Papers and Talks by Adam Shostack



How to Stand Up a Major Cyber Incident Investigations Board
As we wrote the report on Adapting Aviation Safety Models, we also worked on a how-to guide. We realized that many of the lessons and tradeoffs that we learned about or crystalized as we worked on that were worth capturing because listing and explaining them helps people who want to stand up an investigations process move faster and more predictably. The report, How to Stand Up a Major Cyber Incident Investigations Board. We took the name from Steve Bellovin's work to avoid confusion with the newly created CSRB. Suggested citation: Ontiveros, Victoria, Tarah Wheeler and Adam Shostack. “How to Stand Up a Major Cyber Incident Investigations Board.” Paper, June 2022.
The Buffet Overflow Café
The Buffet Overflow Café is a restaurant for dining cryptographers and cybersecurity professionals. A bit of humor and puns to help present important concepts. Cite: The Buffet Overflow Café, T. Kohno, C. Cobb, A. Lerner, M. Lin, A. Shostack, IEEE Security & Privacy July-Aug. 2022, pp. 4-7, vol. 20 DOI Bookmark: 10.1109/MSEC.2022.3173122
25 Years in Application Security: Looking Back, Looking Forward
The author looks at 25 years of industrial application security through a lens of a code review document released in 1996, examines the progress that’s been made and what those trends imply for the future. A. Shostack, "25 Years in Application Security: Looking Back, Looking Forward," in IEEE Security & Privacy, vol. 20, no. 1, pp. 109-112, Jan.-Feb. 2022, doi: 10.1109/MSEC.2021.3127961. (Author copy.)


Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity
Over four months in the spring of 2021, over 70 experts participated in a (virtual) workshop on the concept of creating a “Cyber NTSB”. The workshop was funded by the National Science Foundation with additional support from the Hewlett Foundation, and organized by Harvard’s Belfer Center with support from Northeastern University’s Global Resilience Institute. With Rob Knake and Tarah Wheeler. The report, learning from cyber incidents project at the Harvard Kennedy School's Belfer Center.
The urgent need to stand up a cybersecurity review board
The urgent need to stand up a cybersecurity review board with Tarah Wheeler and Victoria Ontiveros. Brookings.
Fast, Cheap + Good: An Unusual Tradeoff Available in Threat Modeling
Fast, Cheap + Good: An Unusual Tradeoff Available in Threat Modeling, Shostack + Associates whitepaper #2
Ransomware is not the problem
Ransomware is not the problem. Dark Reading.
Finally! A Cybersecurity Safety Review Board
Finally! A Cybersecurity Safety Review Board with Steve Bellovin, Lawfare.
Threat modeling + compliance
I gave a few related talks, including Reverse Engineering Compliance (Blackhat Asia 2021) and Using Threat Modeling to Improve Compliance (RSA 2021). Both are about how threat modeling can help compliance efforts ‘start with the why.’
Don't B-MAD
B-MAD is a way of describing how people will feel if you say "Bring Me A Diagram." Don't B-MAD: Making Threat Modeling Less Painful explains the concept and the value of collaboration.


We Need a Discipline of Cyber Public Health
Distinguished Lecture at the CASA Cluster of Excellence for Cyber Security, Ruhr University, Bochum Germany. Official page, video, and the references.
Threat Modeling Manifesto
15 or so experts in the field released a manifesto for threat modeling I'm pleased with how it came out.
Contextualisation of Data Flow Diagrams for Security Analysis
A short paper at GraMSec2020, with Shamal Faily, Riccardo Scandariato, Adam Shostack, Laurens Sion, and Duncan Ki-Aries. Paper.
The Jenga View of Threat Modeling
The first corporate whitepaper from Shostack + Associates breaks down threat modeling work in a new way, helping you see the technical skills, soft skills and organizational disciplines that matter as you develop organizational capacity to threat model.
EFF Amicus Brief on Van Buren
The EFF filed an amicus brief in the Van Buren case, and I was honored to be a signatory.
Secure Development Tools and Techniques Need More Research That Will Increase Their Impact and Effectiveness in Practice
With Mary Ellen Zurko, an article for Communications of the ACM (May, 2020). The title lays out the argument of the paper.


