Tuesday, May 03, 2011

Book Review - "Threat Modeling" by Frank Swiderski and Window Snyder

Even though this book is from 2004, the method it describes for approaching security testing is sound. The basic method is:

  • Create a Threat Profile

    • Idendity Targets

    • Identify Entry/Exit Points

    • Build Models based on this data

  • Associate Risks with each Target

  • Determine how these risks will be tested

  • Perform tests and report results

  • Repeat

This book is an easy read and there is little technical knowledge that is required to be able to understand the concepts presented, which allows it to be technology-agnostic. However, you will need a bit more technical skill to be able to perform some of the analysis and testing that is described. The examples are helpful and provide a good guide on how do document the models.

I would recommend this book to anyone that is responsible for building, testing or responsible for the security of an application.

No comments: