August 03, 2004

Book Review - Threat Modeling

I finished reading Threat Modeling last week but just haven't had time to blog a review about it until now.

I first learned of Frank Swiderski when he worked at @stake, meeting him in passing at a convention. When I heard he was working for Microsoft as an application security specialist I wasn't too sure what was going on.

Then he released a pretty good threat modeling tool (check out his Channel9 interview on the subject) and I started to put it together.

Out of nowhere, announcements of his new book on threat modeling abounded. I dug deep trying to find it, only to learn it wasn't actually released. I waved my money at Amazon, but they just wouldn't take it until the pre-order.

Long story short, I finally got it. And it was well worth the wait.

If I could sum up the book in a single sentence it would be something like, "Frank took the ball from Michael in Writing Secure Code (WSC) and ran with it to the goal line." This book picks up where Michael left off, and completes the picture of threat modeling in greater depth. But you would have to expect that. The threat modeling process is evolving at Microsoft and the snapshot we see in this book is knowledge improved upon since the release of WSC. Actually, you will notice a big difference between v1 and v2 of WSC, and this step was logical in the new book.

With that said, an abridged table of contents can show how this was broken down:

  1. Introduction to Application Security
  2. Why Threat Modeling
  3. How an Adversary Sees an Application
  4. Constraining and Modeling the Application
  5. The Threat Profile
  6. Choosing What to Model
  7. Testing Based on a Threat Model
  8. Making Threat Modeling Work
  9. Sample Threat Models

Now that I read that TOC, it doesn't do the book justice. Let me see if I can provide some highlights of the book.

First off, one thing I really liked was the fact that almost HALF the book is dedicated to actual sample threat models, showing practical applications approached differently. Throughout the book three examples were used:

  1. Fabrikam Phone 1.0 - A phone system
  2. Humongous Insurance Price Quote Website - A simple web application
  3. A. Datum Corporation Access Control API - A software library

These three examples were interesting as they showed different approaches to threat modeling, in three different areas. These examples really hit home for me, and brought concepts together quite nicely.

An area which I enjoyed was looking at how an adversary would approach the system. Now, this isn't like how Gary did it in Exploiting Software: How to Break Code. In a simplistic overview, Frank presents it like:

An adversary's view is based on entry points of the system, which when entered get you access to assets, based on what trust level you appear to have. An application cannot be attacked unless an adversary has a way to interact with it, and an asset of interest must exist for that to occur. In other words, a threat cannot exist unless there is an asset that interests the adversary.

You can explore how this comes about by properly modeling the system with the use of data flow diagrams (DFD). I really enjoyed this part, as I never properly understood how to graphically depict this. With this new knowledge I will make better use of the Visio component in the threat modeling tool Frank released.

Quite frankly I found a lot of things approached differently in the book. In my office our use of threat modeling has been to create a Threat Profile by classifying threats against STRIDE effects for each part of the system, and then map attack trees on how to exploit that. When complete we would then use the standard infosec risk formula of...

risk = Probability(chance) * Damage Potential (damage)

... to prioritize the risks and then reduce them with mitigation techniques.
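
The filtering and ranking described above can be sketched in a few lines. This is an added illustration, not code from the book or the original post; the trust levels, entry points, assets and scores are constructed sample data loosely modeled on a price quote website.

```python
from dataclasses import dataclass

# Trust levels, least to most privileged (constructed for this sketch).
TRUST = {"anonymous": 0, "customer": 1, "admin": 2}

@dataclass(frozen=True)
class EntryPoint:
    name: str
    min_trust: str   # lowest trust level allowed to use this entry point
    assets: tuple    # assets reachable once through it

@dataclass(frozen=True)
class Threat:
    entry: str
    asset: str
    stride: str          # STRIDE category letter
    probability: float   # chance estimate, 0..1
    damage: int          # damage potential, 1..10

    @property
    def risk(self):
        # risk = probability * damage potential
        return self.probability * self.damage

def reachable(entry_points, trust):
    """(entry, asset) pairs an adversary holding `trust` can interact with."""
    return {(e.name, a) for e in entry_points
            if TRUST[trust] >= TRUST[e.min_trust] for a in e.assets}

def prioritize(entry_points, threats, trust):
    """Drop threats lacking a usable entry point/asset pair; rank the rest by risk."""
    live = reachable(entry_points, trust)
    kept = [t for t in threats if (t.entry, t.asset) in live]
    return sorted(kept, key=lambda t: t.risk, reverse=True)

ENTRY_POINTS = [
    EntryPoint("quote form", "anonymous", ("pricing rules",)),
    EntryPoint("account page", "customer", ("customer records",)),
    EntryPoint("admin console", "admin", ("pricing rules", "customer records")),
    EntryPoint("status page", "anonymous", ()),  # reaches no asset
]
THREATS = [
    Threat("quote form", "pricing rules", "T", 0.6, 5),
    Threat("account page", "customer records", "I", 0.3, 9),
    Threat("admin console", "customer records", "E", 0.1, 10),
    Threat("status page", "customer records", "I", 0.9, 9),  # no path to the asset
]

if __name__ == "__main__":
    for t in prioritize(ENTRY_POINTS, THREATS, "customer"):
        print(f"{t.risk:4.1f}  {t.stride}  {t.entry} -> {t.asset}")
```

The status page entry carries the highest raw score in the sample data, yet it never appears in the ranking because that entry point leads to no asset.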

This book showed me a lot of new ways to approach threat modeling. We were only doing a fraction of what really COULD be done in threat modeling. From data flow diagrams to DREAD analysis, the book shows how to properly do an end-to-end threat model.

Would I recommend this book? Absolutely. Do I have any complaints? Only that I now want to go back and redo our threat models in greater depth. I have to make time for this... crucial time I don't really have. Of course, the book even covers that off, and helps to show how, in a time crunch, to prioritize things to get the most in the least amount of time.

I arrogantly believed I knew everything there was "needed to be known" about threat modeling to use it in a real world environment. I was wrong. This book has exposed me to a greater depth modeling process which should be a requirement in any development environment. Get this book. Period.

Posted by SilverStr at August 3, 2004 08:40 AM

You *must* aggregate all of your book reviews into a "Reviews" link on the sidebar. . . I have always found your reviews to be even-handed and informative. Now that I've got some time to actually invest in catching up with security literature, I find myself searching for "Book Review" in your archive on a regular basis.

Posted by: Ryan Nielsen at August 3, 2004 12:35 PM

Good idea Ryan.

When I have some time I will do just that.

Thanks, and keep reading!

Posted by: SilverStr at August 6, 2004 04:07 PM

Does the book offer an extensive bibliography, and do those who have discovered important techniques receive the deserved credit?

I'm asking because I've read too many computer security books which severely lack references and are quite useless if you have to delve deeper into some topic.

Posted by: Florian Weimer at August 12, 2004 11:52 PM


The book does not include a detailed bibliography, but I can tell you that throughout the book Frank points to research and information from where a lot of this comes.

The way this approach to threat modeling has been done in the book includes a lot of trail blazing work from the guys within Microsoft... so not a lot of "historical" references yet exist.

The book is well worth its weight in gold; it IS the reference you want to delve deeper into the topic of threat modeling.

Posted by: SilverStr at August 14, 2004 03:41 PM