Review – Threat Modeling: Designing for Security by Adam Shostack

As I mentioned in my recent post about what I learnt in my first year as a cyber security consultant, I always keep an ebook handy on my phone so I can learn something new on long train journeys. Most recently, this has been Threat Modeling: Designing for Security.

While my contact with threat modelling thus far has always been from a perspective of deciding which threats are most likely to affect an organisation, author Adam Shostack approaches the topic from the perspective of a team building a new system or product. When I started the book I thought this might limit its usefulness to me, but many of the lessons to be learnt here apply equally to software development and architecture.

The first sections focus on threat modelling techniques: how to map out your system’s data flows, how to build attack trees to visualise threats, and how to decide where your project starts and finishes. One of the most useful concepts here is the spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege (STRIDE) model, which is used to consider all of the ways an attacker could compromise your assets.

While all of that can be applied to some parts of my work, I found that much of the most useful content in Threat Modeling: Designing for Security came in later sections, where Shostack explores individual threats and the controls that can be used to mitigate them in more detail.

Across almost every area of cyber security, from account security and the human factor to cryptography and privacy, the book offers a look at the most common threats, what can be done to mitigate them, and what trade-offs this might mean in terms of usability. The breadth of subject matter covered means that the book could be used as an introduction to core security principles as much as a guide to threat modelling.

All of this detail is punctuated with anecdotes and advice on how to make threat modelling work within a real-life organisation, including how to broach the subject to development teams and get key stakeholders on board with the project, meaning the book also functions as a handbook for the application of threat modelling – not just the theory.

Threat modelling veterans may find themselves familiar with much of the content here, but for anyone working on (or alongside) a threat modelling project for the first time, Threat Modeling: Designing for Security makes a great companion guide.
