Secure your applications with help from your favorite Jedi masters

In What Every Engineer Should Learn From Star Wars, accomplished security expert and educator Adam Shostack delivers an easy-to-read and engaging discussion of security threats and how to develop secure systems. The book will prepare you to take on the Dark Side as you learn―in a structured and memorable way―about the threats to your systems. You’ll move from thinking of security issues as clever one-offs and learn to see the patterns they follow. This book brings to light the burning questions software developers should be asking about securing systems, and answers them in a fun and entertaining way, incorporating cybersecurity lessons from the much-loved Star Wars series. You don’t need to be fluent in over 6 million forms of exploitation to face these threats with the steely calm of a Jedi master.

You’ll also

An indispensable resource for software developers and security engineers, What Every Engineer Should Learn From Star Wars belongs on the bookshelves of everyone delivering or operating systems, from engineers to executives responsible for shipping secure code.
An engaging read on cybersecurity threats and how to counter the attack patterns in designing software systems. Shostack covers most of the threats within the STRIDE model and then gets into attack trees and kill chains, all along with analogies from Star Wars. As a longtime fan, I enjoyed the Jedi touch, but if you’re a Star Trekker or not into either series, this may not help you sense the disturbance in your code. Then you’ll probably need to take on the longer training of Shostack’s earlier brick of a book, Threat Modeling: Designing for Security. Either way, Padawan, on this fourth of May, may the force be with you :)
Many information security concepts are quite unintuitive to the general public, from ideas such as public-key cryptography to firewalls and more. That is why The Analogies Project was created.
The aim of the Analogies Project is to help spread the message of information security and its importance in the modern world. By drawing parallels between what people already know or find interesting (such as politics, art, history, theatre, sport, science, music, and everyday life experiences) and how these relate to information security, we can increase understanding and support across the whole of society.
Why use analogies? Because many aspects of information security are highly technical and require deep specialist knowledge. However, security ultimately depends on the awareness and preparedness of non-specialists.
In Threats: What Every Engineer Should Learn From Star Wars (Wiley Publishing), author Adam Shostack uses Star Wars as his north star analogy. This is Shostack's third book after The New School of Information Security and the groundbreaking Threat Modeling: Designing for Security.
In the introduction to Threat Modeling: Designing for Security, Shostack sums up his approach in four questions:
1. What are you building?
2. What can go wrong with it once it's built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?
The remaining 600 densely packed pages of Threat Modeling provide the formal framework needed to get meaningful answers to those questions. The book sets a structure in which to model threats, be it in software, applications, systems, or services, such as cloud computing.
Here in Star Wars, a book about application security, Shostack uses Star Wars and its characters as a foil to develop ideas around designing secure systems. Part of designing secure systems is ensuring the code is not buggy and works as designed. Another significant part of that is dealing with the threats against the systems.
It's not just that threat modeling is a good security practice. The last few years have seen contractual and regulatory requirements mandating threat modeling. Even the FDA is getting into the area and (finally) requiring medical device makers to perform threat modeling for their products. Threat modeling is more than just running some tools. Firms need to have formal plans and processes for that. And the book does a good job of showing the reader how they can do that. Designers like to think about how a product will work as designed. But threat modeling requires designers to think about what will go wrong. And that is something many people struggle with.
But a good security practitioner will be able to think about what can go wrong. The book details the many areas where this can occur. He includes authentication, confidentiality, access control, privilege escalation, and much more. In fact, in some scenarios, there is more that can go wrong than can go right. And many of these are about the security Jedi trying to stop those from the dark side from taking over their systems.
The book uses STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) extensively, a method developed at Microsoft in the late 1990s to identify potential vulnerabilities and threats.
The only downside to the book is that many of the analogies can fall flat if you are not a Star Wars fan or don't know the franchise's backstory.
For those serious about threat modeling and developing secure systems and looking for an engaging and valuable book on the topic, Shostack is saying: security reader, I am your Jedi author.
A reminder that I use the tooltips on GR and 3 stars is "I liked it"
This book doesn't have nearly as much Star Wars as I was hoping for, but the Star Wars aspect still helps a lot. Let me illustrate what I was expecting and what I got. What I was expecting was a book that would follow one or more Star Wars movies and discuss the security issues in each scene (if the scene had any); basically like the Star Wars and Philosophy books that the author mentions in the acknowledgments section. What Shostack does instead is use specific moments in Star Wars to illustrate concepts in a book that reads like a more entertaining version of the CISSP certification study book. That is to say, it's not dry, but it's also WAY more technical than you might expect from the title itself (or the trailer for the book).
Now, I've worked in the computer security field for my entire career, so the technical nature didn't bother me, but I was looking for something a little lighter. That said, despite my career, Shostack was still able to get me to see things in a different light thanks to his examples. I learned a lot - and I think that's one of the better praises an author can get.
If you're in the INFOSEC field and are a Star Wars fan, I strongly recommend. If you're just a Star Wars fan, I think you'll *probably* find most of it boring.
Should have been a series of YouTube videos. Written as if it expects all readers to have watched and remembered every scene of the Star Wars movies released about 50 years ago. More boring than my CISSP textbook and not even as comprehensive.
Manager bought the entire infosec team these books, and won't even read or discuss it himself. Probably only bought because he knows the author from somewhere. Should have spent the budget on something more worthwhile.
This book, as someone else said, should have been a series of YouTube tutorials. It was incredibly dry and difficult to get through. I ended up giving up about halfway through. The author’s video content is much better. Unfortunately, this book gets lost in tons of technical jargon and was a slog to read. I gained some insights, but I could not bring myself to finish it. And I’m honestly not sure how much I will retain. I recommend his video content to actually learn something applicable.
Love all the pop culture references. The author's clear and concise writing style makes the concepts easy to understand even for people without a technical background.