Secrets Of A Cyber Security Architect

“This book is about security architecture. My goal is to refrain from theory and focus instead on practice. You will not find much theory in this book. I hope that I have provided just enough theory to place the materials into sufficient context for full understanding. For a deeper explanation, I point the reader to any number of books on security architecture, including my own, Securing Systems, although that book was also intended to remain grounded in the practical and proven rather than being overly theoretical.

Good security architects have dozens of tricks of their trade in their kits. Herein, you will find my tips and tricks, as well as myriad tried and true bits of wisdom that my colleagues have been gracious enough to share with me.

I want to give these to you, the practitioner, to ease your way. This work can be hard, complex, certainly frustrating. Seasoned architects know how to surmount individual, team, and organizational resistance. They know how to express security requirements in ways that will make the requirements more palatable and, thus, get them accomplished.” – From Secrets Of A Cyber Security Architect

The Book’s contents:

The book’s foreword was written by threat modelling guru and long-time security architect, Adam Shostack.

Chapter 1 The Context of Security Architecture:

The first chapter of the book dives into the inherent hostility of our digital context and how a practice that tries to address digital attack and defense proactively might provide us greater digital resiliency.

Chapter 2 What Is Security Architecture, and Why Should I Care?

The second chapter sets out to define “security architecture”. The text then attempts to answer a series of questions surrounding security architecture: Why is security architecture relevant? What does it promise? Who practices it, and what skills are required?

Chapter 3 Architecture, Attacks, and Defenses

Chapter 3 is devoted to an attack and defense analysis of the sort that security architects must often provide. The book uses the famous Heartbleed vulnerability as its subject, allowing Brook to demonstrate the sorts of analyses that have proven effective, as well as the technical depth required and the sorts of technical skills that must be brought to bear.

Chapter 4 Culture Hacking

Chapter 4 catalogs many of the organizational issues and cultural challenges that security architects and secure design programmes must face, and the approaches that seem to move organizations towards effective secure design practices.

Chapter 5 Learning the Trade

Chapter 5 addresses the specific skills and knowledge that people wishing to strengthen their security architecture practice will likely need to learn.

Chapter 6 Problem Areas You Will Encounter

Brook is privileged to interact with and discuss secure design, threat modelling, software security, and security architecture practice with other practitioners across a broad spectrum of organizations: commercial, governmental, and non-governmental (NGO). The same challenges crop up time and again at organizations big and small, across technology stacks and cultures. Chapter 6 is a compendium of the typical problems that will be encountered and the various tricks and tips that Brook and his peers have used to meet them successfully.

The “About the Author” description from Secrets Of A Cyber Security Architect:

“Brook S. E. Schoenfield is the author of Securing Systems: Applied Security Architecture and Threat Models and Chapter 9: Applying the SDL Framework to the Real World, in Core Software Security: Security at the Source. He has been published by CRC Press, SANS Institute, Cisco, SAFECode, and the IEEE. Occasionally, he even posts to his security architecture blog, brookschoenfield.com.

“He is the Master Security Architect at a global cyber security consultancy, where he leads the company’s secure design services. He has held security architecture leadership positions at high-tech enterprises for nearly 20 years, at which he has trained and coached hundreds of people in their journey to becoming security architects. Several thousand people have taken his participatory threat modeling classes.

“Brook has presented and taught at conferences such as RSA, BSIMM, OWASP, and SANS What Works Summits on subjects within security architecture, including threat models, DevOps security, information security risk, and other aspects of secure design and software security.

“Brook lives in Montana’s Bitterroot Mountains. When he’s not thinking about, practicing, writing about, and speaking on secure design and software security, he can be found telemark skiing, hiking, and fly fishing in his beloved mountains, exploring new cooking techniques, or playing various genres of guitar—from jazz to percussive fingerstyle.”