The Economic Value of DNS Security
We measured the economic value of DNS security measures, and found that DNS security could impact one breach in three. The full report is free from the Gloabl Cyber Alliance. Co-authored with the Cyentia Institute.
Empirical Evaluation of Secure Development Processes
An academic workshop, held at Schloss Dagstuhl, to study how to evaluate secure development processes. A report is at Empirical Evaluation of Secure Development Processes, and the public information on the workshop is on the Dagstuhl website.
Linkedin Learning Video Courses
I'm pleased to be working with Linkedin to make threat modeling instruction widely available. Five courses are available, including Learning Threat Modeling (for security professionals) and as well as courses on spoofing, tampering, repudiation, information disclosure and a combined class on denial of service and elevation of privilege.


Measuring the Impact of DMARC's Part in Preventing Business Email Compromise
This paper (done in partnership with Jay Jacobs and Wade Baker) Since 2016, the Global Cyber Alliance (GCA) has been working to accelerate adoption of DMARC, an email security standard, by providing tools and resources to aid implementation. This paper measures the economic benefit from that activity. In less than two years, GCA’s DMARC initiative has resulted in more than 5,700 organizations across more than 180 countries adopting DMARC. This has lead to significant financial benefits across a diverse array of industries and governments. The full report is at the GCA website.
Threat Modeling in 2018: Attacks, Impacts and Other Updates
My Blackhat 2018 talk is about how attacks always get better, and that means your threat modeling needs to evolve. This talk looks at what's new and important in threat modeling, organizes it into a simple conceptual framework, and makes it actionable. This includes new properties of systems being attacked, new attack techniques (like biometrics confused by LEDs) and a growing importance of threats to and/or through social media platforms and features. Take home ways to ensure your security engineering and threat modeling practices are up-to-date. (The slides are available as a PDF or online viewer.)
That Was Close! Reward Reporting of Cybersecurity 'Near Misses'
From the abstract: "While information regarding the causes of major breaches may become public after the fact, what is lacking is an aggregated data set, which could be analyzed for research purposes. This research could then provide clues as to trends in both attacks and avoidable mistakes made on the part of operators, among other valuable data... An alternative is a voluntary reporting scheme, modeled on the Aviation Safety Reporting System housed within NASA, and possibly combined with an incentive scheme. Under it, organizations that were the victims of hacks or “near misses” would report the incident, providing important details, to some neutral party. This database could then be used both by researchers and by industry as a whole. People could learn what does work, what does not work, and where the weak spots are.
Cite: Bair, Jonathan and Bellovin, Steven M. and Manley, Andrew and Reid, Blake E. and Shostack, Adam, "That Was Close! Reward Reporting of Cybersecurity 'Near Misses'" Feb 22, 2018). In Colorado Technology Law Journal 16.2.
Available at Colorado Tech Law Journal (see full issue)
Privacy Threat Model for Seattlites
Threat modeling approaches are often centered on the engineering of producing and delivering products or services. The Seattle Privacy Coalition has an ongoing project to create threat models centered on the citizens and residents of Seattle.
At the Seattle Privacy Coalition blog, Threat Modeling the Privacy of Seattle Residents [link to no longer works], there are slides, a whitepaper and other resources.


Amicus brief in Carpenter
The Knight First Ammendment Institute at Columbia University filed an amicus brief in the Carpenter case, and I was honored to be able to participate.
Cyber Portfolio Management
A new way to drive results within and across organizations, Cyber Portfolio Management was introduced in my RSA 2017 talk. RSA has posted Security Leadership Lessons From the Dark Side.


The Breach Response Market Is Broken
Adam Shostack, The Breach Response Market Is Broken (and what could be done) [link to no longer works] was submitted to the FTC for their privacy conference in September 2016. It puts forward the idea that giving consumer vouchers after a breach would enhance the market's ability to innovate.
Input to the Commission on Enhancing National Cybersecurity
Steven M. Bellovin, Adam Shostack, Input to the Commission on Enhancing National Cybersecurity. September 2016.


