I bought this book pretty much the week it came out but as it wouldn’t load onto my third gen Kindle I ended up reading the first hundred or so pages before getting sidetracked and forgetting about it.
However, a few weeks back a friend mentioned it again and so it went back to the top of my reading list. The same friend, who to be fair is biased and is actually referenced in this book, has always been a huge fan and advocate for how Brook approaches threat modelling so I was really looking forward to this.
Threat modelling is one of those arts in security that really benefit from experience and I'm always interested in learning more on how different people practice it. Like most I've read what I'd consider to be one of the original volumes from Microsoft on the topic by Frank Swiderski and Window Snyder, the more recent Threat Modelling for Security by Adam Shostack and have the PASTA book (Risk Centric Threat Modeling) by Tony Uceda Velez and Marco Morana lined up for reading in the next few months.
The book is split into three sections; the first covers some background on key threat modelling concepts and the author’s approach to threat modelling, the second covers some worked examples using the approach and the final section finishes off on governance and programme considerations.
The first section starts off with a chapter giving some background in relation to security assessment, threat modelling and introduces some of the core concepts and processses that the author considers key to his approach to threat modeling, including the ATASM (Attack, Threats, Attack Surfaces, Mitigations) approach and the concept of a credible attack vector. This chapter also gives an overview of the types of threat agents/actors that exist and how to analyse them in terms of capability, activity level and sentiment and then moving on to considering risk tolerance within your organisation.
The next chapter covers an introduction as to why enterprise architecture exists, provides some guidance on creating diagrams to support threat modeling before moving onto covering the concepts of architecture patterns and starting to work through some key concepts for threat modelling including data flow analysis, component identification and decomposition.
The book then moves onto a chapter covering risk management, which I skimmed but was thrilled to see Jack Jones and the FAIR model referenced (and noticed he’s quoted on the back cover too). Even if people don’t intend to go “full FAIR” on their analysis, I’ve always considered the FAIR risk model to be a great approach to decomposing risks and any use of it is always good in my opinion! This chapter really focuses on establishing more detail on the credible attack vector and just good enough risk rating (JGERR) concepts that the author uses. I was really happy to see the author drawing attention to personal bias and the difference between a individual's personal risk appetite and the organisation’s appetite. Both of these of so often ignored in info sec risk discussions that it's great to see then come up here even in high level coverage of the topic.
The last chapter in this section walks through the ATASM process in more detail, covering each step with a simple example based on a traditional three tier web application. This is probably the chapter that will interest a lot of people most as it’s very much focused on how to approach treat modelling using the structure proposed by the author and tees up the worked examples perfectly. I have to say that this chapter is a really easy read and nice approach to threat modeling, with there being less focus on coming up with very structured bullet point approaches in lieu of just putting some fundamental principles to approaching an assessment.
The book then moves to the second part, which is focused on taking the concepts outlined in the first part and walking through of a couple of examples, starting first with a classic three tier web application, then expanding this to include a greater enterprise view, a back end data analytics application, before moving tact and covering endpoint AV, mobile and cloud. This really is the best section of the book as working through examples is really still the best way to get your head around threat modelling and these practical worked examples are often missing from books on the topic. Also, this section does a great job of covering one of the most often asked questions; how far should you decompose an application during analysis. I really liked the idea the author puts forward of a defensible component, which he defines as "the level at which the security controls and their implementation in and around that particular component can be easily understood”. These example chapters read exactly like you’re in the room with the author and he’s just chatting away. Which is both good and bad for me. For some reason I find it harder to read this style as it’s very much a stream of consciousness, rather than a very highly structured format. Maybe I’m just a simple creature who needs more structure... however, equally it gives an insight into the process and mindset, and also is about as good as actually sitting next to him!
Personally I would have a liked a greater focus on examples or approaches to the diagramming of the threat models as for me this can often be one of the biggest stumbling blocks for people and should be a key artfact of the analysis. Also, as the author focuses so much on the nuances of levels of decomposition of analysis, for me it would have been great to show some examples of the different levels in diagrams. However, interestingly the author covers this to some degree at the end of the book by highlighting that he really aims to use whatever documentation is available already as the basis for the threat model in order to avoid trying to make security seem like a special discipline. However, unfortunately for me I find that it's most often the case that this documentation doesn't exist in the first place for many systems I've assessed! (Never a good starting point... )
The last part of the book changes tack again and looks beyond the process of performing threat modelling and looks towards governance and management of an assessment program. This is a great addition to the book as it’s easy to start doing security assessments, but inevitably you hit the problem of scale and need to figure out how to not be a blocker but also not let projects slide. Unless you can overcome this even the most positive starts will start to deteriorate either through not covering all systems, or reducing the scope and coverage of the systems resulting in ultimately no added value to the development/system team. It also covers some key lessons like the importance of building relationships within the organisation and touches on the common mistakes of people seeing the architect role as a linear promotion for good engineers, which misses the key soft skills required to be a success as an architect. For me, this is the kind of material that really should be considered mandatory for CISM type certifications, and really gives a realistic view of how security programs run and need to be run.
I really enjoyed this book and apart from more diagram examples, I can't fault it. It makes a great addition to the threat modeling resources available and I'd highly recommend that anyone involved in security read this.
One of my favorite parts of the book were a couple of simple nuggets of wisdom that attest to someone with real experience in security. There were three or four bits that particular resonated with me, but there were probably many more so for that alone, I’d highly recommend this book.
Additionally, what is a really nice touch is how the author continually highlights that no one person’s opinion or interpretation is complete and actively encourgages people to provide feedback if they think he even missed anything in the worked examples! In a professional where everyone is an expert, thought leader or evangelist, that level of humility is a refreshing change.
