Reddit reviews Threat Modeling: Designing for Security

We found 5 Reddit comments about Threat Modeling: Designing for Security. Here are the top ones, ranked by their Reddit score.

Threat Modeling: Designing for Security (John Wiley & Sons)

5 Reddit comments about Threat Modeling: Designing for Security:

u/Turtl3Up · 35 points · r/hacking

I'm the manager of application security and research at a mid-level software vendor with over 400 developers and testers and I want to recommend you ignore all of the more generic advice currently in this thread. As someone with coding experience and interest, you have a unique path to infosec that so many companies want, but find it extremely difficult to hire for.

Any company that ships software has to consider the security of their application - full stop. Most rely on scanners or annual third-party vulnerability assessments for this, but obviously that falls short. They need people who can build security in from an architectural standpoint. Someone who can actually implement the fixes suggested by the above methods, and ideally, someone who can help implement security as an integral part of the SDLC instead of as a bolt-on premise.

My recommendation is to make your way through 24 Deadly Sins of Software Security and The Web Application Hacker's Handbook. If you can understand the bulk of the concepts in these two books, you'll be leagues ahead of almost any developer you find yourself up against in a hiring scenario. For the coup de grâce, learn about threat modeling. It's a great way to teach other developers and testers security and to build security into any system during design instead of post-release. Check out this book, which is actually probably a little too comprehensive, use this card game from Microsoft (it seems silly, but I promise you it works), and watch this talk one of the guys on my team gave at BSides Cincinnati.

If you have any questions, PM me.

u/burtawicz · 3 points · r/cscareerquestions

I'd like to preface this by saying that I am certainly not the world's greatest security expert and that there are many people who are more qualified to speak to this matter. Hopefully some of them will see your post and chime in.

In my experience, the less complex the product is, the easier it is to both maintain and secure. Therefore, knowing what you're building and how to build it gives you much better control over the security of it. Unless you're a part of an extremely tight-knit team that includes your SysOps and DevOps people, or you're developing the product and the product's host environment by yourself, there will always be aspects of security outside of your control. However, putting time and effort into the security of the product itself is typically a rewarding investment.

Books:

u/86rd9t7ofy8pguh · 2 points · r/privacy

I don't know if threat modeling exists for a single person, but usually most of the materials online are at the enterprise level or something close to that, like the certification materials for Security+ and CEH v9 or other similar courses. They can somewhat give you an idea of how you want to determine your threat model.

For courses, I like Nathan House's stuff from Udemy.

There are also books that cover those topics, but the page count can range from around 200 to over 600 pages. E.g. The Basics of Cyber Safety has 254 pages and Threat Modeling: Designing for Security has 624 pages.

You can check those also:

https://en.wikipedia.org/wiki/Threat_model

https://en.wikipedia.org/wiki/Threat_%28computer%29#Threat_model

Otherwise, see conferences like DEF CON, Black Hat, CCC and similar. Here's my giveaway: