Repeat after me: Model your security threats first

Roger A. Grimes

You'll also find discussions about cloud threats, privacy exploits, and identity lifecycles. If you're in charge of threat modeling at your company, you're no doubt actively worrying about all three topics.

Clearly, Adam has been there and done that -- not just at a defender-versus-attacker tactical level, but in trying to implement threat modeling at an enterprise level. It's easy to model threats to a single program or process, but it's a lot harder to make it a part of an organization's DNA. The book helps by offering chapters dedicated to the success of enterprise implementations, including strategies, tools, and politics.

Most security professionals have a shortlist of people whom they admire as extraordinary teachers of computer security best practices, one that includes such luminaries as Bruce Schneier, Brian Krebs (who is having a movie made about him now), and Stephen Northcutt (of SANS). Add Adam Shostack's name to your list. He gets it right.

Source: InfoWorld
