In this straightforward and practical guide, Microsoft® application security specialists Frank Swiderski and Window Snyder describe the concepts and goals for threat modeling—a structured approach for identifying, evaluating, and mitigating risks to system security. Discover how to use the threat modeling methodology to analyze your system from the adversary’s point of view—creating a set of data points that help drive security specifications and testing. You’ll review application scenarios that illustrate threat modeling concepts in action, understanding how to use threat modeling to help improve the built-in security of a system—as well as your customer's confidence in the security of that system—regardless of development environment.
Gain an in-depth, conceptual understanding—along with practical ways to integrate threat modeling into your development efforts:
Help anticipate attacks by seeing how adversaries assess your system—and compare their view to the developer’s or architect’s view
Employ a data flow approach to create a threat profile for a system
Reveal vulnerabilities in system architecture and implementation using investigative techniques such as threat trees and threat model-directed code reviews
Develop a credible security characterization for modeling threats
Use threat modeling to help verify security features and increase the resilience of software systems
Increase customer confidence in your products!
Application Security
Chapter 1 Introduction to Application Security
Historical Perspective: Setting the Stage for Threat Modeling
Code Reviews During Design and Implementation
Why Application Security Is Critical to Business
The Application Security Life Cycle
Elements of Application Security
Roles in Application Security
Summary
Chapter 2 Why Threat Modeling?
Defining Threat Modeling
Examining the Threat Modeling Process
Organizing a Threat Model
Summary
Understanding Threat Modeling
Chapter 3 How an Adversary Sees an Application
The Adversary’s Goals
Principles of the Data Flow Approach
Analyzing Entry Points
Determining Which Assets Are of Interest
Trust Levels
Summary
Chapter 4 Constraining and Modeling the Application
Gathering Relevant Background Information
Modeling the Application Through Data Flow Diagrams
Summary
Chapter 5 The Threat Profile
Identifying Threats
Investigating Threats with Threat Trees
Vulnerability Resolution and Mitigation
Summary
Using Threat Modeling Effectively
Chapter 6 Choosing What to Model
Creating Feature-Level Threat Models
Creating Application-Level Threat Models
Knowing When a Threat Model Is Finished
Questions Threat Model Teams Should Pose
Summary
Chapter 7 Testing Based on a Threat Model
The Benefits and Shortcomings of Security Testing
Using Threat Models to Drive Security Testing
Characterizing the Application’s Security Risk
Summary
Chapter 8 Making Threat Modeling Work
Practical Considerations
Revisiting the Threat Model
Where to Go for Help
Managing the Threat Modeling Process
Summary
Sample Threat Models
Appendix A Fabrikam Phone 1.0
Use Scenarios
External Dependencies
Implementation Assumptions
External Security Notes
Internal Security Notes
Trust Levels
Entry Points
Assets
Data Flow Diagrams
Threats
Vulnerabilities
Appendix B Humongous Insurance Price Quote Website
Use Scenarios
External Dependencies
Implementation Assumptions
External Security Notes
Internal Security Notes
Trust Levels
Entry Points
Assets
Data Flow Diagrams
Threats
Vulnerabilities
Appendix C A. Datum Access Control API
Use Scenarios
External Dependencies
Implementation Assumptions
External Security Notes
Internal Security Notes
Trust Levels
Entry Points
Assets
Data Flow Diagrams
Threats
Vulnerabilities
Appendix About the Authors
Title: Threat Modeling
By: Frank Swiderski, Window Snyder
Publisher: Microsoft Press
Formats: Print
Print: June 2004
Pages: 288
Print ISBN: 978-0-7356-1991-3
ISBN 10: 0-7356-1991-3
Frank Swiderski
Frank Swiderski is a Software Security Engineer at Microsoft® and is responsible for helping Microsoft product teams evaluate the impact of threats to their product or component. He has specialized in application security for several years, including serving as a managing security architect for @stake, a leading digital security consulting firm.
Window Snyder
Window Snyder is a program manager for the Microsoft® Secure Windows® Initiative Team. She is the former director of Security Architecture for @stake, and has dedicated eight years to the security industry as a consultant and as a software engineer.