Like the Sith, the threats in this book are often seen as mysterious or shadowy. Too many engineers have been fooled into thinking that only a fully trained Jedi at the height of their powers can take on these threats. Much you have learned, and more to be learned there is. Overconfidence, must you avoid.

What you've learned in this book are specific threats and ways to counter them. These threats are far more powerful if you ignore them. Some can be addressed with straightforward engineering; others require complex trade-offs with nuance and traps for the careless. As you go forward, consider how each can be brought to bear on your systems. In Threat Modeling: Designing for Security, I've defined threat modeling as a family of techniques to help us answer four key questions.

• What are we working on?
• What can go wrong?
• What are we going to do about it?
• Did we do a good job?

As I teach, I've learned that many students struggle to answer the question “what can go wrong?” That is, discovering what threats apply to a system can be the hardest challenge in threat modeling.

It's easy for most people to express a few things that can go wrong, and it's hard for many to specify the technical mechanisms that lead to those outcomes. Some even feel a bit about security like Han Solo feels about the Force.

• Han: Hokey religions and ancient weapons are no match for a good blaster at your side, kid.
• Luke: You don't believe in the Force, do you?
• Han: Kid, I've flown from one side ...