Shostack + Friends Blog

 

Threats Book is Complete

The serious side of the book

[Image: A stack of copies of Threats: What Every Engineer Should Learn From Star Wars]

I’m really excited to have my first copies of the new book in hand. I’ve said a lot about how much fun I’ve had writing it, and perhaps haven’t written enough about what a serious book it really is. Let me share that, and then close with some information about signed copies, launch parties, and other fun things.

Computer security is a young field, and evolving rapidly. People arrive through many paths, few of which include fundamental understanding of threats. As we learn from Rick Proto (and as I discuss in the introduction) theories of insecurity inform theories of security. Checkbox security is inevitable unless people understand what they’re defending against. And as I’ve learned from teaching, my students often don’t understand the threats well enough to discuss them even for a few sentences.

These foundations are crucial, and they are the focus of the book, which starts with STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Expansion of Authority). If you’re paying attention, you may notice that I’ve redefined the E from Elevation of Privilege. That chapter was a dark moment in my journey. When you try to explain it, Privilege in cybersecurity is a squishy concept. The best definition I found was ‘the ability to change security configuration,’ and then we get to mechanism – is it special like the ability to bind to a low port? A matter of who can sudo? The concept of authority is more crisp and measurable.

Those chapters are followed by ones on Predictability and Randomness, Parsing and Corruption, and Kill Chains. Corruption often leads to Expansion of Authority, but not always, and is complex enough that it deserves its own chapter, which I think is in many ways a new contribution that will be helpful even to those steeped in security. So all that to say: this is a serious book in a fun package, and I hope you enjoy it and learn from it.

For more on the book, please visit threatsbook.com. Available — soon — wherever fine books are sold.