Links:
Amazon: http://www.amazon.com/Securing-Systems-Applied-Security-Architecture-ebook/dp/B00XKX1FK8/
However, a few weeks back a friend mentioned it again and so it went back to the top of my reading list. The same friend, who to be fair is biased and is actually referenced in this book, has always been a huge fan and advocate for how Brook approaches threat modelling so I was really looking forward to this.
Threat modelling is one of those arts in security that really benefit from experience and I'm always interested in learning more on how different people practice it. Like most I've read what I'd consider to be one of the original volumes from Microsoft on the topic by Frank Swiderski and Window Snyder, the more recent Threat Modelling for Security by Adam Shostack and have the PASTA book (Risk Centric Threat Modeling) by Tony Uceda Velez and Marco Morana lined up for reading in the next few months.
The book is split into three sections; the first covers some background on key threat modelling concepts and the author’s approach to threat modelling, the second covers some worked examples using the approach and the final section finishes off on governance and programme considerations.
The first section starts off with a chapter giving some background in relation to security assessment, threat modelling and introduces some of the core concepts and processses that the author considers key to his approach to threat modeling, including the ATASM (Attack, Threats, Attack Surfaces, Mitigations) approach and the concept of a credible attack vector. This chapter also gives an overview of the types of threat agents/actors that exist and how to analyse them in terms of capability, activity level and sentiment and then moving on to considering risk tolerance within your organisation.
The next chapter covers an introduction as to why enterprise architecture exists, provides some guidance on creating diagrams to support threat modeling before moving onto covering the concepts of architecture patterns and starting to work through some key concepts for threat modelling including data flow analysis, component identification and decomposition.
The book then moves onto a chapter covering risk management, which I skimmed but was thrilled to see Jack Jones and the FAIR model referenced (and noticed he’s quoted on the back cover too). Even if people don’t intend to go “full FAIR” on their analysis, I’ve always considered the FAIR risk model to be a great approach to decomposing risks and any use of it is always good in my opinion! This chapter really focuses on establishing more detail on the credible attack vector and just good enough risk rating (JGERR) concepts that the author uses. I was really happy to see the author drawing attention to personal bias and the difference between a individual's personal risk appetite and the organisation’s appetite. Both of these of so often ignored in info sec risk discussions that it's great to see then come up here even in high level coverage of the topic.
The last chapter in this section walks through the ATASM process in more detail, covering each step with a simple example based on a traditional three tier web application. This is probably the chapter that will interest a lot of people most as it’s very much focused on how to approach treat modelling using the structure proposed by the author and tees up the worked examples perfectly. I have to say that this chapter is a really easy read and nice approach to threat modeling, with there being less focus on coming up with very structured bullet point approaches in lieu of just putting some fundamental principles to approaching an assessment.
The book then moves to the second part, which is focused on taking the concepts outlined in the first part and walking through of a couple of examples, starting first with a classic three tier web application, then expanding this to include a greater enterprise view, a back end data analytics application, before moving tact and covering endpoint AV, mobile and cloud. This really is the best section of the book as working through examples is really still the best way to get your head around threat modelling and these practical worked examples are often missing from books on the topic. Also, this section does a great job of covering one of the most often asked questions; how far should you decompose an application during analysis. I really liked the idea the author puts forward of a defensible component, which he defines as "the level at which the security controls and their implementation in and around that particular component can be easily understood”. These example chapters read exactly like you’re in the room with the author and he’s just chatting away. Which is both good and bad for me. For some reason I find it harder to read this style as it’s very much a stream of consciousness, rather than a very highly structured format. Maybe I’m just a simple creature who needs more structure... however, equally it gives an insight into the process and mindset, and also is about as good as actually sitting next to him!
Personally I would have a liked a greater focus on examples or approaches to the diagramming of the threat models as for me this can often be one of the biggest stumbling blocks for people and should be a key artfact of the analysis. Also, as the author focuses so much on the nuances of levels of decomposition of analysis, for me it would have been great to show some examples of the different levels in diagrams. However, interestingly the author covers this to some degree at the end of the book by highlighting that he really aims to use whatever documentation is available already as the basis for the threat model in order to avoid trying to make security seem like a special discipline. However, unfortunately for me I find that it's most often the case that this documentation doesn't exist in the first place for many systems I've assessed! (Never a good starting point... )
The last part of the book changes tack again and looks beyond the process of performing threat modelling and looks towards governance and management of an assessment program. This is a great addition to the book as it’s easy to start doing security assessments, but inevitably you hit the problem of scale and need to figure out how to not be a blocker but also not let projects slide. Unless you can overcome this even the most positive starts will start to deteriorate either through not covering all systems, or reducing the scope and coverage of the systems resulting in ultimately no added value to the development/system team. It also covers some key lessons like the importance of building relationships within the organisation and touches on the common mistakes of people seeing the architect role as a linear promotion for good engineers, which misses the key soft skills required to be a success as an architect. For me, this is the kind of material that really should be considered mandatory for CISM type certifications, and really gives a realistic view of how security programs run and need to be run.
I really enjoyed this book and apart from more diagram examples, I can't fault it. It makes a great addition to the threat modeling resources available and I'd highly recommend that anyone involved in security read this.
One of my favorite parts of the book were a couple of simple nuggets of wisdom that attest to someone with real experience in security. There were three or four bits that particular resonated with me, but there were probably many more so for that alone, I’d highly recommend this book.
Additionally, what is a really nice touch is how the author continually highlights that no one person’s opinion or interpretation is complete and actively encourgages people to provide feedback if they think he even missed anything in the worked examples! In a professional where everyone is an expert, thought leader or evangelist, that level of humility is a refreshing change.
Links:
Amazon: http://www.amazon.com/Securing-Systems-Applied-Security-Architecture-ebook/dp/B00XKX1FK8/
