July 7th, 2005

Book Review: Threat Modeling

Heath Stewart
Principal Software Engineer

Threat Modeling by our own Frank Swiderski and Window Snyder is one of those books you should read. Threat modeling may not be new, but if you’re new to threat modeling you should pick up this book.

Threat modeling is about understanding the threats to your application or feature and deciding how to mitigate them so that you aren't left with vulnerabilities. The book is written to help program managers, developers, and testers alike construct and maintain threat models throughout the development lifecycle. Frank also wrote a tool, available from the Microsoft Download Center, that eases the work of maintaining the threat model document: it presents the model as a simple tree view and lets you associate nodes with one another, for example assigning roles to threats.

The book is short at only 169 pages, but it could be shorter. My biggest complaint with this book is that it's incredibly redundant. The first two chapters are spent discussing why threat modeling is important. It is a valid point, as many people may be wondering why threat modeling is important or even what it is. Two chapters may be a little extensive, though, and they constantly repeat the same ideas.

Page 13 of the introduction does make a statement that might help in avoiding much of this redundancy:

Development team members who want to skim this book for an overview should look at Chapter 2, which describes the overall threat modeling process. Chapters 3 and 5 will also be valuable to those looking for shortcuts because they describe entry points, assets, and the threat profile. Chapter 4 describes bounding the threat modeling discussion. The rest of the chapters, which flesh out the threat modeling process, will be most important for a project’s security process manager.

I, of course, read the whole thing. So, some redundancy is warranted, since this book itself implies that it is a sort of reference book. But even consecutive sections within the aforementioned chapters repeat the same statements. There is a difference between driving a point home and driving your reader crazy.

I would also add that, if you are going to use the book as a reference, you should take a look at Part 4 (appendices A, B, and C), which contains the complete threat model documents for the three example features used throughout the book.

This is a good book for anyone in software design and development who wants to understand how to write secure software. Every entry and exit point is an attack surface where threats apply, and an unmitigated threat is a vulnerability. Feature- and program-level threat modeling helps to mitigate those threats by identifying, for each entry point, its use cases and non-use cases, the roles that access it, the threats against it classified with STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege), the risk each threat poses ranked with DREAD (Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability), and internal and external notes about the threats. The book also points out that a threat model document is a living document, meaning that it should be kept current as the design of the feature or program changes.
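To make the structure described above concrete, here is an added example (not code from the book or from Frank's tool) that records a small threat model as data: entry points with the roles that reach them, threats classified by STRIDE letter and scored with DREAD, and a mitigation field. It computes the DREAD rank as the mean of the five ratings on a 1 to 10 scale (the scale and the averaging are this example's assumptions), reports unmitigated threats as the vulnerabilities to fix first, and runs the consistency checks you would want whenever the living document changes: every entry point has threats recorded, every threat points at a known entry point, and every STRIDE letter is valid. The feature, entry points, threats and scores are constructed for illustration.

```python
"""Threat model as data: STRIDE classification, DREAD ranking, consistency checks.

Added example; the feature, entry points, scores and helper names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# STRIDE categories; keying them by first letter is this example's convention.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# DREAD components; each is rated 1 (low) to 10 (high) in this example.
DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass
class EntryPoint:
    name: str
    roles: list  # roles (trust levels) allowed to use this entry point


@dataclass
class Threat:
    entry_point: str
    stride: str            # one STRIDE letter
    description: str
    dread: dict            # DREAD field -> rating 1..10
    mitigation: Optional[str] = None  # None means the threat is unmitigated

    def dread_score(self) -> float:
        """DREAD rank: arithmetic mean of the five ratings, one decimal place."""
        return round(sum(self.dread[f] for f in DREAD_FIELDS) / len(DREAD_FIELDS), 1)


def validate(entry_points, threats):
    """Return consistency problems a reviewer would flag in the document."""
    problems = []
    known = {ep.name for ep in entry_points}
    for t in threats:
        if t.entry_point not in known:
            problems.append(f"threat {t.description!r} targets unknown entry point {t.entry_point!r}")
        if t.stride not in STRIDE:
            problems.append(f"threat {t.description!r} has unknown STRIDE category {t.stride!r}")
        bad = [f for f in DREAD_FIELDS if not 1 <= t.dread.get(f, 0) <= 10]
        if bad:
            problems.append(f"threat {t.description!r} has missing or out-of-range DREAD ratings {bad}")
    covered = {t.entry_point for t in threats}
    for ep in entry_points:
        if ep.name not in covered:
            problems.append(f"entry point {ep.name!r} has no threats recorded")
    return problems


def vulnerabilities(threats):
    """Unmitigated threats (the vulnerabilities), highest DREAD rank first."""
    return sorted((t for t in threats if t.mitigation is None),
                  key=lambda t: t.dread_score(), reverse=True)


# Constructed sample: a web login feature with two entry points.
ENTRY_POINTS = [
    EntryPoint("Login form (HTTP POST /login)", ["anonymous"]),
    EntryPoint("Admin console (HTTP /admin)", ["administrator"]),
]

THREATS = [
    Threat("Login form (HTTP POST /login)", "S", "Credential guessing against the login form",
           dict(damage=8, reproducibility=9, exploitability=7, affected_users=10, discoverability=9),
           mitigation="Account lockout and per-IP rate limiting"),
    Threat("Login form (HTTP POST /login)", "T", "Tampering with the session cookie after login",
           dict(damage=9, reproducibility=6, exploitability=5, affected_users=10, discoverability=6)),
    Threat("Login form (HTTP POST /login)", "D", "Flooding login with requests to exhaust password hashing CPU",
           dict(damage=5, reproducibility=8, exploitability=6, affected_users=10, discoverability=5)),
    Threat("Admin console (HTTP /admin)", "I", "Verbose error pages leak stack traces to administrators' browsers",
           dict(damage=4, reproducibility=9, exploitability=8, affected_users=3, discoverability=6),
           mitigation="Generic error page; details logged server-side only"),
]

if __name__ == "__main__":
    for p in validate(ENTRY_POINTS, THREATS):
        print("PROBLEM:", p)
    for t in vulnerabilities(THREATS):
        print(f"{t.dread_score():4.1f}  {STRIDE[t.stride]:<22} {t.entry_point}: {t.description}")
```

Running the script prints no problems for the sample model and lists the two unmitigated threats (cookie tampering at 7.2, then the hashing denial of service at 6.8); the mitigated credential-guessing threat scores higher at 8.6 but is not a vulnerability because a mitigation is recorded. Re-running `validate` after every design change is the cheap way to keep the document alive: adding an entry point without recording its threats, or renaming one without updating its threats, shows up immediately.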

This is a good companion book to Code Complete, Second Edition and Writing Secure Code, Second Edition.


Author

Heath Stewart
Principal Software Engineer

Heath is an application architect and developer who enjoys helping others learn professional development. Besides designing and developing applications, he writes about intermediate and advanced topics. Heath also consults on deployment packages and scenarios within Microsoft and for external customers.
