Threats

SECURE YOUR APPLICATIONS WITH HELP FROM YOUR FAVORITE JEDI MASTERSIn Threats: What Every Engineer Should Learn From Star Wars, accomplished security expert and educator Adam Shostack delivers an easy-to-read and engaging discussion of security threats and how to develop secure systems. The book will prepare you to take on the Dark Side as you learn—in a structured and memorable way—about the threats to your systems. You’ll move from thinking of security issues as clever one-offs and learn to see the patterns they follow. This book brings to light the burning questions software developers should be asking about securing systems, and answers them in a fun and entertaining way, incorporating cybersecurity lessons from the much-loved Star Wars series. You don’t need to be fluent in over 6 million forms of exploitation to face these threats with the steely calm of a Jedi master. You’ll also find:

* Understandable and memorable introductions to the most important threats that every engineer should know
* Straightforward software security frameworks that will help engineers bake security directly into their systems
* Strategies to align large teams to achieve application security in today’s fast-moving and agile world
* Strategies attackers use, like tampering, to interfere with the integrity of applications and systems, and the kill chains that combine these threats into fully executed campaigns

An indispensable resource for software developers and security engineers, Threats: What Every Engineer Should Learn From Star Wars belongs on the bookshelves of everyone delivering or operating technology: from engineers to executives responsible for shipping secure code. ADAM SHOSTACK is a technologist, entrepreneur, and game designer. One of the world’s leading experts on threat modeling, he wrote Threat Modeling: Designing for Security and is an Affiliate Professor at the University of Washington. He is a member of the BlackHat Review Board and the founder of Shostack + Associates, a specialized security consultancy dedicated to helping organizations deliver secure systems. Preface xi

Introduction xv

1 Spoofing and Authenticity 1

2 Tampering and Integrity 41

3 Repudiation and Proof 63

4 Information Disclosure and Confidentiality 95

5 Denial of Service and Availability 131

6 Expansion of Authority and Isolation 151

7 Predictability and Randomness 187

8 Parsing and Corruption 211

9 Kill Chains 249

Epilogue 291

Glossary 295

Bibliography 303

Story Index 317

Index 323