Book review: Threats: What Every Engineer Should Learn From Star Wars


Posted by Ben Rothke

Many information security concepts, from public-key cryptography to firewalls, are quite unintuitive to the general public. That is why The Analogies Project was created.

The aim of the Analogies Project is to help spread the message of information security and its importance in the modern world. By drawing parallels between what people already know or find interesting (such as politics, art, history, theatre, sport, science, music, and everyday life experiences) and how these relate to information security, we can increase understanding and support across the whole of society.

Why use analogies? Because many aspects of information security are highly technical and require deep specialist knowledge, yet security ultimately depends on the awareness and preparedness of non-specialists.

In Threats: What Every Engineer Should Learn From Star Wars (Wiley Publishing), author Adam Shostack uses Star Wars as his north star analogy. This is Shostack's third book after The New School of Information Security and the groundbreaking Threat Modeling: Designing for Security.

In the introduction to Threat Modeling: Designing for Security, Shostack sums up his approach in four questions:

1. What are you building?
2. What can go wrong with it once it's built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?


The remaining 600 densely packed pages of Threat Modeling provide the formal framework needed to get meaningful answers to those questions. The book sets out a structure in which to model threats, be it in software, applications, systems, or services such as cloud computing.

Here in Threats, a book about application security, Shostack uses Star Wars and its characters as a foil to develop ideas around designing secure systems. Part of designing secure systems is ensuring the code is not buggy and works as designed. Another significant part is dealing with the threats against those systems.

It's not just that threat modeling is a good security practice. The last few years have seen contractual and regulatory requirements mandating threat modeling. Even the FDA is getting into the area and (finally) requiring medical device makers to perform threat modeling for their products.

Threat modeling is more than just running some tools. Firms need formal plans and processes for it, and the book does a good job of showing the reader how to build them. Designers like to think about how a product will work as designed, but threat modeling requires them to think about what will go wrong, and that is something many people struggle with.

A good security practitioner, however, will be able to think about what can go wrong. The book details the many areas where this can occur: Shostack includes authentication, confidentiality, access control, privilege escalation, and much more. In fact, in some scenarios there is more that can go wrong than can go right. Many of these are about the security Jedi trying to stop those from the dark side from taking over their systems.

The book uses STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) extensively, which is a method developed at Microsoft in the late 1990s to identify potential vulnerabilities and threats.
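To make the STRIDE method concrete, here is an added example (my own code, not from the review or from Shostack's books) that applies STRIDE-per-element to a small, constructed data-flow diagram and frames the output around the four questions above. The element kinds, the per-kind STRIDE letters, and the sample "browser / web API / orders database" system are assumptions chosen for illustration; the mapping of each STRIDE category to the security property it violates follows the conventional pairing (spoofing versus authentication, tampering versus integrity, and so on).

```python
from collections import Counter
from dataclasses import dataclass

# STRIDE categories and the security property each one undermines.
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}

# STRIDE-per-element: the categories conventionally considered for each
# kind of data-flow-diagram (DFD) element. Assumed mapping for this example.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # one of the APPLICABLE keys
    crosses_boundary: bool = False  # True if the element spans a trust boundary


@dataclass(frozen=True)
class Threat:
    element: str
    category: str     # STRIDE letter
    name: str
    violates: str     # property the threat undermines
    on_boundary: bool


# Constructed sample DFD (question 1: what are we building?).
SAMPLE_DFD = [
    Element("Browser", "external_entity"),
    Element("Web API", "process"),
    Element("Orders DB", "data_store"),
    Element("Browser -> Web API", "data_flow", crosses_boundary=True),
    Element("Web API -> Orders DB", "data_flow"),
]


def enumerate_threats(elements):
    """Question 2: list every STRIDE threat applicable to each element."""
    threats = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind: {el.kind!r}")
        for letter in APPLICABLE[el.kind]:
            name, prop = STRIDE[letter]
            threats.append(Threat(el.name, letter, name, prop, el.crosses_boundary))
    return threats


def count_by_category(threats):
    """How many candidate threats fall into each STRIDE letter."""
    return dict(Counter(t.category for t in threats))


def boundary_first(threats):
    """Order threats so those on trust-boundary crossings are reviewed first."""
    return sorted(threats, key=lambda t: (not t.on_boundary, t.element, t.category))


def threat_model(elements):
    """Answer the four questions for a DFD in one structure."""
    threats = enumerate_threats(elements)
    return {
        "what_are_we_building": [e.name for e in elements],
        "what_can_go_wrong": boundary_first(threats),
        # Question 3: the properties the design must protect, given the threats found.
        "what_to_do": sorted({t.violates for t in threats}),
        # Question 4 (a minimal check): every element received at least one threat.
        "did_we_do_a_decent_job": all(
            any(t.element == e.name for t in threats) for e in elements
        ),
    }


if __name__ == "__main__":
    model = threat_model(SAMPLE_DFD)
    for t in model["what_can_go_wrong"]:
        flag = "*" if t.on_boundary else " "
        print(f"{flag} {t.element:<22} {t.category} {t.name:<24} (protect {t.violates})")
    print("categories:", count_by_category(model["what_can_go_wrong"]))
    print("coverage ok:", model["did_we_do_a_decent_job"])
```

Running it lists eighteen candidate threats for the five-element sample, with the boundary-crossing browser-to-API flow listed first; the point of the per-element table is that it turns "think about what can go wrong" into an exhaustive checklist rather than a brainstorm, which is exactly the discipline the review describes designers struggling with.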

The only downside to the book is that many of the analogies can fall flat if you are not a Star Wars fan or don't know the franchise's backstory.

For those serious about threat modeling and developing secure systems and looking for an engaging and valuable book on the topic, Shostack is saying: security reader, I am your Jedi author.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad



