Shostack: I wrote Threat Modeling because threat modeling is at the core of my security career.
When threat modeling, should you focus on assets?
No, it’s a trap.
What about focusing on thinking like an attacker?
The system catches normal, well-meaning engineers trying to do the right thing, but they aren’t successful.
vpnMentor: What new knowledge did you gain while writing this book?
The biggest thing I learned in writing the book was just how big threat modeling is.
Writing a book on threat modeling is like writing a book on all of programming.
There are stages from concept to implementation, to testing and deployment.
I had to fit all that into one book!
But at the core of threat modeling are four questions:
(1) What are we working on?
(2) What can go wrong?
(3) What are we going to do about it?
(4) Did we do a good job?
I hope sharing these focus points will help others successfully threat model.
Threat Modeling: Designing for Security is available for purchase on Amazon.