Supplemental for Threat Modeling: Designing for Security
Table of Contents for Threat Modeling: Designing for Security
Part I: Getting Started
- Dive in and Threat Model
- Strategies for Threat Modeling
Part II: Finding Threats
- Attack Trees
- Attack Libraries
- Privacy Tools
Part III: Managing and Addressing Threats
- Processing and Managing Threats
- Defensive Tactics and Technologies
- Trade-Offs When Addressing Threats
- Validating That Threats Are Addressed
- Threat Modeling Tools
Part IV: Threat Modeling in Technologies and Tricky Areas
- Requirements Cookbook
- Web and Cloud Threats
- Accounts and Identity
- Human Factors and Usability
- Threats to Cryptosystems
Part V: Taking It to the Next Level
- Bringing Threat Modeling to Your Organization
- Experimental Approaches
- Architecting for Success
- Helpful Tools
- Threat Trees
- Attacker Lists
- Elevation of Privilege : The Cards
- Case Studies
Errata for Threat Modeling: Designing for Security
- Andy Steingrubel's name is mis-spelled (page vii)
- The first list on page 10 is mis-ordered
- On page 12, "vertebrae" should read "vertebrate."
- On page 134/135, tables 7.4 and 7.5 should each open with "threat type," rather than "threat".
- On page 154, under "Operational Assurance of Confidentiality" The last sentence, "With regard to a network, it may be possible to use SSH or SSL tunneling or IPSec to address network tampering issues." should read: "With regard to a network, it may be possible to use SSH or SSL tunneling or IPSec to address network confidentiality issues."
- Phil Zimmermann's name is consistently misspelled.
- On page 225, the second item of the first list should read "We will detect 75 precent of attacks of type X within time Y, and 50 percent of the remainder within Z."
- On page 485, there is a reference to sync floods, which is SYN, fully misspelled.
- On this page, errata was mis-spelled.
- On page 14 and elsewhere, IPsec is listed as addressing spoofing of a network address. Properly, that's a function of IKE. (Added June 2018)
- On page xxx of the introduction, the word "influence" should be removed from the phrase "Platforms and API influence may offer security features" (Added June, 2018)
- On page 4, the Elevation of Privilege link is broken. Good resources are above. (August, 2018)
- On page 6, it should read 'Many people will treat the terms as interchangeable.' (January, 2019)
Errata last updated: June 25, 2018