Coming soon to a bookshelf near you, Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture

This is a new book I have written. It’s a Threat Modeling reference manual for playing Elevation of Privilege. It aims to make Threat Modeling fun and accessible to everyone creating software and hardware by explaining how to play the game and giving examples of what a threat looks like in a real-world situation, to help you spot them in your own solutions. It covers threats from the following categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, Privacy, Transfer, Retention/Removal and Minimization.

You can pre-order now on Amazon; the Kindle edition will be available in September and the paperback will be out in October.

Enjoy!

Threat Modeling Gameplay with EoP

What it’s all about

More and more we hear about data breaches, malware, vulnerabilities and cyber-attacks in general. Instead of fighting fires, let’s prevent them and make our products fireproof. Threat Modeling is a technique used to discover what threats a piece of software, or even hardware, may be susceptible to, and to protect against those threats by building security right into the design of the system.

Engineering teams need to be conscious of these threats and understand their implications, as well as how to protect against them. The Elevation of Privilege card game makes the Threat Modeling process engaging: it offers prompts that suggest potential threats engineers should be looking for. Sometimes, though, it can be hard to grasp the concept behind a threat and understand exactly how it might manifest itself in a real-world situation. This book attempts to pull down that barrier and help anyone new to threat modeling with concrete examples that give you an indication of what to look for. The list of examples is by no means exhaustive, but it is there to help the reader identify similar types of issues within their own products.

At least one example is given for each card in the Elevation of Privilege deck, which includes a suit for each of the threat categories in the S.T.R.I.D.E. threat modeling methodology. You’ll find over 150 examples in all. The book also covers the Privacy suit and T.R.I.M., the Elevation of Privacy extension to the game.

S.T.R.I.D.E. stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. T.R.I.M. stands for Transfer, Retention/Removal, Inference and Minimization. After reading the book you will not only be familiar with each of these terms but will also be able to spot issues relating to them in software and hardware alike.

In addition, each example comes with references where the reader can dive into more detail about that particular type of threat, along with numerous potential mitigations and protections they can put in place to stop the threat or reduce its risk.

What you will learn

  • Understand the Elevation of Privilege card game mechanics
  • Get to grips with the S.T.R.I.D.E. threat modeling methodology
  • Explore the Privacy and T.R.I.M. extensions to the game
  • Identify the threat manifestations described in the game
  • Implement robust security measures to defend against the identified threats
  • Comprehend key points of privacy frameworks, such as GDPR, to ensure compliance

Who this book is for

This book serves as both a reference and support material for security professionals and privacy engineers, aiding in the facilitation of, or participation in, threat modeling sessions. It is also a valuable resource for software engineers, architects, and product managers, providing concrete examples of threats to enhance threat modeling and develop more secure software designs. Furthermore, it is suitable for students and engineers aspiring to pursue a career in application security. Familiarity with general IT concepts and business processes is expected. Enjoy the game, and try threat modeling some software you use or create. Explore the threats in the book, learn how to protect against them, and let’s make the digital world a little safer, one mitigation at a time.