Securing Systems, The Book

Securing Systems: Applied security architecture and threat modeling

“This is a book about security architecture. The focus of the book is upon how security architecture methods and mindset form a frame for evaluating the security of digital systems in order to prescribe security treatments for those systems. The treatments are meant to bring the system to a particular and verifiable risk posture.”

“This book replies to a question that I once posed to myself. I know from my conversations with many of my brother and sister practitioners that, early in your security careers, you have also posed that very same question. When handed a diagram containing three rectangles and two double-headed arrows connecting each box to one of the others, each of us has wondered, “How do I respond to this?””

Unfathomable arch

An architecture without sufficient information to perform analysis

From the publisher:

Securing Systems: Applied Security Architecture and Threat Models covers all types of systems, from the simplest applications to complex, enterprise-grade, hybrid cloud architectures. It describes the many factors and prerequisite information that can influence an assessment. The book covers the following key aspects of security analysis:

  • When should the security architect begin the analysis?
  • At what points can a security architect add the most value?
  • What are the activities the architect must execute?
  • How are these activities delivered?
  • What is the set of knowledge domains applied to the analysis?
  • What are the outputs?
  • What are the tips and tricks that make security architecture risk assessment easier?

To help you build skill in assessing architectures for security, the book presents six sample assessments. Each assessment examines a different type of system architecture and introduces at least one new pattern for security analysis. The goal is that after you’ve seen a sufficient diversity of architectures, you’ll be able to understand varied architectures and can better see the attack surfaces and prescribe security solutions.”

Quotes from the book:

“Any organization that places into service computer systems that have some chance of being exposed to digital attack will encounter at least some of the problems addressed within Securing Systems. Digital systems can be quite complex, involving various and sometimes divergent stakeholders, and they are delivered through the collaboration of multidisciplinary teams. The range of roles performed by those individuals who will benefit from familiarity with applied security architecture, therefore, turns out to be quite broad. The following list comprises nearly everyone who is involved in the specification, implementation, delivery, and decision making for and about computer systems.

  • Security architects, assessors, analysts, and engineers
  • System, solution, infrastructure, and enterprise architects
  • Developers, infrastructure engineers, system integrators, and implementation teams
  • Managers,technical leaders,program and project managers,middle management, and executives”

“Often when the author is speaking at conferences about the practice of security archi- tecture, participants repeatedly ask, “How do I get started?” At the present time, there are few holistic works devoted to the art and the practice of system security assessment.*

Yet despite the paucity of materials, the practice of security assessment is growing rapidly. The information security industry has gone through a transformation from reactive approaches such as Intrusion Detection to proactive practices that are embed- ded into the Secure Development Lifecycle (SDL). Among the practices that are typi- cally required is a security architecture assessment. Most Fortune 500 companies are performing some sort of an assessment, at least on critical and major systems.

Explaining security architecture assessment has been the province of a few mentors who are scattered across the security landscape, including the author. Now, therefore, seems a like a good time to offer a book describing, in detail, how to actually perform a security assessment, from strategy to threat model, and on through producing security requirements that can and will get implemented.”

Praise for Securing Systems:

“Easily the Best Security Architecture Book in Print – IMHOP the Seminal Tutorial and HandBook.

The SABSA book has been the de facto Security Architecture handbook book for most security professionals and for I myself as a Security Architect. …This, Mr. Schonfield’s [sic] book is not nearly as methodical or comprehensive but in my view it is definitely a much better book and more suited to contemporary Security Architecture forces and practice. It is quite concise, immensely readable, up-to-date, pragmatic and accurately reflects how expert Information Security Architects go about their job and what they do or how they should be doing it. It also discusses issues such as effective stakeholder liaison and several other practical considerations in Security Architecture formulation and review. It is also admirable how the author makes it all readable, pragmatic, yet quite concise and quite comprehensive.”

— Mr. Bookish, Mild and Meek, London UK

Editorial Reviews

“Brook Schoenfield has distilled a tremendous amount of practical experience and critical thinking about security architecture into a resource that should be extremely helpful to practitioners.”
? Jack Jones, Originator of The Open Group Standard, Factor Analysis for Information Risk (FAIR)

“Five stars for Brook Schoenfield who has created a one-stop resource for both the security strategist/technologist and the executive suite, sounding the ‘proactive’ klaxon. The reader is given substantive exemplars on the practicality of architecting security solutions into the mix from the get-go, and obviating the tendency to ‘bolt on’ security at a later date. Securing Systems should be on every CSO’s and CISO’s desk, and referenced often as teams are built and security solutions architected.”
? Christopher Burgess, CEO, Prevendra Inc, Author of Secrets Stolen, Fortunes Lost and Protecting Intellectual Property

“Brook Schoenfield’s approach to securing systems addresses the entire enterprise, not only its digital systems, as well as the processes and people who will interact, design, and build the systems. This book fills a significant gap in the literature and is appropriate for use as a resource for both aspiring and seasoned security architects alike.”
? Dr. James F. Ransome, CISSP, CISM, Senior Director of Product Security at Intel Security Group and Co-Author of Core Software Security

“It is not good enough just to build something and try and secure it, it must be architected from the bottom up with security in it, by professionally trained and skilled security architects, checked and validated by regular assessments for weakness, and through a learning system that learns from today to inform tomorrow. We must succeed.”
? John N. Stewart, SVP & Chief Security Officer, Cisco Security and Trust Organization and Winner of the CSO 40 Silver Award for the 2014 Chief Security Officer of the Year

“This book describes well why some companies are successful and some are not in the area of software security. Brook writes this book out of his own experiences from many years in the trade. I doubt that you can find many who have more years of great achievements in his field. By reading this book, you will get a fast track to build competence in a very advanced area. The possibilities to take the wrong route are much wider than you can imagine. Please do like me? read it and think how I can improve my daily business from what I have learned.”
? Per-Olof Persson, Head of Software Security, Sony Mobile

Brook S.E. Schoenfield’s Amazon author page

Securing Systems on Facebook


Leave a Reply