Threat Modeling (Microsoft Professional Books Series)

by Frank Swiderski, Window Snyder

Paperback

$34.99

Product Details

ISBN-13: 9780735619913
Publisher: Microsoft Press
Publication date: 06/16/2004
Series: Microsoft Professional Books Series
Pages: 288
Product dimensions: 7.38(w) x 9.00(h) x 0.59(d)

About the Author

Frank Swiderski is a Software Security Engineer at Microsoft® and is responsible for helping Microsoft product teams evaluate the impact of threats to their product or component. He has specialized in application security for several years, including serving as a managing security architect for @stake, a leading digital security consulting firm.

Window Snyder is a program manager for the Microsoft® Secure Windows® Initiative Team. She is the former director of Security Architecture for @stake, and has dedicated eight years to the security industry as a consultant and as a software engineer.

Table of Contents

Reviewer Acclaim for Frank Swiderski, Window Snyder, and Threat Modeling;
Introduction;
The Threat Modeling Process;
Who Should Read This Book?;
What Will Development Teams Gain from This Book?;
The Book’s Samples;
Support;
Part I: Application Security;
Chapter 1: Introduction to Application Security;
Historical Perspective: Setting the Stage for Threat Modeling;
Code Reviews During Design and Implementation;
Why Application Security Is Critical to Business;
The Application Security Life Cycle;
Elements of Application Security;
Roles in Application Security;
Summary;
Chapter 2: Why Threat Modeling?;
Defining Threat Modeling;
Examining the Threat Modeling Process;
Organizing a Threat Model;
Summary;
Part II: Understanding Threat Modeling;
Chapter 3: How an Adversary Sees an Application;
The Adversary’s Goals;
Principles of the Data Flow Approach;
Analyzing Entry Points;
Determining Which Assets Are of Interest;
Trust Levels;
Summary;
Chapter 4: Constraining and Modeling the Application;
Gathering Relevant Background Information;
Modeling the Application Through Data Flow Diagrams;
Summary;
Chapter 5: The Threat Profile;
Identifying Threats;
Investigating Threats with Threat Trees;
Vulnerability Resolution and Mitigation;
Summary;
Part III: Using Threat Modeling Effectively;
Chapter 6: Choosing What to Model;
Creating Feature-Level Threat Models;
Creating Application-Level Threat Models;
Knowing When a Threat Model Is Finished;
Questions Threat Model Teams Should Pose;
Summary;
Chapter 7: Testing Based on a Threat Model;
The Benefits and Shortcomings of Security Testing;
Using Threat Models to Drive Security Testing;
Characterizing the Application’s Security Risk;
Summary;
Chapter 8: Making Threat Modeling Work;
Practical Considerations;
Revisiting the Threat Model;
Where to Go for Help;
Managing the Threat Modeling Process;
Summary;
Part IV: Sample Threat Models;
Appendix A: Fabrikam Phone 1.0;
Use Scenarios;
External Dependencies;
Implementation Assumptions;
External Security Notes;
Internal Security Notes;
Trust Levels;
Entry Points;
Assets;
Data Flow Diagrams;
Threats;
Vulnerabilities;
Appendix B: Humongous Insurance Price Quote Website;
Use Scenarios;
External Dependencies;
Implementation Assumptions;
External Security Notes;
Internal Security Notes;
Trust Levels;
Entry Points;
Assets;
Data Flow Diagrams;
Threats;
Vulnerabilities;
Appendix C: A. Datum Access Control API;
Use Scenarios;
External Dependencies;
Implementation Assumptions;
External Security Notes;
Internal Security Notes;
Trust Levels;
Entry Points;
Assets;
Data Flow Diagrams;
Threats;
Vulnerabilities;
About the Authors;
