Threat Modeling: Designing for Security
by Adam Shostack

Wiley 2014.
ISBN 978-1-118-80999-0. USD 49.56

Reviewed by Richard Austin, July 17, 2014

As you've probably noticed, we seem to have a slight problem with software security, and though great strides have been made, vulnerabilities continue to appear on a disturbingly regular basis. A perennial problem is that the people who write software are largely not information security professionals, and when one is in thrall to the tyranny of schedule and functionality, security concerns may seem remote and almost irrelevant. Shostack envisions the process of threat modeling as a way of integrating security principles into the development process and making developers active participants in identifying and fixing vulnerabilities before the product reaches the door.

Shostack's threat modeling framework involves answering four basic questions: "What are you building?", "What can go wrong with it once it's built?", "What should you do about those things that can go wrong?", "Did you do a decent job of analysis?". The more jaded of us will immediately zoom in on the second question and archly opine that "most developers couldn't spot a security problem if they stepped in it".

While there is no "silver bullet" to make a seasoned defect-spotter out of a developer overnight, Shostack does describe a charming technique for helping groups think about security-relevant defects in a structured way: the "Elevation of Privilege" card game. It is, in fact, a real card game (the cards are available as a PDF download from Microsoft, and professionally printed cards are available, like most other things, on eBay) based on Microsoft's STRIDE threat framework (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege). And to save you the trouble of looking, there is really not supposed to be a "2 of Tampering", or a 2, 3 and 4 of "Elevation of Privilege". Players are dealt hands and play a card by trying to find its threat in their software. I have not used the game with professional developers, but students in a secure programming class very quickly picked up the rules and identified many more threats in a sample application than with the previous checklists, etc. While this was in no way a scientific study, it did pique my interest.

The entire book might be thought of as a handbook on how to play "Elevation of Privilege". It opens with an introduction to threat modeling and progresses through threat identification and how to address the identified threats. Shostack then branches out to examine threat modeling in the "tricky areas" such as the cloud and cryptosystems. The final section, "Taking it to the next level", offers guidance on how to introduce threat modeling into your organization (and deal with the objections of why it can't be done and is a waste of scarce developer time) and examines cutting edge techniques such as "kill chains" and machine learning.

Shostack's presentation style is lively and well-illustrated. Seasoned security professionals may find the pace a bit labored but the book is also targeted at audiences (such as developers) lacking much, if any, background in information security. Several chapters are especially noteworthy:

Chapter 6, "Privacy Tools". This brief chapter's introduction to ways of thinking about privacy is both an excellent summary and a guide for further exploration.

Chapter 9, "Trade-Offs When Addressing Threats", is a gentle introduction to risk management and underlines the important fact that risk elimination is an impossible goal (there will always be residual risk).

Chapter 15, "Human Factors and Usability", is a gem. Our profession is plagued with great ideas that are routinely bypassed or ignored because they are just too painful for people to use. Thinking about how users will interact with a security-relevant function is a core success factor in actually making things work and achieve their intended purpose.

Chapter 16, "Threats to Cryptosystems", makes the important point that cryptography is not magic pixie dust that you can sprinkle on something to make it "secure". In less than 20 pages, Shostack provides a solid review of what you have to get right in order for cryptography to make a meaningful contribution to a system's security posture (cryptographic implementations of known pedigree, solid key management, etc.).

Shostack's book provides a readable, comprehensive guide on how to make threat modeling a useful component of the software development process. Definitely a recommended read.

It has been said "Be careful, for writing books is endless, and much study wears you out", so Richard Austin fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org.