Shostack + Friends Blog

Recent Blog Posts

The Cyber Resilience Act (CRA)!

The CRA is coming and it's going to be a dramatic change for technology producers (15 Jul 2025)

 

Threat modeling as a dial, not a switch

Thinking of threat modeling with a knob helps you get more out of it. (09 Jul 2025)

 

Voting Twice for Secession Would be More Fair

Thinking about secession and mechanisms (05 Jul 2025)

 

The Unanimous Declaration of the Thirteen United States of America

When was the last time you looked over what our country was founded upon? (04 Jul 2025)

 

Appsec Roundup - June 2025

Lots of fascinating threat model-related advances, new risk management tools, games, and more! (01 Jul 2025)

 

Google’s approach to AI Agents -- Threat Model Thursday

What can we learn from Google’s approach to AI Agent Security (27 Jun 2025)

 

Publish your threat model!

We think you should publish your threat model, and we’re publishing our arguments. (16 Jun 2025)

 

The Essence and Beauty of Threat Modeling

Automation sounds great, but what about the essence and beauty? (13 Jun 2025)

 

Appsec Roundup - May 2025

Lots of fascinating threat model-related advances, new risk management tools, games, and more! (02 Jun 2025)

 

Andor: Insider Threats

Andor teaches us about insider threats (02 Jun 2025)

 

Free Threat Modeling Training for Displaced Federal Workers

Free training for displaced government employees (20 May 2025)

 

Blackhat Earlybird Prices End Friday

(19 May 2025)

 

Cyber Hard Problems Report

The Cyber Hard Problems report is coming out (14 May 2025)

 

Andor: Think like a leader

Think like a what??! (13 May 2025)

 

Andor Threats: Information Disclosure

What Andor can teach us about Information disclosure threats (03 May 2025)