Now, he is sharing his considerable expertise in this unique book. With pages of specific actionable advice, he details how to build better security into the design of systems, software, or services from the outset. You'll explore various Threat Modeling approaches, find out how to test your designs against threats, and learn effective ways to address threats that have been validated at Microsoft and other top companies.

Systems security managers, you'll find tools and a framework for structured thinking about what can go wrong. Software developers, you'll appreciate the jargon-free and accessible introduction to this essential skill. Security professionals, you'll learn to discern changing threats and discover the easiest ways to adopt a structured approach to Threat Modeling.

* Provides a unique how-to for security and software developers who need to design secure products and systems and test their designs
* Explains how to threat model and explores various Threat Modeling approaches, such as asset-centric, attacker-centric and software-centric
* Provides effective approaches and techniques that have been proven at Microsoft and elsewhere
* Offers actionable how-to advice not tied to any specific software, operating system, or programming language
* Authored by a Microsoft professional who is one of the most prominent Threat Modeling experts in the world

As more software is delivered on the Internet or operates on Internet-connected devices, the design of secure software is absolutely critical. Make sure you're ready with Threat Modeling: Designing for Security.


Number of pages: 939


Table of Contents

Cover

Part I: Getting Started

Chapter 1: Dive In and Threat Model!

Learning to Threat Model

Threat Modeling on Your Own

Checklists for Diving In and Threat Modeling

Summary

Chapter 2: Strategies for Threat Modeling

“What's Your Threat Model?”

Brainstorming Your Threats

Structured Approaches to Threat Modeling

Models of Software

Summary

Part II: Finding Threats

Chapter 3: STRIDE

Understanding STRIDE and Why It's Useful

Spoofing Threats

Tampering Threats

Repudiation Threats

Information Disclosure Threats

Denial-of-Service Threats

Elevation of Privilege Threats

Extended Example: STRIDE Threats against Acme-DB

STRIDE Variants

Exit Criteria

Summary

Chapter 4: Attack Trees

Working with Attack Trees

Representing a Tree

Example Attack Tree

Real Attack Trees

Perspective on Attack Trees

Summary

Chapter 5: Attack Libraries

Properties of Attack Libraries

CAPEC

OWASP Top Ten

Summary

Chapter 6: Privacy Tools

Solove's Taxonomy of Privacy

Privacy Considerations for Internet Protocols

Privacy Impact Assessments (PIA)

The Nymity Slider and the Privacy Ratchet

Contextual Integrity

LINDDUN

Summary

Part III: Managing and Addressing Threats

Chapter 7: Processing and Managing Threats

Starting the Threat Modeling Project

Digging Deeper into Mitigations

Tracking with Tables and Lists

Scenario-Specific Elements of Threat Modeling

Summary

Chapter 8: Defensive Tactics and Technologies

Tactics and Technologies for Mitigating Threats

Addressing Threats with Patterns

Mitigating Privacy Threats

Summary

Chapter 9: Trade-Offs When Addressing Threats

Classic Strategies for Risk Management

Selecting Mitigations for Risk Management

Threat-Specific Prioritization Approaches

Mitigation via Risk Acceptance

Arms Races in Mitigation Strategies

Summary

Chapter 10: Validating That Threats Are Addressed

Testing Threat Mitigations

Checking Code You Acquire

QA'ing Threat Modeling

Process Aspects of Addressing Threats

Tables and Lists

Summary

Chapter 11: Threat Modeling Tools

Generally Useful Tools

Open-Source Tools

Commercial Tools

Tools That Don't Exist Yet

Summary

Part IV: Threat Modeling in Technologies and Tricky Areas

Chapter 12: Requirements Cookbook

Why a “Cookbook”?

The Interplay of Requirements, Threats, and Mitigations

Business Requirements

Prevent/Detect/Respond as a Frame for Requirements

People/Process/Technology as a Frame for Requirements

Development Requirements vs. Acquisition Requirements

Compliance-Driven Requirements

Privacy Requirements

The STRIDE Requirements

Non-Requirements

Summary

Chapter 13: Web and Cloud Threats

Web Threats

Cloud Tenant Threats

Cloud Provider Threats

Mobile Threats

Summary

Chapter 14: Accounts and Identity

Account Life Cycles

Authentication

Account Recovery

Names, IDs, and SSNs

Summary

Chapter 15: Human Factors and Usability

Models of People

Models of Software Scenarios

Threat Elicitation Techniques

Tools and Techniques for Addressing Human Factors

User Interface Tools and Techniques

Testing for Human Factors

Perspective on Usability and Ceremonies

Summary

Chapter 16: Threats to Cryptosystems

Cryptographic Primitives

Classic Threat Actors

Attacks Against Cryptosystems

Building with Crypto

Things to Remember About Crypto

Secret Systems: Kerckhoffs and His Principles

Summary

Part IV: Threat Modeling in Technologies and Tricky Areas

Chapter 17: Bringing Threat Modeling to Your Organization

How To Introduce Threat Modeling

Who Does What?

