Cover
Part I: Getting Started
1. Chapter 1: Dive In and Threat Model!
  1. Learning to Threat Model
  2. Threat Modeling on Your Own
  3. Checklists for Diving In and Threat Modeling
  4. Summary
2. Chapter 2: Strategies for Threat Modeling
  1. “What's Your Threat Model?”
  2. Brainstorming Your Threats
  3. Structured Approaches to Threat Modeling
  4. Models of Software
  5. Summary
Part II: Finding Threats
1. Chapter 3: STRIDE
  1. Understanding STRIDE and Why It's Useful
  2. Spoofing Threats
  3. Tampering Threats
  4. Repudiation Threats
  5. Information Disclosure Threats
  6. Denial-of-Service Threats
  7. Elevation of Privilege Threats
  8. Extended Example: STRIDE Threats against Acme-DB
  9. STRIDE Variants
  10. Exit Criteria
  11. Summary
2. Chapter 4: Attack Trees
  1. Working with Attack Trees
  2. Representing a Tree
  3. Example Attack Tree
  4. Real Attack Trees
  5. Perspective on Attack Trees
  6. Summary
3. Chapter 5: Attack Libraries
  1. Properties of Attack Libraries
  2. CAPEC
  3. OWASP Top Ten
  4. Summary
4. Chapter 6: Privacy Tools
  1. Solove's Taxonomy of Privacy
  2. Privacy Considerations for Internet Protocols
  3. Privacy Impact Assessments (PIA)
  4. The Nymity Slider and the Privacy Ratchet
  5. Contextual Integrity
  6. LINDDUN
  7. Summary
Part III: Managing and Addressing Threats
1. Chapter 7: Processing and Managing Threats
  1. Starting the Threat Modeling Project
  2. Digging Deeper into Mitigations
  3. Tracking with Tables and Lists
  4. Scenario-Specific Elements of Threat Modeling
  5. Summary
2. Chapter 8: Defensive Tactics and Technologies
  1. Tactics and Technologies for Mitigating Threats
  2. Addressing Threats with Patterns
  3. Mitigating Privacy Threats
  4. Summary
3. Chapter 9: Trade-Offs When Addressing Threats
  1. Classic Strategies for Risk Management
  2. Selecting Mitigations for Risk Management
  3. Threat-Specific Prioritization Approaches
  4. Mitigation via Risk Acceptance
  5. Arms Races in Mitigation Strategies
  6. Summary
4. Chapter 10: Validating That Threats Are Addressed
  1. Testing Threat Mitigations
  2. Checking Code You Acquire
  3. QA'ing Threat Modeling
  4. Process Aspects of Addressing Threats
  5. Tables and Lists
  6. Summary
5. Chapter 11: Threat Modeling Tools
  1. Generally Useful Tools
  2. Open-Source Tools
  3. Commercial Tools
  4. Tools That Don't Exist Yet
  5. Summary
Part IV: Threat Modeling in Technologies and Tricky Areas
1. Chapter 12: Requirements Cookbook
  1. Why a “Cookbook”?
  2. The Interplay of Requirements, Threats, and Mitigations
  3. Business Requirements
  4. Prevent/Detect/Respond as a Frame for Requirements
  5. People/Process/Technology as a Frame for Requirements
  6. Development Requirements vs. Acquisition Requirements
  7. Compliance-Driven Requirements
  8. Privacy Requirements
  9. The STRIDE Requirements
  10. Non-Requirements
  11. Summary
2. Chapter 13: Web and Cloud Threats
  1. Web Threats
  2. Cloud Tenant Threats
  3. Cloud Provider Threats
  4. Mobile Threats
  5. Summary
3. Chapter 14: Accounts and Identity
  1. Account Life Cycles
  2. Authentication
  3. Account Recovery
  4. Names, IDs, and SSNs
  5. Summary
4. Chapter 15: Human Factors and Usability
  1. Models of People
  2. Models of Software Scenarios
  3. Threat Elicitation Techniques
  4. Tools and Techniques for Addressing Human Factors
  5. User Interface Tools and Techniques
  6. Testing for Human Factors
  7. Perspective on Usability and Ceremonies
  8. Summary
5. Chapter 16: Threats to Cryptosystems
  1. Cryptographic Primitives
  2. Classic Threat Actors
  3. Attacks Against Cryptosystems
  4. Building with Crypto
  5. Things to Remember About Crypto
  6. Secret Systems: Kerckhoffs and His Principles
  7. Summary
Part V: Taking It to the Next Level
1. Chapter 17: Bringing Threat Modeling to Your Organization
  1. How To Introduce Threat Modeling
  2. Who Does What?
  3. Threat Modeling within a Development Life Cycle
  4. Overcoming Objections to Threat Modeling
  5. Summary
2. Chapter 18: Experimental Approaches
  1. Looking in the Seams
  2. Operational Threat Models
  3. The “Broad Street” Taxonomy
  4. Adversarial Machine Learning
  5. Threat Modeling a Business
  6. Threats to Threat Modeling Approaches
  7. How to Experiment
  8. Summary
3. Chapter 19: Architecting for Success
  1. Understanding Flow
  2. Knowing the Participants
  3. Boundary Objects
  4. The Best Is the Enemy of the Good
  5. Closing Perspectives
  6. Summary
Appendix A: Helpful Tools
1. Common Answers to “What's Your Threat Model?”
2. Assets
Appendix B: Threat Trees
1. STRIDE Threat Trees
2. Other Threat Trees
Appendix C: Attacker Lists
1. Attacker Lists
2. Personas and Archetypes
3. Aucsmith's Attacker Personas
4. Background and Definitions
5. Personas
Appendix D: Elevation of Privilege: The Cards
1. Spoofing
2. Tampering
3. Repudiation
4. Information Disclosure
5. Denial of Service
6. Elevation of Privilege (EoP)
Appendix E: Case Studies
1. The Acme Database
2. Acme's Operational Network
3. Phones and One-Time Token Authenticators
4. Sample for You to Model
Glossary
Bibliography
Introduction
1. What Is Threat Modeling?
2. Reasons to Threat Model
3. Who Should Read This book?
4. What You Will Gain from This Book
5. How To Use This Book
6. New Lessons on Threat Modeling
End User License Agreement

