Comprehensive Review of 'Threat Modeling Gameplay with EoP' by Michael Bernhardt

We are pleased to share a comprehensive review of "Threat Modeling Gameplay with EoP", published by Packt, and written by the reviewer Michael Bernhardt. This review offers an in-depth exploration of the book's key themes and insights, providing readers with a thorough understanding of its value. This book helps you to explore software security through gamified threat modeling, uncovering risks while making it enjoyable. You’ll learn to identify, mitigate, and defend against threats, enhancing your system's security.

Please find the review below:

You won't forget the first Threat Model workshop that you conducted. Whether it is the excitement in preparation of the workshop or the attempt to find the right attack vectors during the workshop. Remembering my first workshops more than 15 years ago, I was glad to work together with a group of technical-savvy and security-interested people. Over the years, I met diverse groups that helped me to constantly complement my skills and perspectives on the matter. 

What do you do when nowadays you want to prepare yourself best for the first time you are conducting a Threat Modeling with a team? Numerous books have meanwhile been released that talk about the process and the concepts. While this is for sure a helpful input to have a template for Threat Modeling, it does not guide you in the discussion with the teams on the particular threats in the application and the respective resolutions. There, Brett's Threat Modeling Gameplay with EoP comes as a helpful guide, giving you the right examples and proposals at hand for anyone starting into the domain. It leverages STRIDE as the most used framework for the security assessment and TRIM for privacy alike. 

So, how does it look like? Do you know what is behind the term Repudiation, can you correlate the term Inference to an example? Considering that you know Repudiation, did you consider assuring the secure time synchronization across the application systems and for the logging service? As a provider of a large language model, did you consider that the model may pose a sensitive information disclosure risk by insufficient training data evaluation and thereby contradict common AI regulations? The book brings you more than 200 examples, outlining on the threat itself, providing its attack pattern and weakness classification, and provides you the security controls and guidance for preventing it. 

And, if you find together with a bunch of security folks interested to complement their skills over a deck of card, the book gives you a strategic advantage playing Adam Shoestack’s Elevation of Privilege – but sshhhh, don’t tell the others… 

Best of luck for your endeavor into the world of Threat Modeling and enjoy the journey! 

Reviewer Bio

Michael Bernhardt is a seasoned security strategist and believes that a solid security culture is the essential glue for technological innovation and strong security. Throughout his more than 15 years in the profession, he has advised dozens of Fortune-500 SAP ERP customers and is currently helping Germany’s second-largest telecommunication provider in their secure cloud transformation as head of product security. He is leading the Corporate Security Program Evolution Model (CSPEM) initiative, which brings along tools and concepts for the organizational transformation of security programs. Additionally, he is a founder of the OWASP Security Champions Manifesto and Threat Modeling Connect, and regularly shares his perspective at conferences and on blogs.