Possibly Noteworthy wrote:

Adam Shostack has a new book.

Decius wrote:

This is interesting but the editorial review makes a lot of bold claims without explaining how those claims are met. I eagerly await further reviews and shorter articles written by the authors to promote their book.

First, to clarify, the quoted text was the promo copy from the book jacket, not an independent editorial review.

Second, based on a prior comment, and since this book is published by Addison-Wesley, Acidus may be able to get an early review copy:

I've been exercising my new found privileges as an Addison-Wesley author (getting free books) ...

(Then again, maybe not, since it was only last November that Acidus exclaimed, "Damn you Adam Shostack!!!")

Third, the Table of Contents may shed some light on the "how" you raised above. Beyond that, you can get a limited preview at O'Reilly, but after the introduction (which is also at Amazon), you get only little snippets of each page.

One of the authors (Andrew J. Stewart) offers several technical papers at his web site; another paper is Distributed Metastasis: A Computer Network Penetration Methodology, from 1999.

Shostack recently wrote The Trouble with Threat Modeling, and at Schmoocon 2007 he gave a short talk entitled "Security Breaches Are Good for you." He gave a Blackhat presentation entitled Identity and Economics: Terrorism and Immigration.

RE: The New School of Information Security