Secure Coding mailing list archives

Book review - Threat Modeling


From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Tue, 03 Aug 2004 21:06:06 +0100

Hi all,

While doing a bit of daily reading today, I found a review of Frank 
Swiderski's "Threat Modeling" book at Dana Epp's blog site (see 
http://silverstr.ufies.org/blog/archives/000661.html).  With gracious 
permission to repost from Dana, below is the text of the book review.

Cheers,

Ken van Wyk
http://www.KRvW.com

=================

August 03, 2004

Book Review - Threat Modeling
by Dana Epp, http://silverstr.ufies.org/blog/

I finished reading Threat Modeling last week but just haven't had time to blog 
a review about it until now. 

I first learned of Frank Swiderski when he worked at @stake, meeting him in 
passing at a convention. When I heard he was working for Microsoft as an 
application security specialist I wasn't too sure what was going on.

Then he released a pretty good threat modeling tool (check out his Channel9 
interview on the subject) and I started to put it together.

Out of nowhere, announcements of his new book on threat modeling abounded. 
I dug deep trying to find it, only to learn it wasn't actually released. I 
waved my money at Amazon, but they just wouldn't take it until the pre-order.

Long story short, I finally got it. And it was well worth the wait.

If I could sum up the book in a single sentence it would be something like, 
"Frank took the ball from Michael in Writing Secure Code (WSC) and ran with 
it to the goal line." This book picks up where Michael left off, and 
completes the picture of threat modeling in greater depth. But you would have 
to expect that. The threat modeling process is evolving at Microsoft and the 
snapshot we see in this book is knowledge improved upon since the release of 
WSC. Actually, you will notice a big difference between v1 and v2 of WSC, and 
this step was logical in the new book.

With that said, an abridged table of contents can show how this was broken 
down:

Introduction to Application Security
Why Threat Modeling
How an Adversary Sees an Application
Constraining and Modeling the Application
The Threat Profile
Choosing What to Model
Testing Based on a Threat Model
Making Threat Modeling Work
Sample Threat Models

Now that I read that TOC, it doesn't do the book justice. Let me see if I can 
provide some highlights of the book.

First off, one thing I really liked was the fact that almost HALF the book is 
dedicated to actual sample threat models, showing practical applications 
approached differently. Throughout the book three examples were used:

Fabrikam Phone 1.0 - A phone system
Humongous Insurance Price Quote Website - A simple web application
A. Datum Corporation Access Control API - A software library

These three examples were interesting as they showed different approaches to 
threat modeling, in three different areas. These examples really hit home for 
me, and brought concepts together quite nicely.

An area which I enjoyed was looking at how an adversary would approach the 
system. Now, this isn't like how Gary did it in Exploiting Software: How to 
Break Code. In a simplistic overview, Frank presents it like:

An adversary's view is based on entry points of the system, which when entered 
get you access to assets, based on what trust level you appear to have. An 
application cannot be attacked unless an adversary has a way to interact 
with it, and an asset of interest must exist for that to occur. In other 
words, a threat cannot exist unless there is an asset that interests the 
adversary.

You can explore how this comes about by properly modeling the system with the 
use of data flow diagrams (DFD). I really enjoyed this part, as I never 
properly understood how to graphically depict this. With this new knowledge I 
will make better use of the Visio component in the threat modeling tool Frank 
released.

Quite frankly I found a lot of things approached differently in the book. In my 
office our use of threat modeling has been to create a Threat Profile by 
classifying threats against STRIDE effects for each part of the system, and 
then map attack trees on how to exploit that. When complete we would then use 
the standard infosec risk formula of...

risk = Probability (chance) * Damage Potential (damage)

... to prioritize the risks and then reduce them with mitigation techniques.

This book showed me a lot of new ways to approach threat modeling. We were 
only doing a fraction of what really COULD be done in threat modeling. From 
data flow diagrams to DREAD analysis, the book shows how to properly do an 
end-to-end threat model.

Would I recommend this book? Absolutely. Do I have any complaints? Only that I 
now want to go back and redo our threat models in greater depth. I have to 
make time for this... crucial time I don't really have. Of course, the book 
even covers that, and shows how, in a time crunch, to prioritize things to 
get the most done in the least amount of time.

I arrogantly believed I knew everything there was "needed to be known" about 
threat modeling to use it in a real world environment. I was wrong. This book 
has exposed me to a modeling process of greater depth which should be a 
requirement in any development environment. Get this book. Period.
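As an added illustration (not code from the book, the review, or Frank Swiderski's tool) of the entry-point/asset/trust-level view and the STRIDE, DREAD and risk-formula prioritization the review describes, here is a small Python model. The trust levels, entry points, assets and ratings are constructed and only loosely named after the book's Humongous Insurance example, and approximating the formula's probability from three DREAD ratings is an assumption of this example.

```python
from dataclasses import dataclass

# Trust levels an adversary may appear to hold, lowest to highest (constructed).
ANONYMOUS, CUSTOMER, ADMIN = 0, 1, 2

@dataclass
class EntryPoint:
    name: str
    trust: int            # trust level granted to whoever enters here

@dataclass
class Asset:
    name: str
    required_trust: int   # minimum trust level needed to reach the asset

@dataclass
class Threat:
    asset: str
    stride: str           # STRIDE category: S, T, R, I, D or E
    damage: int           # DREAD ratings, each 1-10
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread(self) -> float:
        """DREAD score: mean of the five ratings."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5

    def simple_risk(self) -> float:
        """Reviewer's formula risk = probability * damage; probability is
        approximated (assumption) by the three likelihood-style ratings."""
        chance = (self.reproducibility + self.exploitability + self.discoverability) / 30
        return chance * self.damage

def reachable_assets(entry_points, assets):
    """Map each entry point to the assets its trust level can reach."""
    return {ep.name: sorted(a.name for a in assets if ep.trust >= a.required_trust)
            for ep in entry_points}

def prioritize(threats, entry_points, assets):
    """No reachable asset, no threat: keep only threats against assets some entry
    point can reach, ordered by DREAD score (highest first)."""
    reachable = set().union(*reachable_assets(entry_points, assets).values())
    return sorted((t for t in threats if t.asset in reachable),
                  key=lambda t: t.dread(), reverse=True)

# Constructed sample model: no entry point grants ADMIN, so "pricing rules" is unreachable.
ENTRY_POINTS = [EntryPoint("quote form", ANONYMOUS), EntryPoint("customer portal", CUSTOMER)]
ASSETS = [Asset("public rate sheet", ANONYMOUS), Asset("customer contact details", CUSTOMER),
          Asset("pricing rules", ADMIN)]
THREATS = [Threat("customer contact details", "I", 7, 8, 6, 8, 5),
           Threat("pricing rules", "T", 9, 3, 2, 10, 2),
           Threat("public rate sheet", "D", 3, 9, 9, 6, 9)]
```

Note that the two scoring methods can order the same threats differently: DREAD ranks the denial-of-service threat first, while the reviewer's probability-times-damage formula ranks the information-disclosure threat first.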
