Table of Contents

Introduction xxi

Part I Getting Started 1

Chapter 1 Dive In and Threat Model! 3

Learning to Threat Model 4

Threat Modeling on Your Own 26

Checklists for Diving In and Threat Modeling 27

Summary 28

Chapter 2 Strategies for Threat Modeling 29

“What’s Your Threat Model?” 30

Brainstorming Your Threats 31

Structured Approaches to Threat Modeling 34

Models of Software 43

Summary 56

Part II Finding Threats 59

Chapter 3 STRIDE 61

Understanding STRIDE and Why It’s Useful 62

Spoofing Threats 64

Tampering Threats 67

Repudiation Threats 68

Information Disclosure Threats 70

Denial-of-Service Threats 72

Elevation of Privilege Threats 73

Extended Example: STRIDE Threats against Acme-DB 74

STRIDE Variants 78

Exit Criteria 85

Summary 85

Chapter 4 Attack Trees 87

Working with Attack Trees 87

Representing a Tree 91

Example Attack Tree 94

Real Attack Trees 96

Perspective on Attack Trees 98

Summary 100

Chapter 5 Attack Libraries 101

Properties of Attack Libraries 101

CAPEC 104

OWASP Top Ten 108

Summary 108

Chapter 6 Privacy Tools 111

Solove’s Taxonomy of Privacy 112

Privacy Considerations for Internet Protocols 114

Privacy Impact Assessments (PIA) 114

The Nymity Slider and the Privacy Ratchet 115

Contextual Integrity 117

LINDDUN 120

Summary 121

Part III Managing and Addressing Threats 123

Chapter 7 Processing and Managing Threats 125

Starting the Threat Modeling Project 126

Digging Deeper into Mitigations 130

Tracking with Tables and Lists 133

Scenario-Specifi c Elements of Threat Modeling 138

Summary 143

Chapter 8 Defensive Tactics and Technologies 145

Tactics and Technologies for Mitigating Threats 145

Addressing Threats with Patterns 159

Mitigating Privacy Threats 160

Summary 164

Chapter 9 Trade-Off s When Addressing Threats 167

Classic Strategies for Risk Management 168

Selecting Mitigations for Risk Management 170

Threat-Specific Prioritization Approaches 178

Mitigation via Risk Acceptance 184

Arms Races in Mitigation Strategies 185

Summary 186

Chapter 10 Validating That Threats Are Addressed 189

Testing Threat Mitigations 190

Checking Code You Acquire 192

QA’ing Threat Modeling 195

Process Aspects of Addressing Threats 197

Tables and Lists 198

Summary 202

Chapter 11 Threat Modeling Tools 203

Generally Useful Tools 204

Open-Source Tools 206

Commercial Tools 208

Tools That Don’t Exist Yet 213

Summary 213

Part IV Threat Modeling in Technologies and Tricky Areas 215

Chapter 12 Requirements Cookbook 217

Why a “Cookbook”? 218

The Interplay of Requirements, Threats, and Mitigations 219

Business Requirements 220

Prevent/Detect/Respond as a Frame for Requirements 221

People/Process/Technology as a Frame for Requirements 227

Development Requirements vs. Acquisition Requirements 228

Compliance-Driven Requirements 229

Privacy Requirements 231

The STRIDE Requirements 234

Non-Requirements 240

Summary 242

Chapter 13 Web and Cloud Threats 243

Web Threats 243

Cloud Tenant Threats 246

Cloud Provider Threats 249

Mobile Threats 250

Summary 251

Chapter 14 Accounts and Identity 253

Account Life Cycles 254

Authentication 259

Account Recovery 271

Names, IDs, and SSNs 282

Summary 290

Chapter 15 Human Factors and Usability 293

Models of People 294

Models of Software Scenarios 304

Threat Elicitation Techniques 311

Tools and Techniques for Addressing Human Factors 316

User Interface Tools and Techniques 322

Testing for Human Factors 327

Perspective on Usability and Ceremonies 329

Summary 331

Chapter 16 Threats to Cryptosystems 333

Cryptographic Primitives 334

Classic Threat Actors 341

Attacks against Cryptosystems 342

Building with Crypto 346

Things to Remember about Crypto 348

Secret Systems: Kerckhoffs and His Principles 349

Summary 351

Part V Taking It to the Next Level 353

Chapter 17 Bringing Threat Modeling to Your Organization 355

How To Introduce Threat Modeling 356

Who Does What? 359

Threat Modeling within a Development Life Cycle 367

Overcoming Objections to Threat Modeling 379

Summary 383

Chapter 18 Experimental Approaches 385

Looking in the Seams 386

Operational Threat Models 387

The “Broad Street” Taxonomy 392

Adversarial Machine Learning 398

Threat Modeling a Business 399

Threats to Threat Modeling Approaches 400

How to Experiment 404

Summary 405

Chapter 19 Architecting for Success 407

Understanding Flow 407

Knowing the Participants 413

Boundary Objects 414

The Best Is the Enemy of the Good 415

Closing Perspectives 416

Summary 419

Now Threat Model 420

Appendix A Helpful Tools 421

Common Answers to “What’s Your Threat Model?” 421

Appendix B Threat Trees 429

STRIDE Threat Trees 430

Other Threat Trees 470

Appendix C Attacker Lists 477

Attacker Lists 478

Appendix D Elevation of Privilege: The Cards 501

Spoofing 501

Tampering 503

Repudiation 504

Information Disclosure 506

Denial of Service 507

Elevation of Privilege (EoP) 508

Appendix E Case Studies 511

The Acme Database 512

Acme’s Operational Network 519

Phones and One-Time Token Authenticators 525

Sample for You to Model 528

Glossary 533

Bibliography 543

Index 567

About the Author

Adam Shostack is a principal program manager on Microsoft s Trustworthy Computing Team. His experience as an operational systems manager and product developer at companies from startups to Microsoft ensures this book is practical and grounded. He helped found the CVE, the Privacy Enhancing Technologies Symposium, and more.