Threat Modeling Lessons From Star Wars (and elsewhere)
Threat modeling can be scary, and so this talk uses Star Wars to make the content more accessible. The version delivered at BruCon came together particularly well.
3GSE: Usenix workshop on Games, Gaming and Gamification in Security Education
At 3GSE, I presented on both Elevation of Privilege (the paper is the final version of Drawing Developers In) and Control-Alt-Hack (the paper is an exposition of what we did to create the game.)
BSides Las Vegas 2014 Keynote: Beyond Good and Evil
My keynote slides are available at Beyond Good and Evil, and there's also a video.
FUD: A Plea for Intolerance
A column in Communications of the ACM, with Dinei Florêncio and Cormac Herley. The official version is behind a paywall, and there is a draft at Microsoft Research.


Submission to Royal Society
The Royal Society is engaged in a project, Cybersecurity research: a vision for the UK. I submitted a short note suggesting a line of research.
Control-Alt-Hack: The Design and Evaluation of a Card Game for Computer Security Awareness and Education
Tamara Denning, Adam Lerner, Adam Shostack, and Tadayoshi Kohno, Control-Alt-Hack: The Design and Evaluation of a Card Game for Computer Security Awareness and Education.. In Proceedings of ACM Conference on Computer and Communications Security (CCS '13), 2013.
Building a Science of Security
My SIRACon 2013 talk is titled Building a Science of Security. It's part of an ongoing exploration of some of the ideas that Andrew Stewart and I explored in The New School of Information Security.


Elevation of Privilege: Drawing Developers into Threat Modeling
This paper describes my experiences creating the Elevation of Privilege Threat Modeling game. The final paper is at Elevation of Privilege: Drawing Developers into Threat Modeling (PDF).
The Evolution of Information Security
The NSA had a special issue of their journal, "The Next Wave" focused on the science of security. You can get the entire journal at Next Wave, Vol 19 #2 [link to no longer works] or my article as an extract, The Evolution of Information Security (PDF).


Zeroing in on Malware Propagation Methods
Volume 11 of the Microsoft Security Intelligence report opened with a featured article on how malware propagates. Much of the key data in that is my work, and I was one of the authors of the featured article. You can download the featured article here.
Engineers are People Too
Keynote at I3P SAUSAGE workshop ("Software And Usable Security Aligned for Good Engineering"). Similar to my SOUPS keynote, this fully dislosed the NEAT approach to usable warnings, and included thoughts on how to create a learning environment. Slides for Engineers are People Too v 1.1
Helping Engineers Design NEAT Security Warnings
Rob Reeder with myself and Ellen Cram Kowalczyk. We present our wallet card distillation of how to design security warnings in this short paper. Some additional context is in the blog post, Adding Usable Security to the SDL. The paper can be downloaded here.
Risk Hose Podcast: Feedback Loops
I joined Chris Hayes, Alex Hutton and Jay Jacobs, and thought the discussion was particularly good. You can listen or download at "Risk Hose Episode 14 "


Engineers are People Too
Keynote at SOUPS 2010 . In Engineers Are People Too Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the engineer. All too often, engineers are assumed to have infinite time and skills for usability testing and iteration. They have time to read papers, adapt research ideas to the specifics of their product, and still ship cool new features. This talk will bring together lessons from enabling Microsoft's thousands of engineers to threat modeling effectively, share some new approaches to engineering security usability, and propose new directions for research.
The Crisis In Information Security
This is a high level and very well reviewed talk that I'm giving discussing some of the lessons from the New School. I've also been speaking on threat modeling. The slides are designed to support the talk, rather than stand on their own.


The New School of Information Security (book)
Adam Shostack and Andrew Stewart. We examine some of the ongoing shortcomings of the information security profession, and propose some very practical steps that any individual or organization can take to improve things. Available from fine booksellers now.
Older writing on Threat Modeling

At a Security Modeling workshop [link to no longer works], I presented Experiences Threat Modeling at Microsoft, a title which is pretty self explanatory. (Slightly updated from the workshop version.)

In MSDN magazine, Uncover Security Design Flaws Using The STRIDE Approach and Reinvigorate your Threat Modeling Process are about how I'm thinking about threat modeling and some lessons learned. MSDN also published Getting Started With The SDL Threat Modeling Tool.

A series of blog posts on lessons learned threat modeling at Microsoft. The series can be downloaded as a Word doc, The Trouble with Threat Modeling.

As mentioned above, Elevation of Privilege: the Threat Modeling Game is the easy way to get started threat modeling. You can download a copy from Github, and there's a blog post with the announcement. My Black Hat 2010 talk The easy way to get started threat modeling covers some of why the game works, as does a longer paper, Elevation of Privilege: Drawing Developers into Threat Modeling (PDF).

Silver Bullet Podcast #26
After the launch of the New School, Gary McGraw interviewed me for his Silver Bullet Security podcast. Episode 26 has links to listen or download, and Gary edited it into an article.


Privacy Summer Symposium
At the Privacy Summer Symposium organized by Harvard Law School, I gave a short talk on Microsoft's SDL and how it impacted privacy. (With Sue Glueck.)
Security Breaches are good for you (conference presentation, ShmooCon)
At Shmoocon 2007, I gave a short talk entitled Security Breaches Are Good for you.


Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach
In MSDN magazine (November, 2006), with Shawn Hernan, Scott Lambert and Tomasz Ostwald. Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach.
Balancing Information Sharing and Privacy, (Panel presentation, National Conference on Science, Technology, and the Law)
At the National Institute of Justice's National Conference on Science, Technology, and the Law, I participated in a panel on "Balancing Information Sharing and Privacy," and presented Protecting Society By Protecting Information: Reducing Crime by Better Information Sharing (ppt.


The Security Principles of Saltzer and Schroeder
Saltzer and Schroeder's classic principles of information security, illustrated with scenes from Star Wars.
Preserving the Internet Channel Against Phishers (essay)
A short essay, derived from some blog posts about phishing. Preserving the Internet Channel Against Phishers
Security Rituals Enabling the Pair-wise Union of Two Unbound Variables (Crypto 2005 rump presentation)
M. Briceno, J. Callas, T. Cannoy, J. Merchant, A. Shostack, N. van Someren, and R. Wagner. Slides are not being shared
Anonymous blogging project overview (Conference talk, RECon)
Slides from my anonymous blogging talk at the inaugural RECon are available as Powerpoint.
Effective Patch Management: How to make the pain go away (Security Leadership talk)
Slides from my Security Leadership Series talk are online (PDF)
Avoiding Liability: An Alternative Route to More Secure Products (Conference Rump talk, WEIS05)
I've been thinking about liability in information security lately, and have a short draft essay at Avoiding Liability: An Alternative Route to More Secure Product (also available in PDF )
Evidence-based Security Assessment (Panel, ShmooCon)
At Shmoocon, 2005, Crispin Cowan, Ed Reed, Al Potter and I ran a BOF entitled "Evidence Based Security." Our slides are all here: Crispin Cowan (Powerpoint or PDF),Ed Reed (Powerpoint or PDF), Al Potter (Powerpoint or PDF) and mine (PDF only)


What Price Privacy?
Paul Syverson and I contributed a chapter, What Price Privacy? to Economics of Information Security, an edited volume from Springer (Camp, Lewis, editors).
Beyond Patch and Pray: Security By Design (Security Leadership talk)
My presentation at The Security Leadership Conference was on using tools to improve the quality of software and operations. You can see the Powerpoint or pdf. This was where I first publicly commented that "security people are from Mars, business people are from Wharton"
Evite, a rant
A few words about evite, and why I'm silently ignoring your lovely invitation.


Quantifying Patch Management (Secure Business Quarterly)
Quantifying Patch Management was written for @Stake's Secure Business Quarterly Q2 2003 special issue on patch management. Managing the flood of patches out there requires more than brute force.
Identity and Economics: Terrorism and Privacy (BlackHat Briefings USA)
Identity and Economics: Terrorism and Privacy The talk focuses on the limits to the security that multi-purpose ID cards can offer, and suggests that we should spend our money in more useful places. (pdf or Powerpoint.)
Paying for Privacy: Consumers and Infrastructures (Referereed paper, 2nd Workshop on Economics and Information Security)
Paying for Privacy: Consumers and Infrastructures (PDF or Powerpoint ) in which I look at consumer's willingness to pay for privacy, and the subsidy given to privacy invasion by government ID cards.
Will People Ever Pay For Privacy? (Blackhat Briefings, Amsterdam)
After Zero-Knowledge's failure to sell gazillions of subscriptions to our very cool Freedom software, I'm often asked, Will People Ever Pay For Privacy? (PDF or Powerpoint ) My answer is yes, they have, do, and will continue to. Blackhat Briefings in Amsterdam.


