We sat down with him to talk about his book and the significance of threat modeling.

vpnMentor: What made you write Threat Modeling?

Shostack: I wrote Threat Modeling because threat modeling is at the core of my security career. I have watched so many people struggle to create threat models, even mediocre ones, and I figured there was a better way to teach it. We security folks learn by doing, by action, by apprenticeship, but a lot of what we’re taught to do goes untested. When threat modeling, should you focus on assets? No, it’s a trap. What about focusing on thinking like an attacker? Also a trap. The system catches normal, well-meaning engineers trying to do the right thing, but they aren’t successful. It got to the point where even speaking with these engineers for an hour about what to do and what not to do wasn’t sufficient, so I decided to write a book about it.

vpnMentor: What new knowledge did you gain while writing this book?

Shostack: The biggest thing I learned in writing the book was just how big threat modeling is. There are ways to think about what you’re working on, what can go wrong, what to do about it, or if you did a good job. Writing a book on threat modeling is like writing a book on all of programming. In programming, there are languages, like Perl or Haskell or even Excel, and there are methods to do it, from copying and pasting from StackOverflow to very formal engineering approaches. There are stages from concept to implementation, to testing and deployment. I had to fit all that into one book! But at the core of threat modeling are four questions: (1) What are we working on? (2) What can go wrong? (3) What are we going to do about it? (4) Did we do a good job? I hope sharing these focus points will help others successfully threat model.