RISK CENTRIC THREAT MODELING
Process for Attack Simulation and Threat Analysis
TONY UCEDAVÉLEZ AND MARCO M. MORANA

Copyright © 2015 by John Wiley & Sons, Inc. All rights reserved

Published by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Tony UcedaVélez
Risk Centric Threat Modeling: process for attack simulation and threat analysis / Tony UcedaVélez, Marco M. Morana
pages cm
Summary: “This book describes how to apply application threat modeling as an advanced preventive form of security” – Provided by publisher.
Includes bibliographical references and index.
ISBN 978-0-470-50096-5 (hardback)
1. Data protection. 2. Computer security. 3. Management information systems–Security measures. 4. Computer networks–Security measures. 5. Risk assessment. I. UcedaVélez, Tony, 1976- II. Title.
HF5548.37.M67 2015
658.4′7011–dc23
2015000692

Cover Image: Courtesy of Fromold Books, http://www.fromoldbooks.org/
Typeset in 10pt/12pt Times LT Std by SPi Global, Chennai, India
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
1 2015

To Suzanne, my patient and loving wife, who supported me throughout the five years of writing and research; thank you for your patience and endless support. – Marco

To Heidi, Simon, Serina, Sofia, Samson. For all the soccer balls I missed to kick in the backyard, the tea times I failed to sit in, and the date nights I couldn’t make due to fulfilling this project, this is for you. Deo gratias. Deus lux Mea. – Tony

Special thanks to Sarah Varnell and Caitlyn Patterson (VerSprite) for all of their review, edits, and writing guidance.
CONTENTS

Foreword
Preface
List of Figures
List of Tables

1 Threat Modeling Overview
    Definitions
    Origins and Use
    Summary
    Rationale and Evolution of Security Analysis
    Summary
    Building A Better Risk Model
    Summary
    Threat Anatomy
    Summary
    Crowdsourcing Risk Analytics

2 Objectives and Benefits of Threat Modeling
    Defining a Risk Mitigation Strategy
    Improving Application Security
    Building Security in the Software Development Life Cycle
    Identifying Application Vulnerabilities and Design Flaws
    Analyzing Application Security Risks

3 Existing Threat Modeling Approaches
    Security, Software, Risk-Based Variants

4 Threat Modeling Within the SDLC
    Building Security in SDLC with Threat Modeling
    Integrating Threat Modeling Within The Different Types of SDLCs

5 Threat Modeling and Risk Management
    Data Breach Incidents and Lessons for Risk Management
    Threats and Risk Analysis
    Risk-Based Threat Modeling
    Threat Modeling in Information Security and Risk Management Processes
    Threat Modeling Within Security Incident Response Processes

6 Intro to PASTA
    Risk-Centric Threat Modeling

7 Diving Deeper into PASTA
    Exploring the Seven Stages and Embedded Threat Modeling Activities
    Chapter Summary

8 PASTA Use Case
    PASTA Use Case Example Walk-Through

Glossary
References
Index