After reading - Threat Modeling

Threat Modeling book

Dr. Dobbs Jolt Award Finalist 2014

By Adam Shostack (Microsoft’s Threat Modeling Expert)

Haha, finally I finished this book recommended by st 👨‍🍳. Reading books is similar to frying eggs. 🍳 You need to control the pace, heat, shape, and mood.



  • Part 1 Getting Started

    • Cp 1 Dive In and Threat Model!
    • Cp 2 Strategies for Threat Modeling
  • Part 2 Finding Threats

    • Cp 3 STRIDE
    • Cp 4 Attack Trees
    • Cp 5 Attack Libraries
    • Cp 6 Privacy Tools
  • Part 3 Managing and Addressing Threats

    • Cp 7 Processing and Managing Threats
    • Cp 8 Defensive Tactics and Technologies
    • Cp 9 Trade-Offs When Addressing Threats
    • Cp 10 Validating That Threats Are Addressed
    • Cp 11 Threat Modeling Tools
  • Part 4 Threat Modeling in Technologies and Tricky Areas

    • Cp 12 Requirements Cookbook
    • Cp 13 Web and Cloud Threats
    • Cp 14 Accounts and Identity
    • Cp 15 Human Factors and Usability
    • Cp 16 Threats to Cryptosystems
  • Part 5 Taking it to the next level

    • Cp 17 Bringing Threat Modeling to Your Organization
    • Cp 18 Experimental Approaches
    • Cp 19 Architecting for Success


The book introduces several models, each with detailed examples, for finding and dealing with potential threats. With the security requirements and those threats in mind, security bugs can be identified early, while the design is still cheap to change.

Four Step framework

Model the system -> Find threats -> Address threats -> Validate

It may be useful to know how to execute an attack, but it is more important to know where attacks can be executed against your system and how to defend against them effectively.

Some Quick Notes

Spoofing Threats

What can be spoofed: a person, a "file" on disk, a network address, a program in memory, a machine, a role

Tampering Threats

Tampering with a file, racing to create a file, tampering with a network packet

Repudiation Threats

No logs, no proof; logs under attack; logs as attack

Information Disclosure Threats

Network monitoring, directory or filename disclosure, file contents, API information disclosure

Trust boundaries

Trust boundaries are another very interesting topic in the book: a trust boundary is the line across which data moves between principals with different levels of trust (for example, from the internet into a web server, or from a web server into a database), and threats cluster where data flows cross those lines, so they are the first places to look.

STRIDE approach

  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service,
  • Elevation of Privilege.

For each element of the data-flow diagram (Process, Data Flow, Data Store, External Interactor) and each interaction between them, ask which of the STRIDE categories apply. The book's STRIDE-per-element and STRIDE-per-interaction charts narrow this down: a data flow, for example, can be tampered with, read, or interrupted, but it cannot itself be spoofed, while a process is exposed to all six.
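As an added example (not code from the book), the script below encodes the STRIDE-per-element chart and walks a small, constructed data-flow diagram of a web application. It lists the candidate threats for each element and flags the data flows that cross a trust boundary so they are reviewed first; the element names, trust zones and the diagram itself are assumptions made for illustration.

```python
"""STRIDE-per-element over a small data-flow diagram (DFD).

Added example, not code from Shostack's book. It encodes the STRIDE-per-element
chart (which threat categories each kind of DFD element is subject to) and walks
a constructed DFD of a small web application, flagging the data flows that cross
a trust boundary so those get looked at first.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element chart. A data store is additionally subject to repudiation
# when it holds logs, because the logs are what repudiation attacks target.
PER_ELEMENT = {
    "external": "SR",      # external interactor (person, browser, third party)
    "process": "STRIDE",
    "dataflow": "TID",
    "datastore": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                  # external | process | dataflow | datastore
    zone: str                  # trust zone, e.g. "internet", "dmz", "internal"
    holds_logs: bool = False   # only meaningful for datastores
    src: Optional[str] = None  # dataflows only: source element name
    dst: Optional[str] = None  # dataflows only: destination element name


def applicable_categories(el: Element) -> str:
    letters = PER_ELEMENT[el.kind]
    if el.kind == "datastore" and el.holds_logs:
        letters += "R"
    return letters


def boundary_crossings(elements: List[Element]) -> List[str]:
    """Names of data flows whose endpoints sit in different trust zones."""
    by_name = {e.name: e for e in elements}
    return [
        e.name for e in elements
        if e.kind == "dataflow" and by_name[e.src].zone != by_name[e.dst].zone
    ]


def enumerate_threats(elements: List[Element]) -> List[Dict[str, object]]:
    """One candidate threat per (element, applicable STRIDE category)."""
    crossing = set(boundary_crossings(elements))
    threats = []
    for el in elements:
        for letter in applicable_categories(el):
            threats.append({
                "element": el.name,
                "kind": el.kind,
                "category": STRIDE[letter],
                "crosses_trust_boundary": el.name in crossing,
            })
    # Stable sort: threats on boundary-crossing flows come first.
    threats.sort(key=lambda t: not t["crosses_trust_boundary"])
    return threats


# Constructed sample DFD: a browser talks to a web process in a DMZ, which uses a
# local session cache and reaches an orders database and an audit log inside.
SAMPLE_DFD = [
    Element("browser", "external", "internet"),
    Element("web", "process", "dmz"),
    Element("session_cache", "datastore", "dmz"),
    Element("orders_db", "datastore", "internal"),
    Element("audit_log", "datastore", "internal", holds_logs=True),
    Element("https_request", "dataflow", "internet", src="browser", dst="web"),
    Element("cache_lookup", "dataflow", "dmz", src="web", dst="session_cache"),
    Element("sql_query", "dataflow", "dmz", src="web", dst="orders_db"),
    Element("log_write", "dataflow", "dmz", src="web", dst="audit_log"),
]

if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE_DFD):
        flag = " [crosses trust boundary]" if t["crosses_trust_boundary"] else ""
        print(f'{t["element"]:<14} {t["kind"]:<9} {t["category"]}{flag}')
```

The output is only a list of candidate threats, not a verdict: each line still has to be judged against the system, and the ones on boundary-crossing flows (the request from the internet, the query into the internal database, the write to the audit log) are where to spend the review time first.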

Attack Tree

The root node is the attacker's goal; the subnodes are the ways of achieving it, combined as OR nodes (any one child suffices) or AND nodes (all children are needed). Drawn out, it looks like a mind map, and walking it tells you which path is cheapest for the attacker and what a mitigation on one leaf changes.
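An added example, not code from the book, of the AND/OR evaluation just described: a small attack tree whose goal, branches and effort figures are constructed for illustration, with the cheapest path recomputed after each mitigation raises a leaf's cost.

```python
"""Attack tree with AND/OR nodes and a cheapest-path calculation.

Added example, not from the book. The tree, the goals and the effort figures are
constructed for illustration; costs are rough attacker effort in hours.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    goal: str
    gate: str = "OR"            # OR: any child achieves the goal; AND: all needed
    cost: Optional[int] = None  # leaves only: attacker effort
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[int, List[str]]:
    """Cheapest way to reach node.goal: (total cost, leaf steps taken)."""
    if not node.children:
        return node.cost, [node.goal]
    results = [cheapest(c) for c in node.children]
    if node.gate == "AND":
        total = sum(cost for cost, _ in results)
        steps = [s for _, steps in results for s in steps]
        return total, steps
    return min(results, key=lambda r: r[0])


def apply_mitigation(node: Node, leaf_goal: str, new_cost: int) -> bool:
    """A mitigation makes one leaf step harder: raise its cost. Returns True if found."""
    if not node.children:
        if node.goal == leaf_goal:
            node.cost = new_cost
            return True
        return False
    return any(apply_mitigation(c, leaf_goal, new_cost) for c in node.children)


def render(node: Node, depth: int = 0) -> str:
    """Indented, mind-map style text view of the tree."""
    label = node.goal if node.cost is None else f"{node.goal} (cost {node.cost})"
    if node.children:
        label += f" [{node.gate}]"
    lines = ["  " * depth + label]
    for c in node.children:
        lines.append(render(c, depth + 1))
    return "\n".join(lines)


def build_tree() -> Node:
    """Constructed sample: an attacker wants to read another customer's orders."""
    return Node("Read another customer's orders", "OR", children=[
        Node("Take over the victim's session", "AND", children=[
            Node("Obtain the session cookie", "OR", children=[
                Node("Inject XSS to exfiltrate the cookie", cost=8),
                Node("Sniff the cookie on plaintext HTTP", cost=2),
            ]),
            Node("Replay the stolen cookie", cost=1),
        ]),
        Node("Guess a sequential order ID", cost=1),
        Node("Bribe a support admin", cost=500),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print(render(tree))
    print("cheapest:", cheapest(tree))
    # Random order IDs plus an ownership check on every lookup.
    apply_mitigation(tree, "Guess a sequential order ID", 1000)
    # HTTPS everywhere with HSTS and the Secure cookie flag.
    apply_mitigation(tree, "Sniff the cookie on plaintext HTTP", 400)
    print("after mitigations:", cheapest(tree))
```

The point of recomputing after each mitigation is that fixing the cheapest leaf does not fix the goal: the attacker simply moves to the next cheapest branch, so the tree is only "done" when every path to the root is above the effort you believe the attacker will spend.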


CAPEC is MITRE's Common Attack Pattern Enumeration and Classification, the attack library the book spends the most time on.



Authentication Technologies

  1. Authentication technologies for computers:
  • IPSec
  • SSH host keys
  • Kerberos authentication
  • HTTP Digest or Basic authentication
  • "Windows authentication" (NTLM)
  • PKI systems, such as SSL or TLS with certificates
  2. Authentication technologies for bits:
  • Digital signatures
  • Hashes
  3. Maintaining authentication across connections:
  • Cookies

Integrity Technologies

For files:

  • ACLs or permissions
  • Digital signatures
  • Hashes
  • Windows Mandatory Integrity Control (MIC) feature
  • Unix immutable bits

For network traffic:

  • SSL
  • SSH
  • IPSec
  • Digital signatures
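Hashes and digital signatures appear in both lists above, and the difference between them matters. As an added example (not code from the book), the script below shows why a plain hash only protects a file when the reference digest is stored where the attacker cannot write, and why a keyed construction (an HMAC here, standing in for a signature) still detects tampering when the attacker controls both the file and its sidecar values. The file contents, keys and the "attacker" are constructed for illustration.

```python
"""Hash versus keyed hash as a file integrity control.

Added example, not from the book. A plain digest stored next to the file can be
recomputed by anyone who can rewrite the file; an HMAC (or a signature) cannot,
because the attacker lacks the key. All inputs below are constructed.
"""
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain_hash(data: bytes, reference_hex: str) -> bool:
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(sha256_hex(data), reference_hex)


def verify_hmac(key: bytes, data: bytes, reference_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), reference_hex)


class ShareStore:
    """Stands in for a world-writable share: the attacker can rewrite every entry."""
    def __init__(self) -> None:
        self.files: Dict[str, object] = {}


def publish(store: ShareStore, name: str, content: bytes, key: bytes) -> None:
    """Owner writes the file plus a plain digest and a keyed tag as sidecars."""
    store.files[name] = content
    store.files[name + ".sha256"] = sha256_hex(content)
    store.files[name + ".hmac"] = hmac_sha256_hex(key, content)


def tamper(store: ShareStore, name: str, new_content: bytes, attacker_key: bytes) -> None:
    """Attacker rewrites the file and recomputes every sidecar he can."""
    store.files[name] = new_content
    store.files[name + ".sha256"] = sha256_hex(new_content)
    # The attacker does not hold the verifier's key, so this tag will not match.
    store.files[name + ".hmac"] = hmac_sha256_hex(attacker_key, new_content)


def check(store: ShareStore, name: str, key: bytes) -> Dict[str, bool]:
    data = store.files[name]
    return {
        "plain_hash": verify_plain_hash(data, store.files[name + ".sha256"]),
        "hmac": verify_hmac(key, data, store.files[name + ".hmac"]),
    }


def demo():
    """Returns the check results before and after the attacker's rewrite."""
    key = b"constructed-verifier-key-do-not-reuse"
    store = ShareStore()
    publish(store, "deploy.sh", b"#!/bin/sh\napt-get install -y app\n", key)
    before = check(store, "deploy.sh", key)
    tamper(store, "deploy.sh", b"#!/bin/sh\napt-get install -y app backdoor\n", b"guess")
    after = check(store, "deploy.sh", key)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

After the rewrite the plain-hash check still passes, which is the trap: a digest published in the same place as the file is an integrity control against accidental corruption, not against an attacker. The HMAC check fails because the tag depends on a key the attacker does not have. An HMAC requires the verifier to hold that secret too; a digital signature gives the same protection with a private key the publisher alone holds and a public key anyone can verify against, which is why signatures, not bare hashes, are what package and update systems rely on.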

Risk Management

  • Avoid
  • Address
  • Accept
  • Transfer
  • Ignore

Attacker Portrait

With amazing attacker lists, the book illustrates the attacker psychology and portrait. It is amazing that they all have a clear motivation, skills and education, span of influence, collaboration, tools and technologies, and IT experience, lol, which I don't have much of! 🐇

Some motivations: curiosity, experimentation, personal fame, bragging rights, personal gain, intense dislike for an employer, the thrill of succeeding, national interests, …oh, that's a lot. 😀

Actually I found those appendices more interesting than the content, haha.

Famous Quotes in book

All models are wrong, some models are useful. –George Box

If you have to ask what jazz is, you’ll never know. –Louis Armstrong


  • Shostack, A. (2014). Threat modeling: Designing for security. Indianapolis, IN: Wiley.