Threats: What Every Engineer Should Learn from Star Wars

Secure your applications with help from your favorite Jedi masters.

In Threats: What Every Engineer Should Learn From Star Wars, accomplished security expert and educator Adam Shostack delivers an easy-to-read and engaging discussion of security threats and how to develop secure systems. The book will prepare you to take on the Dark Side as you learn, in a structured and memorable way, about the threats to your systems. You’ll move from thinking of security issues as clever one-offs to seeing the patterns they follow. This book brings to light the burning questions software developers should be asking about securing systems, and answers them in a fun and entertaining way, incorporating cybersecurity lessons from the much-loved Star Wars series. You don’t need to be fluent in over 6 million forms of exploitation to face these threats with the steely calm of a Jedi master.

You’ll also find:

- Understandable and memorable introductions to the most important threats that every engineer should know
- Straightforward software security frameworks that will help engineers bake security directly into their systems
- Strategies to align large teams to achieve application security in today’s fast-moving and agile world
- Strategies attackers use, like tampering, to interfere with the integrity of applications and systems, and the kill chains that combine these threats into fully executed campaigns

An indispensable resource for software developers and security engineers, Threats: What Every Engineer Should Learn From Star Wars belongs on the bookshelves of everyone delivering or operating technology: from engineers to executives responsible for shipping secure code.

Author(s): Adam Shostack
Edition: 1
Publisher: Wiley
Year: 2023

Language: English
Pages: 355

Cover
Title Page
Copyright Page
Contents
Preface
Introduction
Who This Book Is For
What You’ll Gain from This Book
A Few Words for the Nonengineer
Security Terminology
How This Book Is Organized
Chapter 1 Spoofing and Authenticity
Identifiers and Authentication
Technical Identifiers
Human Identifiers
Authenticating People to People
Authenticating People to Computers
Authenticating Computers to People
Authenticating Computers to Computers
Spoofing Attacks
Spoofing Files
Spoofing Processes
Spoofing Machines
Spoofing in Specific Scenarios
Internet of Things
Mobile Phones
Cloud
Considerations in Authenticating to Organizations
Mechanisms for Spoofing Attacks
Misrepresentation
Attacks on Authentication Mechanisms
Threats Against Authentication Types
Defenses
Authenticating People
Authenticating Computers
Conclusion
Chapter 2 Tampering and Integrity
Introduction
Targets of Tampering
Tampering with Storage
Tampering with Communications
Tampering with Time
Process Tampering
Tampering in Specific Technologies
Mechanisms for Tampering
Location for Tampering
Tools for Tampering
Defenses
Cryptography
The Kernel
Detection
Conclusion
Chapter 3 Repudiation and Proof
Introduction
The Threat: Repudiation
Message Repudiation
Fraud
Account Takeover
Logging Threats
Repudiation in Specific Technologies
Internet of Things (Including Phones)
Cloud
AI/ML
Crypto and Blockchain
Repudiation Mechanisms
Defenses
Cryptography
Keeping Logs
Using Logs
Antifraud Tools
Conclusion
Chapter 4 Information Disclosure and Confidentiality
Threats to Confidentiality
Information Disclosure, at Rest
Information Disclosure, in Motion
Information Disclosure from a Process
Human Connections
Side Effects and Covert Channels
Information Disclosure Mechanisms
Information Disclosure with Specific Scenarios
Internet of Things
Mobile Phones
Cloud
AI/ML
Blockchain
Privacy
Defenses
Operating System Defenses
Defending Your Process
Cryptography
Conclusion
Chapter 5 Denial of Service and Availability
Resources Consumed by Denial-of-Service Threats
Compute
Storage
Networks
Electrical Power
Money
Other Resources
Denial-of-Service Properties
Bespoke or Generalized
Amplification
Authentication Targets
Ephemeral or Persistent
Direct or Emergent
Denial of Service in Specific Technologies
Authentication Services
Cloud
Protocol Design
IoT and Mobile
Defenses
Abundance and Quotas
Graceful Degradation
Resilience Testing
Conclusion
Chapter 6 Expansion of Authority and Isolation
Expansion Mechanisms and Effects
Authority in Specific Scenarios
Confused Deputies
Internet of Things
Mobile
Cloud
Defenses
Least Privilege and Separation of Privilege
Architecture as Barrier
Code as Barrier
Authority and Privilege
Access Control (Background)
Newer Approaches to Policy
Conclusion
Chapter 7 Predictability and Randomness
Predictability Threats
Guessing and Testing
Cryptographic Threats
Time and Timing Threats
Information Disclosure and Time
Tampering with Time
Predictability in Specific Scenarios
Network Traffic
Local System Threats
Business Processes
Defenses
Preventing Races
Defenses Against Guessing and Searching
Usability
Assume Transparency
Conclusion
Chapter 8 Parsing and Corruption
What Is Parsing?
How Parsers Work
A “Bit” of Context
All Data Is Tainted
Threats to Parsers
SQL Injection Example
Surprising Output
Overly Powerful Input
Denial-of-Service Threats to Parsers
Bad Advice
Chained Parsers
Specific Parsing Scenario Threats
Parsing Protocols + Document Formats
C Code + Memory Safety
Defenses
The Robustness Principle
Input Validation
Memory Safety
LangSec
Conclusion
Chapter 9 Kill Chains
Threats: Kill Chains
Server Kill Chain
Desktop Kill Chains
Acquire or Use Credentials
Kill Chains for Specific Scenarios
Cloud
IoT
Mobile (iOS, Android)
Weaponization as a Subchain
“No One Would Ever Do That”
Ransomware
Elements of Network Kill Chains
History
History of Kill Chains
Defenses
Types of Defenses
Defensive Scenarios
Conclusion
Epilogue
Glossary
Bibliography
Story Index
Episode I: The Phantom Menace
Episode III: Revenge of the Sith
Obi-Wan (Television Series)
Rogue One
Star Wars: A New Hope
The Empire Strikes Back
Return of the Jedi
Index
EULA