August 03, 2004

Book Review - Threat Modeling

I finished reading Threat Modeling last week but just haven't had time to blog a review about it until now. I first learned of Frank Swiderski when he worked at @stake, meeting him in passing at a convention. When I heard he was working for Microsoft as an application security specialist I wasn't too sure what was going on. Then he released a pretty good threat modeling tool (check out his Channel9 interview on the subject) and I started to put it together. Out of nowhere, announcements of his new book on threat modeling abounded. I dug deep trying to find it, only to learn it wasn't actually released. I waved my money at Amazon, but they just wouldn't take it until the pre-order. Long story short, I finally got it. And it was well worth the wait.

If I could sum up the book in a single sentence it would be something like, "Frank took the ball from Michael in Writing Secure Code (WSC) and ran with it to the goal line." This book picks up where Michael left off, and completes the picture of threat modeling in greater depth. But you would have to expect that. The threat modeling process is evolving at Microsoft and the snapshot we see in this book is knowledge improved upon since the release of WSC. Actually, you will notice a big difference between v1 and v2 of WSC, and this step was logical in the new book. With that said, an abridged table of contents can show how this was broken down:
Now that I've read that TOC, it doesn't do the book justice. Let me see if I can provide some highlights of the book. First off, one thing I really liked was the fact that almost HALF the book is dedicated to actual sample threat models, showing practical applications approached differently. Throughout the book three examples were used:
An area which I enjoyed was looking at how an adversary would approach the system. Now, this isn't like how Gary did it in Exploiting Software: How to Break Code. In a simplistic overview, Frank presents it like this: an adversary's view is based on the entry points of the system, which when entered get you access to assets, based on what trust level you appear to have. An application cannot be attacked unless an adversary has a way to interact with it, and an asset of interest must exist for that to occur. In other words, a threat cannot exist unless there is an asset that interests the adversary. You can explore how this comes about by properly modeling the system with the use of data flow diagrams (DFD). I really enjoyed this part, as I never properly understood how to graphically depict this. With this new knowledge I will make better use of the Visio component in the threat modeling tool Frank released.

Quite frankly I found a lot of things approached differently in the book. In my office our use of threat modeling has been to create a Threat Profile by classifying threats against STRIDE effects for each part of the system, and then map attack trees on how to exploit that. When complete we would then use the standard infosec risk formula of risk = Probability (chance) * Damage Potential (damage) to prioritize the risks and then reduce them with mitigation techniques. This book showed me a lot of new ways to approach threat modeling. We were only doing a fraction of what really COULD be done in threat modeling. From data flow diagrams to DREAD analysis, the book shows how to properly do an end-to-end threat model.

Would I recommend this book? Absolutely. Do I have any complaints? Only that I now want to go back and redo our threat models in greater depth. I have to make time for this... crucial time I don't really have. Of course, the book even covers that off, and shows how, in a time crunch, to prioritize things to get the most done in the least amount of time.
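As an added example (not code from the book, from Frank's tool, or from the reviewer's office), here is the threat-profile approach the paragraph above describes, in Python: entry points that grant a trust level and expose assets, a rule that a threat must target an asset reachable through its entry point, STRIDE classification, and prioritisation by risk = probability * damage potential with a DREAD score alongside. The sample system, its scores, and the DREAD-as-mean-of-five convention are assumptions for illustration.

```python
# Added example: a small threat-profile model in the shape the review describes.
# An adversary reaches assets only through entry points, at the trust level the
# entry point grants; each threat gets a STRIDE category and is prioritised by
# risk = probability * damage potential, with a DREAD score as a tie-breaker.
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

@dataclass(frozen=True)
class EntryPoint:
    name: str
    trust_level: str        # what the caller appears to be at this entry point
    assets: tuple           # assets reachable through this entry point

@dataclass
class Threat:
    entry: EntryPoint
    asset: str
    stride: str             # one STRIDE letter
    probability: float      # 0..1 chance the attack is attempted and succeeds
    damage: int             # 1..10 damage potential
    dread: tuple = ()       # (Damage, Reproducibility, Exploitability,
                            #  Affected users, Discoverability), 1..10 each

    def __post_init__(self):
        # The book's rule: no reachable asset of interest means no threat.
        if self.asset not in self.entry.assets:
            raise ValueError(f"{self.asset!r} not reachable via {self.entry.name}")
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")

    def risk(self) -> float:
        return self.probability * self.damage      # the office formula

    def dread_score(self) -> float:
        # Assumed convention: mean of the five 1..10 DREAD ratings.
        return sum(self.dread) / len(self.dread) if self.dread else 0.0

def prioritise(threats):
    """Highest risk first; ties broken by DREAD score."""
    return sorted(threats, key=lambda t: (t.risk(), t.dread_score()), reverse=True)

# Constructed sample system: two entry points at different trust levels.
LOGIN = EntryPoint("login form", "anonymous", ("credentials", "session"))
ADMIN = EntryPoint("admin console", "authenticated admin", ("config", "audit log"))
SAMPLE = [
    Threat(LOGIN, "credentials", "I", 0.5, 8, (8, 7, 6, 9, 7)),
    Threat(LOGIN, "session", "S", 0.25, 6, (6, 5, 4, 6, 5)),
    Threat(ADMIN, "audit log", "R", 0.25, 9, (7, 6, 3, 4, 3)),
]
```

Ranking the constructed sample puts the anonymous-trust disclosure threat first, which is where the mitigation effort would go in a time crunch.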
I arrogantly believed I knew everything there was "needed to be known" about threat modeling to use it in a real world environment. I was wrong. This book has exposed me to a more in-depth modeling process which should be a requirement in any development environment. Get this book. Period.

Posted by SilverStr at August 3, 2004 08:40 AM

Comments
You *must* aggregate all of your book reviews into a "Reviews" link on the sidebar. . . I have always found your reviews to be even handed and informative. Now that I've got some time to actually invest in catching up with security literature, I find myself searching for "Book Review" in your archive on a regular basis.

Posted by: Ryan Nielsen at August 3, 2004 12:35 PM

Good idea Ryan. When I have some time I will do just that. Thanks, and keep reading!

Posted by: SilverStr at August 6, 2004 04:07 PM

Does the book offer an extensive bibliography, and do those who have discovered important techniques receive the deserved credit? I'm asking because I've read too many computer security books which severely lack references and are quite useless if you have to dwell deeper into some topic.

Posted by: Florian Weimer at August 12, 2004 11:52 PM

Florian, the book does not include a detailed bibliography, but I can tell you that throughout the book Frank points to research and information from where a lot of this comes from. The way this approach to threat modeling has been done in the book includes a lot of trail blazing work from the guys within Microsoft... so not a lot of "historical" references yet exist. The book is well worth its weight in gold; it IS the reference you want to delve deeper into the topic of threat modeling.

Posted by: SilverStr at August 14, 2004 03:41 PM