List of Illustrations

Figure 1.1
Figure 1.2
Figure 1.3
Figure 1.4
Figure 2.1
Figure 2.2
Figure 2.3
Figure 2.4
Figure 2.5
Figure 2.6
Figure 2.7
Figure 2.8
Figure 3.1
Figure 4.1
Figure 4.2
Figure 4.3
Figure 4.4
Figure 4.5
Figure 5.1
Figure 5.2
Figure 6.1
Figure 7.1
Figure 7.2
Figure 7.3
Figure 9.1
Figure 9.2
Figure 9.3
Figure 9.4
Figure 10.1
Figure 11.1
Figure 11.2
Figure 11.3
Figure 12.1
Figure 14.1
Figure 14.2
Figure 14.3
Figure 14.4
Figure 15.1
Figure 15.2
Figure 15.3
Figure 15.4
Figure 15.5
Figure 15.6
Figure 15.7
Figure 15.8
Figure 15.9
Figure 15.10
Figure 17.1
Figure 17.2
Figure 18.1
Figure 18.2
Figure 18.3
Figure 19.1
Figure B.1
Figure B.2
Figure B.3
Figure B.4
Figure B.5
Figure B.6
Figure B.7
Figure B.8
Figure B.9
Figure B.10
Figure B.11
Figure B.12
Figure B.13
Figure B.14
Figure B.15
Figure B.16
Figure B.17
Figure B.18
Figure B.19
Figure E.1
Figure E.2
Figure E.3
Figure E.4
Figure E.5
Figure E.6
Figure I.1

List of Tables

Table 1.3
Table 1.4
Table 1.5
Table 1.6
Table 2.1
Table 3.1
Table 3.2
Table 3.3
Table 3.4
Table 3.5
Table 3.6
Table 3.7
Table 3.8
Table 3.9
Table 3.10
Table 3.11
Table 7.1
Table 7.2
Table 7.3
Table 7.4
Table 7.5
Table 7.6
Table 9.1
Table 9.2
Table 10.1
Table 10.2
Table 10.3
Table 10.4
Table 12.1
Table 15.1
Table 16.1
Table 17.1
Table 17.2
Table 17.3
Table 18.1
Table B.0
Table B.1a
Table B.1b
Table B.1c
Table B.1d
Table B.1e
Table B.2
Table B.3a
Table B.3b
Table B.3c
Table B.3d
Table B.4a
Table B.4b
Table B.5a
Table B.5b
Table B.5c
Table B.5d
Table B.6a
Table B.6b
Table B.6c
Table B.6d
Table B.7a
Table B.7b
Table B.8a
Table B.8b
Table B.9a
Table B.9b
Table B.9c
Table B.10a
Table B.10b
Table B.10c
Table B.11a
Table B.11b
Table B.11c
Table B.11d
Table B.12
Table B.13a
Table B.13b
Table B.13c
Table B.14a
Table B.14b
Table B.15a
Table B.15b

Part I
Getting Started

This part of the book is for those who are new to threat modeling, and it assumes no prior knowledge of threat modeling or security. It focuses on the key new skills that you'll need to threat model and lays out a methodology that's designed for people who are new to threat modeling.

Part I also introduces the various ways to approach threat modeling using a set of toy analogies. Much like there are many children's toys for modeling, there are many ways to threat model. There are model kits with precisely molded parts to create airplanes or ships. These kits have a high degree of fidelity and a low level of flexibility. There are also numerous building block systems such as Lincoln Logs, Erector Sets, and Lego blocks. Each of these allows for more flexibility, at the price of perhaps not having a propeller that's quite right for the plane you want to model.

In threat modeling, there are techniques that center on attackers, assets, or software, and these are like Lincoln Logs, Erector Sets, and Lego blocks, in that each is powerful and flexible, each has advantages and disadvantages, and it can be tricky to combine them into something beautiful.

Part I contains the following chapters:

Chapter 1: Dive In and Threat Model! contains everything you need to get started threat modeling, and does so by focusing on four questions:
- What are you building?
- What can go wrong?
- What should you do about those things that can go wrong?
- Did you do a decent job of analysis?

These questions aren't just what you need to get started, but are at the heart of the four-step framework, which is the core of this book.

Chapter 2: Strategies for Threat Modeling covers a great many ways to approach threat modeling. Many of them are “obvious” approaches, such as thinking about attackers or the assets you want to protect. Each is explained, along with why it works less well than you hope. These and others are contrasted with a focus on software. Software is what you can most reasonably expect a software professional to understand, and so models of software are the most important lesson of Chapter 2. Models of software are one of the two models that you should focus on when threat modeling.