Threat modeling is one of the most essential--and most misunderstood--parts of the development lifecycle. Whether you're a security practitioner or a member of a development team, this book will help you gain a better understanding of how you can apply core threat modeling concepts to your practice to protect your systems against threats.
Contrary to popular belief, threat modeling doesn't require advanced security knowledge to initiate or a Herculean effort to sustain. But it is critical for spotting and addressing potential concerns in a cost-effective way before the code's written--and before it's too late to find a solution. Authors Izar Tarandach and Matthew Coles walk you through various ways to approach and execute threat modeling in your organization.
- Explore fundamental properties and mechanisms for securing data and system functionality
- Understand the relationship between security, privacy, and safety
- Identify key characteristics for assessing system security
- Get an in-depth review of popular and specialized techniques for modeling and analyzing your systems
- View the future of threat modeling and Agile development methodologies, including DevOps automation
- Find answers to frequently asked questions, including how to avoid common threat modeling pitfalls
Table of contents
- The Basics of Threat Modeling
- Essential Security Principles
- 1. Modeling Systems
- 2. A Generalized Approach to Threat Modeling
3. Threat Modeling Methodologies
- Before We Go Too Deep…
- Looking Through Filters, Angles, and Prisms
- To the Methodologies, at Last!
- Specialized Methodologies
- Shall We Play a Game?
4. Automated Threat Modeling
- Why Automate Threat Modeling?
- Threat Modeling from Code
- Threat Modeling with Code
- An Overview of Other Threat Modeling Tools
- Threat Modeling with ML and AI
- 5. Continuous Threat Modeling
6. Own Your Role as a Threat
- How Do I Get Leadership On-Board with Threat Modeling?
- How Do I Overcome Resistance from the Rest of the Product Team?
- How Do We Overcome the Sense of (or Actual) Failure at Threat Modeling?
- How Should I Choose a Threat Modeling Methodology from Many Similar Approaches?
- How Should I Deliver “the Bad News”?
- What Actions Should I Take for Accepted Findings?
- Did I Miss Something?
- Summary and Closing
- Further Reading
- A. A Worked Example
- B. The Threat Modeling Manifesto
- Title: Threat Modeling
- Release date: November 2020
- Publisher(s): O'Reilly Media, Inc.
- ISBN: 9781492056553
You might also like
Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis
This book introduces the Process for Attack Simulation & Threat Analysis (PASTA) threat modeling methodology. It …
Agile Application Security
Agile continues to be the most adopted software development methodology among organizations worldwide, but it generally …
Secure by Design
Secure by Design teaches you principles and best practices for writing highly secure software. At the …
(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 8th Edition
CISSP Study Guide - fully updated for the 2018 CISSP Body of Knowledge CISSP (ISC)2 Certified …