Ishan Girdhar
Collective Wisodm

Threat Modeling Designing For Security by Adam Shostack

Anyone can learn to Threat Model. Threat Modelling is as fundamental as version control. Threat Modelling helps you look at the big picture. You can threat model almost anything from a piece of software to a business and all the way to a country's economy.
Ishan Girdhar 7 min read
Threat Modeling Designing For Security by Adam Shostack
This summary is a work in progress. Every time I pick up the book, I find some insight that I haven't pondered on previously and was hiding in plain sight.

My goal is to keep updating this summary as I continue to uncover valuable insights in this book.
Threat Modelling Designing for Security by Adam Shostack


  • Anyone can learn to Threat Model. Threat Modelling is as fundamental as version control.
  • Threat Modelling helps you look at the big picture. You can threat model almost anything from a piece of software to a business and all the way to a country's economy.
  • The book is a comprehensive guide to threat modeling, a proactive strategy for improving security by identifying and mitigating potential threats and vulnerabilities in software, systems, networks, or business processes.
  • The book explains what threat modeling is, why it is important, how to do it, and what tools and techniques can help.
  • The book covers various threat modeling approaches, such as asset-centric, attacker-centric, and software-centric, and provides a framework for structured thinking about what can go wrong and how to prevent or reduce it.
  • The book also offers practical advice on how to test designs against threats, how to address threats that have been validated at Microsoft and other top companies, and how to communicate and document threat models.
  • The book is aimed at security and software developers who need to design secure products and systems and test their designs, as well as security professionals who want to learn how to discern changing threats and adopt a structured approach to threat modeling.
  • The book is based on the author’s extensive experience as a threat modeling expert at Microsoft and elsewhere and includes real-world examples and case studies.
  • The book is not tied to any specific software, operating system, or programming language but rather provides general principles and best practices that can be applied to any context.
  • The book is one of the most prominent and authoritative books on threat modeling and has been chosen as a Dr. Dobbs Jolt Award Finalist.

About the Author

Adam Shostack (Looking at the camera)

Adam Shostack is a leading expert on threat modeling, a consultant, an expert witness, an author, and a game designer.

  • He has decades of experience in delivering security, ranging from founding startups to working at Microsoft.
  • He helped create the CVE (Common Vulnerabilities and Exposures) and fixed autorun for hundreds of millions of systems.
  • He led the design and delivery of the Microsoft SDL Threat Modeling Tool and created the Elevation of Privilege threat modeling game.
  • He wrote Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars.
  • He co-authored The New School of Information Security.
  • He is an affiliate professor at the University of Washington and a member of the Blackhat Review Board.
  • He also serves as an advisor to various companies and academic institutions

Chapterwise Summary

Chapter 1: Dive In and Threat Model!

  • This chapter introduces the concept of threat modeling and explains why it is important for security.
  • It also provides a simple example of threat modeling a web application and gives some checklists for getting started with threat modeling.

Chapter 2: Strategies for Threat Modeling

  • This chapter explores different ways of approaching threat modeling, such as asking, “What’s your threat model?”, brainstorming threats, using structured methods, and modeling software.
  • It also discusses the trade-offs and benefits of each approach.

Chapter 3: STRIDE

This chapter explains the STRIDE model, which is a mnemonic for six types of threats:

  1. Spoofing,
  2. Tampering,
  3. Repudiation,
  4. Information Disclosure,
  5. Denial of Service, and
  6. Elevation of Privilege.

It also shows how to apply STRIDE to different elements of a system and gives an extended example of using STRIDE to analyze a database system.

Chapter 4: Attack Trees

  • This chapter introduces attack trees, which are graphical representations of how an attacker can achieve a goal.
  • It shows how to create and use attack trees to model threats and analyze their likelihood and impact.
  • It also discusses some real-world examples of attack trees and their limitations.

Chapter 5: Attack Libraries

  • This chapter describes attack libraries, which are collections of common or known attacks that can be used as references or sources of inspiration for threat modeling.
  • It explains the properties and benefits of attack libraries and gives some examples of existing attack libraries for different domains and technologies.

Chapter 6: Privacy Tools for Threat Modeling

  • This chapter focuses on privacy issues and how to address them in threat modeling.
  • It presents some privacy tools, such as privacy principles, privacy patterns, privacy impact assessments, and data flow diagrams.
  • It also gives some examples of privacy threats and mitigations for different scenarios.

Chapter 7: Mitigations and Countermeasures

  • This chapter discusses how to deal with the threats that have been identified in threat modeling.
  • It explains the difference between mitigations and countermeasures and provides some guidelines and examples for choosing and applying them.
  • It also introduces some security principles and patterns that can help design secure systems.

