
Threats : what every engineer should learn from star wars / Adam Shostack.

O'Reilly Online Learning: Academic/Public Library Edition Available online
Format:
Book
Author/Creator:
Shostack, Adam, author.
Language:
English
Subjects (All):
Computer security.
Computer software--Development.
Computer software.
Star Wars films.
Physical Description:
1 online resource (354 pages)
Place of Publication:
Hoboken, NJ : John Wiley & Sons, Inc., [2023]
Summary:
Secure your applications with help from your favorite Jedi masters.

In Threats: What Every Engineer Should Learn From Star Wars, accomplished security expert and educator Adam Shostack delivers an easy-to-read and engaging discussion of security threats and how to develop secure systems. The book will prepare you to take on the Dark Side as you learn, in a structured and memorable way, about the threats to your systems. You'll move from thinking of security issues as clever one-offs and learn to see the patterns they follow. This book brings to light the burning questions software developers should be asking about securing systems, and answers them in a fun and entertaining way, incorporating cybersecurity lessons from the much-loved Star Wars series. You don't need to be fluent in over 6 million forms of exploitation to face these threats with the steely calm of a Jedi master.

You'll also find:
- Understandable and memorable introductions to the most important threats that every engineer should know
- Straightforward software security frameworks that will help engineers bake security directly into their systems
- Strategies to align large teams to achieve application security in today's fast-moving and agile world
- Strategies attackers use, like tampering, to interfere with the integrity of applications and systems, and the kill chains that combine these threats into fully executed campaigns

An indispensable resource for software developers and security engineers, Threats: What Every Engineer Should Learn From Star Wars belongs on the bookshelves of everyone delivering or operating technology: from engineers to executives responsible for shipping secure code.
Contents:
Cover
Title Page
Copyright Page
Contents
Preface
Introduction
Who This Book Is For
What You'll Gain from This Book
A Few Words for the Nonengineer
Security Terminology
How This Book Is Organized
Chapter 1 Spoofing and Authenticity
Identifiers and Authentication
Technical Identifiers
Human Identifiers
Authenticating People to People
Authenticating People to Computers
Authenticating Computers to People
Authenticating Computers to Computers
Spoofing Attacks
Spoofing Files
Spoofing Processes
Spoofing Machines
Spoofing in Specific Scenarios
Internet of Things
Mobile Phones
Cloud
Considerations in Authenticating to Organizations
Mechanisms for Spoofing Attacks
Misrepresentation
Attacks on Authentication Mechanisms
Threats Against Authentication Types
Defenses
Authenticating People
Authenticating Computers
Conclusion
Chapter 2 Tampering and Integrity
Targets of Tampering
Tampering with Storage
Tampering with Communications
Tampering with Time
Process Tampering
Tampering in Specific Technologies
Mechanisms for Tampering
Location for Tampering
Tools for Tampering
Cryptography
The Kernel
Detection
Chapter 3 Repudiation and Proof
The Threat: Repudiation
Message Repudiation
Fraud
Account Takeover
Logging Threats
Repudiation in Specific Technologies
Internet of Things (Including Phones)
AI/ML
Crypto and Blockchain
Repudiation Mechanisms
Keeping Logs
Using Logs
Antifraud Tools
Chapter 4 Information Disclosure and Confidentiality
Threats to Confidentiality
Information Disclosure, at Rest
Information Disclosure, in Motion
Information Disclosure from a Process
Human Connections
Side Effects and Covert Channels
Information Disclosure Mechanisms
Information Disclosure with Specific Scenarios
Blockchain
Privacy
Operating System Defenses
Defending Your Process
Chapter 5 Denial of Service and Availability
Resources Consumed by Denial-of-Service Threats
Compute
Storage
Networks
Electrical Power
Money
Other Resources
Denial-of-Service Properties
Bespoke or Generalized
Amplification
Authentication Targets
Ephemeral or Persistent
Direct or Emergent
Denial of Service in Specific Technologies
Authentication Services
Protocol Design
IoT and Mobile
Abundance and Quotas
Graceful Degradation
Resilience Testing
Chapter 6 Expansion of Authority and Isolation
Expansion Mechanisms and Effects
Authority in Specific Scenarios
Confused Deputies
Mobile
Least Privilege and Separation of Privilege
Architecture as Barrier
Code as Barrier
Authority and Privilege
Access Control (Background)
Newer Approaches to Policy
Chapter 7 Predictability and Randomness
Predictability Threats
Guessing and Testing
Cryptographic Threats
Time and Timing Threats
Information Disclosure and Time
Predictability in Specific Scenarios
Network Traffic
Local System Threats
Business Processes
Preventing Races
Defenses Against Guessing and Searching
Usability
Assume Transparency
Chapter 8 Parsing and Corruption
What Is Parsing?
How Parsers Work
A "Bit" of Context
All Data Is Tainted
Threats to Parsers
SQL Injection Example
Surprising Output
Overly Powerful Input
Denial-of-Service Threats to Parsers
Bad Advice
Chained Parsers
Specific Parsing Scenario Threats
Parsing Protocols + Document Formats
C Code + Memory Safety
The Robustness Principle
Input Validation
Memory Safety
LangSec
Chapter 9 Kill Chains
Threats: Kill Chains
Server Kill Chain
Desktop Kill Chains
Acquire or Use Credentials
Kill Chains for Specific Scenarios
IoT
Mobile (iOS, Android)
Weaponization as a Subchain
"No One Would Ever Do That"
Ransomware
Elements of Network Kill Chains
History
History of Kill Chains
Types of Defenses
Defensive Scenarios
Epilogue
Glossary
Bibliography
Story Index
Episode I: The Phantom Menace
Episode III: Revenge of the Sith
Obi-Wan (Television Series)
Rogue One
Star Wars: A New Hope
The Empire Strikes Back
Return of the Jedi
Index
EULA
Notes:
Description based on print version record.
Includes bibliographical references (pages 303-316) and index.
Other Format:
Print version: Shostack, Adam Threats
ISBN:
9781119897699
1119897696
9781119895176
1119895170
OCLC:
1366221053
