August 03, 2004
Book Review - Threat Modeling
I finished reading Threat Modeling last week but just haven't had time to blog a review about it until now.
I first learned of Frank Swiderski when he worked at @stake, meeting him in passing at a convention. When I heard he was working for Microsoft as an application security specialist I wasn't to sure what was going on.
Out of no where, announcements of his new book on threat modeling were abound. I dug deep trying to find it, only to learn it wasn't actually released. I waved my money at Amazon, but they just wouldn't take it until the pre-order.
Long story short, I finally got it. And it was well worth the wait.
If I could sum up the book in a single sentence it would be something like, "Frank took the ball from Michael in Writing Secure Code (WSC) and ran with it to the goal line." This book picks up where Michael left off, and completes the picture of threat modeling in greater depth. But you would have to expect that. The threat modeling process is evolving at Microsoft and the snap shot we see in this book is knowledge improved upon since the release of WSC. Actually, you will notice a big difference between v1 and v2 of WSC, and this step was logical in the new book.
With that said, an abridged table of contents can show how this was broken down:
Now that I read that TOC, it doesn't do the book justice. Let me see if I can provide some highlights of the book.
First off, one thing I really liked was the fact that almost HALF the book is dedicated to actual sample threat models, showing practical applications approached differently. Throughout the book three examples were used:
An area which I enjoyed was looking at how an advesary would approach the system. Now, this isn't like how Gary did it in Exploiting Software: How to Break Code. In a simplistic overview, Frank presents it like:
An advesary's view is based on entry points of the system, which when entered get you access to assets, based on what trust level you appear to have. An application can not be attacked unless an adversary has a way to interact with it, and an asset of interest must exist for that to occur. In other words, a threat cannot exist unless there is an asset that interests the advesary.You can explore how this comes about by properly modeling the system with the use of data flow diagrams (DFD). I really enjoyed this part, as I never properly understood how to graphically depict this. With this new knowledge I will make better use of the visio component in the threat modeling tool Frank released.
Quite frankly I found a lot of things approached different in the book. In my office our use of threat modeling has been to create a Threat Profile by classifying threats against STRIDE effects for each part of the system, and then map attack trees on how to exploit that. When complete we would then use the standard infosec risk formula of...
risk = Probability(chance) * Damage Potential (damage)... to prioritize the risks and they reduce it with mitigation techniques.
This book showed me a lot of new ways to approach threat modeling. We were only doing a fraction of what really COULD be done in threat moding. From data flow diagrams to DREAD analysis, the book shows how to properly do an end to end threat model.
Would I recommend this book? Absolutely. Do I have any complaints? Only that I now want to go back and redo our threat models in greater depth. I have to make time for this... crucial time I don't really have. Of course, the book even covers that off, and helps to show how in a time crunch, how to prioritize things to get the most in the least amount of time.
I arrogantly believed I knew everything there was "needed to be known" about threat modeling to use it in a real world environment. I was wrong. This book has exposed me to a greater depth modeling process which should be a requirement in any development environment. Get this book. Period.Posted by SilverStr at August 3, 2004 08:40 AM | TrackBack