Buy Used
CDN$ 0.01
+ CDN$ 6.49 shipping
Used: Very Good | Details
Condition: Used: Very Good
Comment: All items ship from the USA.  Arrival time is usually 2-3 weeks.  Appearance of only slight previous use. Cover and binding show a little wear. All pages are undamaged with potentially only a few, small markings. Save a tree, buy from Green Earth Books. All books guaranteed. Read. Recycle. Reuse.
Have one to sell?
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See this image

Threat Modeling Paperback – Jun 25 2004

See all formats and editions Hide other formats and editions
Amazon Price
New from Used from
"Please retry"
CDN$ 90.21 CDN$ 0.01

Harry Potter and the Cursed Child
click to open popover

No Kindle device required. Download one of the Free Kindle apps to start reading Kindle books on your smartphone, tablet, and computer.
Getting the download link through email is temporarily not available. Please check back later.

  • Apple
  • Android
  • Windows Phone
  • Android

To get the free app, enter your mobile phone number.

Product Details

  • Paperback: 288 pages
  • Publisher: Microsoft Press; 1 edition (June 25 2004)
  • Language: English
  • ISBN-10: 0735619913
  • ISBN-13: 978-0735619913
  • Product Dimensions: 18.6 x 2.2 x 22.9 cm
  • Shipping Weight: 340 g
  • Average Customer Review: Be the first to review this item
  • Amazon Bestsellers Rank: #741,377 in Books (See Top 100 in Books)
  •  Would you like to update product info, give feedback on images, or tell us about a lower price?

  • See Complete Table of Contents

Product Description

About the Author

Frank Swiderski is a Software Security Engineer at Microsoft® and is responsible for helping Microsoft product teams evaluate the impact of threats to their product or component. He has specialized in application security for several years, including serving as a managing security architect for @stake, a leading digital security consulting firm.

Window Snyder is a program manager for the Microsoft® Secure Windows® Initiative Team. She is the former director of Security Architecture for @stake, and has dedicated eight years to the security industry as a consultant and as a software engineer.

Customer Reviews

There are no customer reviews yet on
5 star
4 star
3 star
2 star
1 star

Most Helpful Customer Reviews on (beta) HASH(0xb39ebf30) out of 5 stars 8 reviews
31 of 32 people found the following review helpful
HASH(0xb4513da4) out of 5 stars Comprehensive, but stodgy and full of unnecessary filler Oct. 3 2004
By D. Brankin - Published on
Format: Paperback
In my review Thread Modeling (spelt with captials) refers to the book, thread modeling (spelt without capitals) refers to the subject.

Open the cover of this book and the first thing you see in large, bold print is `Reviewer Acclaim for Frank Swiderski, Window Snyder, and Threat Modeling'. I doubt that I'm the only one to notice that ALL the quotes are from current Microsoft employees! Look further and you notice that the content stops and the appendixes start on page 173 (of a 259 page book).

Considering that Chapter 4 of Writing Secure Code 2nd Edition does a much better job or covering threat modeling, you have to wonder what sort of padding is going on to fill 172 pages. In fact, I have to say the signal to noise ratio of this book isn't very good at all - unless you are interested in applying threat modeling to the security of your home or touch-tone telephone system!

If you know anything about threat modeling already, you'll also want to know why all (and I mean ALL - no exceptions) of the threat diagrams in this book show a DREAD score of 0 - why wasn't somebody proof reading this stuff? I don't expect to have to wait long before hearing "MS don't take security seriously - in their latest book they've rated [insert favorite threat here] a 0!"

The diagrams in Threat Modeling are also unnecessarily harder to read than the diagrams in Writing Secure Code. Threat Modeling uses the same square boxes for unmitigated conditions and mitigated conditions. This makes it impossible to tell at a glance whether a threat is outstanding or not. Writing Secure Code's use of circles for Mitigated / Resolved conditions at the leaf of the tree made it easy. I also miss Writing Secure Code's use of dotted lines to indicate unlikely attack paths.

Threat Modeling is not without some redeeming features. The idea and reasons for reducing the DREAD range from 1-10 to 1-3 is a welcome refinement and non-programmers may find the wealth of non-relevant examples helpful in assimilating the underlying concepts. Threat Modeling also covers DFDs (Data Flow Diagrams) which Writing Secure Code regrettably does not.