Timing the Application of Security Patches for Optimal Uptime
Timing the Application of Security Patches for Optimal Uptime Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack.  Presented at the USENIX 16th Systems Administration Conference (LISA 2002), Philadelphia, PA, December 2002
Economic Barriers to the Deployment of Existing Privacy Technologies (Position paper, First WEIS)
Economic Barriers to the Deployment of Existing Privacy Technologies (Position Paper). Joan Feigenbaum, Michael J. Freedman, Tomas Sander, and Adam Shostack. Proceedings of the Workshop on Economics and Information Security. Berkeley, CA.
Towards Technology for Data Protection (Cutter IT Journal)
Towards Technology for Data Protection May 2002, Cutter IT Journal. (Not Online).
Results, Not Resolutions (essay)
Results, Not Resolutions with Bruce Schneier. Originally appeared in Security Focus, but the version here has several corrections.

Microsoft hired me anyway.

A philosophical digression on the relationship of liberty and security

"The freedom which we enjoy in our democratic government extends also to our ordinary life. We throw open our city to the world, and never by alien acts exclude foreigners from any opportunity of learning or observing although the eyes of an enemy may occasionally profit by our liberality. We live exactly as we please and yet are just as ready to encounter every legitimate danger. If with habits not of labor but of ease, and courage not of art but of nature, we are still willing to encounter anger, we have the double advantage of not suffering hardships before we need to, and of facing them in the hour of need as fearlessly as those who are never free from them. The price of courage will surely be awarded most justly to those who best know the difference between hardship and pleasure and yet are never tempted to shrink from danger. And it is only democratic people who, fearless of consequences, confer their benefits not from calculations of expediency but in the confidence of liberality.

From The Funeral Oration by Pericles of Athens, 431 B.C.
Added September 18th, 2001.


Privacy Engineering for Digital Rights Management Systems (ACM Workshop on Security and Privacy in DRM)
Privacy Engineering for Digital Rights Management Systems, Michael J. Freedman, Joan Feigenbaum, Tomas Sander, Adam Shostack, ACM Workshop on Security and Privacy in Digital Rights Management 2001, LNCS 2320.
Trust, Ethics and Privacy (Boston University Law Review)
Trust, Ethics and Privacy with Ian Goldberg, Austin Hill, Adam Shostack, Boston University Law Review, Volume 81, number 2, April, 2001. (Not online)


Zero-Knowledge Systems whitepapers
Freedom is the most secure, easiest to use privacy software ever made. I was a primary author of three original 1.0 whitepapers: an overview, a similar overview with far more details, and one on security issues. Brian Ristuccia has archived all the Freedom Whitepapers here.
Towards a Taxonomy of Network Security Assessment Techniques (Blackhat Briefings)
At the BlackHat briefings, I presented some work done with Scott Blake working Towards a Taxonomy of Network Security Assessment Techniques. This work came out of the work that we did, together with the outstanding team of people at Netect (now part of Bindview Development) in creating the HackerShield vulnerability scanner. This paper is an attempt to share some of the things we learned in building it.
Breaking Up Is Hard to Do (Best paper, First Usenix Workshop on Smartcards)
My paper with Bruce Schneier, Breaking Up Is Hard To Do: Modeling Security Threats for Smartcards won Best of Show at the First Usenix workshop on Smartcard Technology.


Perspectives on Obscurity (Financial Cryptography, rump talk)
At the conference, I gave two rump session talks, one of which, Perspectives On Obscurity, is available as an outline. (I think this has stood up pretty well.)
Apparent Weaknesses in the Security Dynamics Client Server Protocol (DIMACS Workshop on network threats)
Apparent Weaknesses in the Security Dynamics Client Server Protocol. This paper was presented at the DIMACS workshop on Network Threats, and describes a substantial weakness in the Security Dynamics client server model, which was apparently fixed in versions of the software later than the ones I was working with. Security Dynamics responded to my work before publication. I'm very pleased that they will be publishing their protocols in the future. The final paper DIMACS is available, as is an html version, but the html version is missing two diagrams.
Source Code Review Guidelines
Source code reviews are an important part of writing secure code. I've written some guidelines on how to conduct a review and what to look for.