Threat Modeling by Adam Shostack - Free Chapter Included

By Sarit Newman, Internet Security Researcher. Updated on 21st July 2023.

Threat Modeling is an explanatory book by Adam Shostack that teaches the various methods of successful threat modeling. We sat down with him to talk about his book, and he gave us a sneak preview of the first chapter.

Back in 2014, Adam Shostack – a program manager and security developer for Microsoft – published a book on threat modeling. His book, which is available in Kindle and paperback, explains how to optimize network security for software developers, security managers, and security professionals.  

We had a discussion with him, addressing his book and the importance of threat modeling.

vpnMentor: What made you write Threat Modeling?

Shostack: I wrote Threat Modeling because threat modeling is at the core of my security career.  I have watched so many people struggle to create threat models, even mediocre ones, and I figured there was a better way to teach it.  We security folks learn by doing, by action, by apprenticeship, but a lot of what we're taught to do goes untested.

When threat modeling, should you focus on assets? No, it's a trap. What about focusing on thinking like an attacker? Also a trap. The system catches normal, well-meaning engineers trying to do the right thing, but they aren't successful. It got to the point where even speaking with these engineers for an hour about what to do and what not to do wasn't sufficient, so I decided to write a book about it.

vpnMentor: What new knowledge did you gain while writing this book?

Shostack: The biggest thing I learned in writing the book was just how big threat modeling is. There are ways to think about what you're working on, what can go wrong, what to do about it, or if you did a good job.

Writing a book on threat modeling is like writing a book on all of programming. In programming, there are languages, like Perl or Haskell or even Excel, and there are methods to do it, from copying and pasting to StackOverflow to very formal engineering approaches. There are stages from concept to implementation, to testing and deployment. I had to fit all that into one book! But at the core of threat modeling are four questions:

(1) What are we working on?

(2) What can go wrong?

(3) What are we going to do about it?

(4) Did we do a good job?

I hope sharing these focus points will help others successfully threat model.

Threat Modeling: Designing for Security is available for purchase on Amazon. Click on the link below to read the first chapter. 

Click here to read a chapter from Adam's book!


About the Author

Sarit is an experienced internet security writer who believes everyone has the right to online privacy.