Threat Modeling is not a complete waste of space. It covers the material it sets out to cover and you should have no trouble producing threat models are reading this book. But if you only have time to read (or the money to buy) one MS security book, you won't regret making it Writing Secure Code instead.
11 of 11 people found the following review helpful
HASH(0xb319115c) out of 5 stars lots of good ideas, lots of annoying flaws Oct. 15 2004
By Alton Naur - Published on
Format: Paperback
This was a very frustrating book to read. It appears to be targeted to a very specific type of reader, yet this reader isn't well described. It exists in a disciplinary vacuum; there are only two references; one of them is to the excellent Howard/LeBlanc "Writing Secure Code", the other is to a book written ten years ago. If you have to ask "what is UML and why is it important?", this book won't help.

On the other hand, if you're a member of a large software development team using formal design methods, this book will give you a workable approach to making sure that the security aspects of your project are comprehensively addressed.

There are two serious defects in the approach described by Swiderski and Snyder. The first is that their approach has serious scalability problems. Like nearly all software modeling methods, it's based on drawing pictures and making lists that must be manually collated and organized. (...)

The other defect in the book is its assumption that "an adversary will not attack the system without assets of interest." In fact, the vast majority of attacks these days are blind attacks from viruses and worms that attempt to invade any host they can gain access to, regardless of the value of any assets it may contain or represent. This fact requires the designer/defender to exhaustively address all possible vulnerabilities, not just the important ones. Managing the enormous list of possible attacks against possible vulnerabilities makes scalability a critical issue.

The threat modeling approach is probably the best one available for identifying security issues that must be addressed in a software system, but its current state is far from satisfactory.
6 of 6 people found the following review helpful
HASH(0xb4514908) out of 5 stars Good coverage of the material, but far too redundant July 7 2005
By Heath Stewart - Published on
Format: Paperback
The book is short at only a 169 pages but it could be shorter. My biggest complaint with this book is that it's incredibly redundant. The first two chapters are spent discussing why threat modeling is important. It is a valid point, as many people may be wondering why threat modeling is important or even what it is. Two chapters may be a little extensive, though, and constantly repeat the same ideas.

Page 13 of the introduction does make a statement that might help in avoiding much of this redundancy:

"Development team members who want to skim this book for an overview should look at Chapter 2, which describes the overall threat modeling process. Chapters 3 and 5 will also be valuable to those looking for shortcuts because they describe entry points, assets, and the threat profile. Chapter 4 describes bounding the threat modeling discussion. The rest of the chapters, which flesh out the threat modeling process, will be most important for a project's security process manager."

I, of course, read the whole thing. So, some redundancy is warranted, since this book itself implies that it is a sort of reference book. But even consecutive sections within the aforementioned chapters repeat the same statements. There is a difference between driving a point home and driving your reader crazy.

I would also add that - if you are going to use the book as a reference - you take a look at Part 4 - appendices A, B, and C - which are entire threat model documents for the three example features used throughout the book.

This book is a good book for anyone in software design and development to understand how to write secure software. Every entry and exit point is a threat, and unmitigated threats are vulnerabilities. Feature- and program-level threat modeling can help to mitigate those threats by identifying use cases and non-use cases for those entry points, roles accessing those entry points, threats associated with those entry points using the STRIDE classification (Spoofing, Tampering, Repudiation, Denial of service, and Elevation of privilege), the risk a threat poses using a DREAD rank (Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability), and internal and external notes about the threats. The book also points out that a threat model document is a living document, meaning that it should be kept current as the design of the feature or program changes.

-- Excerpt copied from my blog.
4 of 4 people found the following review helpful
HASH(0xb3192330) out of 5 stars A practical method for doing Threat Modeling June 24 2005
By Amazon Customer - Published on
Format: Paperback
This book describes one method to do Threat Modeling. There are many methods to do threat modeling, and the main objectives and meta-objectives such an exercise has are:

1) Avoid analysis paralysis.

2) Find a way of modeling your security as faithfully as possible.

3) Document interesting information that could influence your security.

4) Based on all the above make sure your system is managing its security properly.

The book presents an approach which is coherent, not always easy, as developing either a threat tree or the right DFD are no easy tasks, but yet one way.

It is imporant to note that the model presented works mostly for applications; not for drivers.
HASH(0xb31924e0) out of 5 stars Multiple reading issues Oct. 12 2011
By Cristian Rojas - Published on
Format: Kindle Edition Verified Purchase
Content is very interesting, but reading is laggy, a little boring, and the e-book itself has issues. Some words glue together at small font sizes, and tables are lacking (Entry Points, Assets, etc). Needs to improve.