Chapter 8: Using Patterns and Principles to Address Threats

  • This chapter expands on the topic of security principles and patterns and shows how they can be used to address threats in a systematic way.
  • It covers some common security principles, such as least privilege, defense in depth, fail-safe defaults, etc., and some security patterns, such as authentication, authorization, encryption, etc.
  • It also gives some examples of applying these principles and patterns to different scenarios.

Chapter 9: Validating That Mitigations Are Effective

  • This chapter explains how to test and verify that the mitigations and countermeasures that have been applied are effective in reducing or eliminating threats.
  • It covers some methods and techniques for validating mitigations, such as testing tools, code reviews, penetration testing, etc.
  • It also discusses some challenges and best practices for validation.

Chapter 10: The Security Development Lifecycle at Microsoft

  • This chapter describes the Security Development Lifecycle (SDL), which is a process that Microsoft uses to integrate security into its software development projects.
  • It explains the goals, phases, activities, roles, and deliverables of the SDL and how it incorporates threat modeling as a core element.
  • It also gives some examples of how the SDL has improved Microsoft’s security outcomes.

Chapter 11: The Security Development Lifecycle at Other Organizations

  • This chapter presents some case studies of how other organizations have adopted or adapted the SDL or similar processes to improve their security practices.
  • It covers some examples from different industries and sectors, such as healthcare, finance, government, etc., and highlights some lessons learned and best practices from each case study.

Chapter 12: Threat Modeling Tools and Resources

  • This chapter introduces some tools and resources that can help with threat modeling tasks. It covers some tools that can automate or assist with creating threat models, such as the Microsoft Threat Modeling Tool (TMT), Elevation of Privilege (EoP) card game, etc.
  • It also provides some references and links to other sources of information on threat modeling topics.

Chapter 13: Threat Modeling and Agile Development

  • This chapter explores the relationship between threat modeling and agile development methodologies, such as Scrum or Kanban. It discusses some challenges and benefits of

Chapter 14: Communicating About Your Threat Model

  • This chapter explains how to communicate effectively about the threat model and its results to different audiences and stakeholders, such as developers, managers, customers, etc.
  • It covers some methods and techniques for presenting and documenting the threat model, such as diagrams, reports, stories, etc.
  • It also discusses some challenges and best practices for communication.

Chapter 15: Measuring Your Threat Modeling Process

  • This chapter discusses how to measure and evaluate the performance and effectiveness of the threat modeling process and its outcomes.
  • It covers some metrics and indicators that can be used to assess the quality and impact of threat modeling, such as coverage, accuracy, efficiency, etc.
  • It also provides some examples and guidance on how to collect and analyze data and report findings.

Chapter 16: Learning from Your Mistakes and Successes

  • This chapter emphasizes the importance of learning from the experience of threat modeling and improving the process and skills over time.
  • It covers some methods and techniques for capturing and sharing lessons learned, such as feedback loops, retrospectives, postmortems, etc.
  • It also provides some tips and suggestions for enhancing threat modeling capabilities and competencies.

Chapter 17: Organizational Culture and Its Impact on Threat Modeling

  • This chapter explores how organizational culture and context can influence the adoption and implementation of threat modeling practices.
  • It covers some factors and dimensions that can affect the culture of security, such as values, beliefs, norms, incentives, etc.
  • It also provides some examples and recommendations on how to foster a positive security culture that supports threat modeling.

Chapter 18: Managing a Portfolio of Threat Models

  • This chapter addresses the challenges and opportunities of managing multiple threat models across different projects or products within an organization.
  • It covers some methods and techniques for organizing and maintaining a portfolio of threat models, such as repositories, libraries, templates, etc.
  • It also discusses some issues and trade-offs of scaling up threat modeling efforts.

Chapter 19: A Career in Threat Modeling

  • This chapter provides some insights and advice on how to pursue a career in threat modeling or related fields.
  • It covers some skills and qualifications that are required or desirable for threat modeling professionals, such as technical knowledge, analytical thinking, communication skills, etc.
  • It also provides some resources and tips on how to find or create opportunities for learning and growth in threat modeling.


The Ultimate Beginner’s Guide to Threat Modeling
Threat modeling is a family of structured, repeatable processes that allows you to make rational decisions to secure applications, software, and systems.

Adam Shostack offers comprehensive courses in various depths, which are available here.

Shostack + Associates offers a variety of threat modeling courses, with options ranging from Linkedin Learning through highly customized live instruction experiences.

More from Ishan Girdhar
Table of Contents

"Brain on Security" Newsletter

18+ hours of reading & analysis distilled into a 10-Minute Summary Monthly.

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Ishan Girdhar.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.