Shostack + Friends Blog


The Threats book is complete

Threats is almost in bookstores A Star Wars styled text, reading A long time ago, in a galaxy far, far away. . . I started work on Threats: What Every Engineer Should Learn from Star Wars, and I could not be more excited that it's done.

When my first threat modeling book came out, I talked about STRIDE in terms of Star Wars – Luke Skywalker spoofing a Stormtrooper and being caught because he was too short. And as I thought about turning that into a book, my publisher suggested “maybe you can get a chapter out of it?” And so, I started writing, because, as we know, there’s do, or do not.

As I wrote, I discovered both how hard it is to explain some of the concepts which we use, and how important it is that we explain them. For example:

  • What is privilege in computing?
  • How does it relate to permissions? We know it when we see it — root has privilege, but is creating a new account a privilege (as per Windows) or a matter or permissions (as on Unix)? Which is right?
  • How do we teach it if the simple things we say are all complicated?
  • Why is parsing safely hard, and what should every engineer know about that?

Once I’d opened these cans of worms, and saw students struggling with them in classes, I realized how valuable this book could be to readers, and I pushed to ensure that it’s accessible and fun, even if you’ve never seen Star Wars. (I mean, kids today …. no knowledge of the classics.)

Feeling hatred or anger at engineers for not understanding security? These are the easy path. Supporting engineers who aren’t security specialists — explaining our concepts and making them accessible — was far harder. But... there’s good in them. I’ve seen it. In 2022, security matters as a property of what people deliver. But engineers struggle to understand what they should do. This book aims to solve that.

The book ended up longer than I expected. Mostly, that’s because it turns out there’s a lot of threats that every engineer needs to know. It’s also longer because I’ve learned iteration and variation helps people learn, so we revisit threats a little.

As I said, I’m tremendously excited, and I’m grateful that as I’ve told people about the book, that excitement has been contagious … nope, I’m skipping that joke … that excitement has been palpable, and people have asked how they can help. Pre-ordering can certainly help and getting the word out can help too. There are some additional ideas at