Threat Modeling: Designing for Security by Adam Shostack, published by Wiley in February 2014, offers a comprehensive guide to the principles and practices of threat modeling. With 569 pages of in-depth content, it aims to equip readers with tools and methodologies for identifying, assessing, and mitigating security threats. The book is often recommended for professionals in cybersecurity, application development, and systems architecture.
I read this book in January 2020 as part of my professional development while implementing threat modeling processes at work. My objective was to gain actionable insights into integrating threat modeling into our organizational security practices, particularly from a systems-of-systems perspective. I was also seeking practical, step-by-step guidance for applying threat modeling frameworks effectively in complex enterprise environments.
Shostack effectively discusses how security requirements can be derived and integrated into system design processes. He emphasizes that threat modeling is not a one-time activity but a continuous process that evolves alongside system development. The book covers popular frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), attack trees, and data flow diagrams (DFDs). DFDs model the system as external entities, processes, data stores, and data flows, with trust boundaries marking where data passes between parties of differing privilege; STRIDE is then applied per element to enumerate the threat categories relevant to each; attack trees decompose an attacker's goal into the alternative and combined steps needed to reach it. These frameworks provide structured ways to visualize and analyze potential threats, making them accessible for both security experts and non-specialists.
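The STRIDE-per-element pass over a DFD that the book describes, as an added example that is not code from the book or its author: the element kinds, the STRIDE-per-element mapping (recalled from the chart Shostack presents, with Repudiation on data stores only when they hold logs), and the sample web-shop system with its trust boundaries are all constructed here for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# STRIDE categories that apply to each DFD element type. This follows the
# STRIDE-per-element chart popularised by Shostack; the mapping is assumed
# from that chart, not copied from the book.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",  # plus R when the store holds logs, see stride_for()
}

CATEGORY_NAMES: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str               # "external_entity", "process" or "data_store"
    boundary: str           # trust boundary label, e.g. "internet"
    holds_logs: bool = False  # audit stores can be the target of repudiation


@dataclass(frozen=True)
class Flow:
    name: str
    src: str                # Element.name
    dst: str                # Element.name


@dataclass(frozen=True)
class Threat:
    target: str
    category: str           # one STRIDE letter
    crosses_boundary: bool  # True for flows that cross a trust boundary


def stride_for(element: Element) -> str:
    """STRIDE letters to consider for one non-flow element."""
    cats = STRIDE_PER_ELEMENT[element.kind]
    if element.kind == "data_store" and element.holds_logs:
        cats += "R"
    return cats


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply STRIDE-per-element to every element and every data flow."""
    by_name = {e.name: e for e in elements}
    threats = [Threat(e.name, c, False) for e in elements for c in stride_for(e)]
    for f in flows:
        # A flow crosses a trust boundary when its endpoints sit in different zones.
        crosses = by_name[f.src].boundary != by_name[f.dst].boundary
        threats += [Threat(f.name, c, crosses) for c in STRIDE_PER_ELEMENT["data_flow"]]
    return threats


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Boundary-crossing flows first: that is where the book says to look hardest."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.target, t.category))


def describe(threat: Threat) -> str:
    flag = "boundary-crossing " if threat.crosses_boundary else ""
    return f"{threat.target}: {flag}{CATEGORY_NAMES[threat.category]}"


# Constructed sample system (hypothetical names), three trust zones.
SAMPLE_ELEMENTS = [
    Element("Browser", "external_entity", "internet"),
    Element("Web app", "process", "dmz"),
    Element("Report job", "process", "internal"),
    Element("Orders DB", "data_store", "internal"),
    Element("Audit log", "data_store", "internal", holds_logs=True),
]
SAMPLE_FLOWS = [
    Flow("browser request", "Browser", "Web app"),
    Flow("order query", "Web app", "Orders DB"),
    Flow("audit write", "Web app", "Audit log"),
    Flow("report query", "Report job", "Orders DB"),  # stays inside "internal"
]

if __name__ == "__main__":
    for t in prioritize(enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)):
        print(describe(t))
```

The output is a candidate list, not a finding list: each line is a question to ask of the design ("how could the browser request be tampered with in transit?"), and the boundary-crossing entries are the ones worth answering first.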
One of my critiques is the book’s tendency to blur the line between threats and vulnerabilities. While threats represent external actors, events, or conditions that could cause harm, vulnerabilities are weaknesses within a system that threats can exploit. This distinction is critical but could be more explicitly reinforced throughout the book.
While the book focuses heavily on software development contexts, I was seeking a broader “system of systems” approach applicable to enterprise-level threat modeling. Shostack’s examples often revolve around software engineering, leaving some gaps for readers looking for insights into complex IT ecosystems or operational technology environments.
The book’s strengths include its comprehensive coverage of topics such as building threat models, understanding attackers’ perspectives, and prioritizing threats. The sections on creating attack trees and using STRIDE are particularly useful for structuring threat assessments. Shostack writes in a clear, engaging style that breaks down complex concepts into digestible sections.
However, expanding beyond software threat modeling to include broader enterprise and interconnected system considerations would enhance the book’s applicability. More detailed, real-world case studies or step-by-step guides would provide practical implementation insights. While tools and techniques are mentioned, deeper exploration of available open-source and commercial threat modeling tools could add value.
Overall, Threat Modeling: Designing for Security is a valuable resource for professionals in cybersecurity and software development looking to build a strong foundation in threat modeling. However, for those seeking detailed system-of-systems methodologies or enterprise-scale threat modeling strategies, supplemental resources may be needed. Despite its software-centric focus, the book remains a cornerstone text in the field and a worthwhile addition to any security practitioner’s library.