Threat Modeling within a Development Life Cycle

Overcoming Objections to Threat Modeling

Summary

Chapter 18: Experimental Approaches

Looking in the Seams

Operational Threat Models

The “Broad Street” Taxonomy

Adversarial Machine Learning

Threat Modeling a Business

Threats to Threat Modeling Approaches

How to Experiment

Summary

Chapter 19: Architecting for Success

Understanding Flow

Knowing the Participants

Boundary Objects

The Best Is the Enemy of the Good

Closing Perspectives

Summary

Appendix A: Helpful Tools

Common Answers to “What's Your Threat Model?”

Assets

Appendix B: Threat Trees

STRIDE Threat Trees

Other Threat Trees

Appendix C: Attacker Lists

Attacker Lists

Personas and Archetypes

Aucsmith's Attacker Personas

Background and Definitions

Personas

Appendix D: Elevation of Privilege: The Cards

Spoofing

Tampering

Repudiation

Information Disclosure

Denial of Service

Elevation of Privilege (EoP)

Appendix E: Case Studies

The Acme Database

Acme's Operational Network

Phones and One-Time Token Authenticators

Sample for You to Model

Glossary

Bibliography

Introduction

What Is Threat Modeling?

Reasons to Threat Model

Who Should Read This book?

What You Will Gain from This Book

How To Use This Book

New Lessons on Threat Modeling

End User License Agreement




Part I: Getting Started

This part of the book is for those who are new to threat modeling, and it assumes no prior knowledge of threat modeling or security. It focuses on the key new skills that you'll need to threat model and lays out a methodology that's designed for people who are new to threat modeling.

Part I also introduces the various ways to approach threat modeling using a set of toy analogies. Much like there are many children's toys for modeling, there are many ways to threat model. There are model kits with precisely molded parts to create airplanes or ships. These kits have a high degree of fidelity and a low level of flexibility. There are also numerous building block systems such as Lincoln Logs, Erector Sets, and Lego blocks. Each of these allows for more flexibility, at the price of perhaps not having a propeller that's quite right for the plane you want to model.

In threat modeling, there are techniques that center on attackers, assets, or software, and these are like Lincoln Logs, Erector Sets, and Lego blocks, in that each is powerful and flexible, each has advantages and disadvantages, and it can be tricky to combine them into something beautiful.

Part I contains the following chapters:

Chapter 1: Dive In and Threat Model! contains everything you need to get started threat modeling, and does so by focusing on four questions:

What are you building?

What can go wrong?

What should you do about those things that can go wrong?

Did you do a decent job of analysis?

These questions aren't just what you need to get started, but are at the heart of the four-step framework, which is the core of this book.

Chapter 2: Strategies for Threat Modeling covers a great many ways to approach threat modeling. Many of them are “obvious” approaches, such as thinking about attackers or the assets you want to protect. Each is explained, along with why it works less well than you hope. These and others are contrasted with a focus on software. Software is what you can most reasonably expect a software professional to understand, and so models of software are the most important lesson of Chapter 2. Models of software are one of the two models that you should focus on when threat modeling.

Chapter 1: Dive In and Threat Model!

Anyone can learn to threat model, and what's more, everyone should. Threat modeling is about using models to find security problems. Using a model means abstracting away a lot of details to provide a look at a bigger picture, rather than the code itself. You model because it enables you to find issues in things you haven't built yet, and because it enables you to catch a problem before it starts. Lastly, you threat model as a way to anticipate the threats that could affect you.

Threat modeling is first and foremost a practical discipline, and this chapter is structured to reflect that practicality. Even though this book will provide you with many valuable definitions, theories, philosophies, effective approaches, and well-tested techniques, you'll want those to be grounded in experience. Therefore, this chapter avoids focusing on theory and ignores variations for now and instead gives you a chance to learn by experience.

To use an analogy, when you start playing an instrument, you need to develop muscles and awareness by playing the instrument. It won't sound great at the start, and it will be frustrating at times, but as you do it, you'll find it gets easier. You'll start to hit the notes and the timing. Similarly, if you use the simple four-step breakdown of how to threat model that's exercised in Parts I-III of this book, you'll start to develop your muscles. You probably know the old joke about the person who stops a musician on the streets of New York and asks “How do I get to Carnegie Hall?” The answer, of course, is “practice, practice, practice.” Some of that includes following along, doing the exercises, and developing an understanding of the steps involved. As you do so, you'll start to understand how the various tasks and techniques that make up threat modeling come together.

Continue reading in the full edition!