O'Reilly logo

Threat Modeling: Designing for Security by Adam Shostack

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Chapter 5Attack Libraries

Some practitioners have suggested that STRIDE is too high level, and should be replaced with a more detailed list of what can go wrong. Insofar as STRIDE being abstract, they're right. It could well be useful to have a more detailed list of common problems.

A library of attacks can be a useful tool for finding threats against the system you're building. There are a number of ways to construct such a library. You could collect sets of attack tools; either proof-of-concept code or fully developed (“weaponized”) exploit code can help you understand the attacks. Such a collection, where no modeling or abstraction has taken place, means that each time you pick up the library, each participant needs to spend time and energy creating a model from the attacks. Therefore, a library that provides that abstraction (and at a more detailed level than STRIDE) could well be useful. In this chapter, you'll learn about several higher-level libraries, including how they compare to checklists and literature reviews, and a bit about the costs and benefits of creating a new one.

Properties of Attack Libraries

As stated earlier, there are a number of ways to construct an attack library, so you probably won't be surprised to learn that selecting one involves trade-offs, and that different libraries address different goals. The major decisions to be made, either implicitly or explicitly, are as follows:

  • Audience
  • Detail versus abstraction
  • Scope

Audience refers to whom the ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required