Adam Shostack

Threat Modeling

Designing for Security. Language: English. 23.0 cm / 18.7 cm / 3.7 cm (W/H/D)
Book (softcover), 624 pages
EAN 9781118809990
Published February 2014
Publisher/Manufacturer: Wiley

Also available as:

eBook (pdf)
50,99
60,50 incl. VAT
Description

Use threat modeling to enhance software security. If you're a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and in the overall software and systems design processes. Author and security expert Adam Shostack puts his considerable expertise to work in this book that, unlike any other, details the process of building improved security into the design of software, computer services, and systems — from the very beginning.

- Find and fix security issues before they hurt you or your customers
- Learn to use practical and actionable tools, techniques, and approaches for software developers, IT professionals, and security enthusiasts
- Explore the nuances of software-centric threat modeling and discover its application to software and systems during the build phase and beyond
- Apply threat modeling to improve security when managing complex systems
- Manage potential threats using a structured, methodical framework
- Discover and discern evolving security threats
- Use specific, actionable advice regardless of software type, operating system, or program
- Approaches and techniques validated and proven to be effective at Microsoft and other top IT companies

About the Author

Adam Shostack is a principal program manager on Microsoft's Trustworthy Computing team. He helped found the CVE, the Privacy Enhancing Technologies Symposium, and the International Financial Cryptography Association. His experience shipping products (at both Microsoft and tiny startups) and managing operational security ensures the advice in this book is grounded in real experience.

Table of Contents

Introduction xxi

Part I Getting Started 1

Chapter 1 Dive In and Threat Model! 3
    Learning to Threat Model 4
    Threat Modeling on Your Own 26
    Checklists for Diving In and Threat Modeling 27
    Summary 28

Chapter 2 Strategies for Threat Modeling 29
    "What's Your Threat Model?" 30
    Brainstorming Your Threats 31
    Structured Approaches to Threat Modeling 34
    Models of Software 43
    Summary 56

Part II Finding Threats 59

Chapter 3 STRIDE 61
    Understanding STRIDE and Why It's Useful 62
    Spoofing Threats 64
    Tampering Threats 67
    Repudiation Threats 68
    Information Disclosure Threats 70
    Denial-of-Service Threats 72
    Elevation of Privilege Threats 73
    Extended Example: STRIDE Threats against Acme-DB 74
    STRIDE Variants 78
    Exit Criteria 85
    Summary 85

Chapter 4 Attack Trees 87
    Working with Attack Trees 87
    Representing a Tree 91
    Example Attack Tree 94
    Real Attack Trees 96
    Perspective on Attack Trees 98
    Summary 100

Chapter 5 Attack Libraries 101
    Properties of Attack Libraries 101
    CAPEC 104
    OWASP Top Ten 108
    Summary 108

Chapter 6 Privacy Tools 111
    Solove's Taxonomy of Privacy 112
    Privacy Considerations for Internet Protocols 114
    Privacy Impact Assessments (PIA) 114
    The Nymity Slider and the Privacy Ratchet 115
    Contextual Integrity 117
    LINDDUN 120
    Summary 121

Part III Managing and Addressing Threats 123

Chapter 7 Processing and Managing Threats 125
    Starting the Threat Modeling Project 126
    Digging Deeper into Mitigations 130
    Tracking with Tables and Lists 133
    Scenario-Specific Elements of Threat Modeling 138
    Summary 143

Chapter 8 Defensive Tactics and Technologies 145
    Tactics and Technologies for Mitigating Threats 145
    Addressing Threats with Patterns 159
    Mitigating Privacy Threats 160
    Summary 164

Chapter 9 Trade-Offs When Addressing Threats 167
    Classic Strategies for Risk Management 168
    Selecting Mitigations for Risk Management 170
    Threat-Specific Prioritization Approaches 178
    Mitigation via Risk Acceptance 184
    Arms Races in Mitigation Strategies 185
    Summary 186

Chapter 10 Validating That Threats Are Addressed 189
    Testing Threat Mitigations 190
    Checking Code You Acquire 192
    QA'ing Threat Modeling 195
    Process Aspects of Addressing Threats 197
    Tables and Lists 198
    Summary 202

Chapter 11 Threat Modeling Tools 203
    Generally Useful Tools 204
    Open-Source Tools 206
    Commercial Tools 208
    Tools That Don't Exist Yet 213
    Summary 213

Part IV Threat Modeling in Technologies and Tricky Areas 215

Chapter 12 Requirements Cookbook 217
    Why a "Cookbook"? 218
    The Interplay of Requirements, Threats, and Mitigations 219
    Business Requirements 220
    Prevent/Detect/Respond as a Frame for Requirements 221
    People/Process/Technology as a Frame for Requirements 227
    Development Requirements vs. Acquisition Requirements 228
    Compliance-Driven Requirements 229
    Privacy Requirements 231
    The STRIDE Requirements 234
    Non-Requirements 240
    Summary 242

Chapter 13 Web and Cloud Threats 243
    Web Threats 243
    Cloud Tenant Threats 246
    Cloud Provider Threats 249
    Mobile Threats 250
    Summary 251

Chapter 14 Accounts and Identity 253
    Account Life Cycles 254
    Authentication 259
    Account Recovery 271
    Names, IDs, and SSNs 282
    Summary 290

Chapter 15 Human Factors and Usability 293
    Models of People 294
    Models of Software Scenarios 304
    Threat Elicitation Techniques 311
    Tools and Techniques for Addressing Human Factors 316
    User Interface Tools and Techniques 322
    Testing for Human Factors 327
    Perspective on Usability and Ceremonies 329
    Summary 331

Chapter 16 Threats to Cryptosystems 333
    Cryptographic Primitives 334
    Classic Threat Actors 341
    Attacks against Cryptosystems 342
    Building with Crypto 346
    Things to Remember about Crypto 348
    Secret Systems: Kerckhoffs and His Principles 349
    Summary 351

Part V Taking It to the Next Level 353

Chapter 17 Bringing Threat Modeling to Your Organization 355
    How To Introduce Threat Modeling 356
    Who Does What? 359
    Threat Modeling within a Development Life Cycle 367
    Overcoming Objections to Threat Modeling 379
    Summary 383

Chapter 18 Experimental Approaches 385
    Looking in the Seams 386
    Operational Threat Models 387
    The "Broad Street" Taxonomy 392
    Adversarial Machine Learning 398
    Threat Modeling a Business 399
    Threats to Threat Modeling Approaches 400
    How to Experiment 404
    Summary 405

Chapter 19 Architecting for Success 407
    Understanding Flow 407
    Knowing the Participants 413
    Boundary Objects 414
    The Best Is the Enemy of the Good 415
    Closing Perspectives 416
    Summary 419

Now Threat Model 420

Appendix A Helpful Tools 421
    Common Answers to "What's Your Threat Model?" 421

Appendix B Threat Trees 429
    STRIDE Threat Trees 430
    Other Threat Trees 470

Appendix C Attacker Lists 477
    Attacker Lists 478

Appendix D Elevation of Privilege: The Cards 501
    Spoofing 501
    Tampering 503
    Repudiation 504
    Information Disclosure 506
    Denial of Service 507
    Elevation of Privilege (EoP) 508

Appendix E Case Studies 511
    The Acme Database 512
    Acme's Operational Network 519
    Phones and One-Time Token Authenticators 525
    Sample for You to Model 528

Glossary 533
Bibliography 543
Index 567

Manufacturer
Libri GmbH
Europaallee 1

DE - 36244 Bad Hersfeld

E-mail: gpsr@libri.de
