DevSecOps: Lessons from the ST:TNG Crew
On First Contact Day, we dive into the lessons that security engineers can learn from the crew.
Shostack + Friends Blog
Recent Blog Posts
DevSecOps: What Every Security Engineer Should Learn from Star Trek
Security engineers in a DevSecOps world can learn a few things from Star Trek.
Sunshine and Security – Kymberlee’s week at BSides SF and RSAC 2026
Some of the best parts of BSidesSF and RSAC 2026 don't make it into session recordings...
Wasting Failures at RSAC™ 2026 Conference
Cybersecurity should learn lessons from industries that are transparent about failure.
Threat Modeling AI Systems: Finding the Line Between Application Security and AI Security
Announcing a new course from the Shostack + Associates team.
Blackhat and Human Factors
BlackHat invites human factors work
Appsec roundup - Feb 2026
This month's roundup starts with losing oneself, continues with cool new threat modeling tools and applications, and continues into appsec, AI and regulation.
Layered Defenses at BSides Seattle
How do we use models to help us answer what are we going to do?
Welcoming Kymberlee Price to Shostack + Associates
We’re pleased to share that Kymberlee Price has joined Shostack + Associates as our Chief Operating Officer.
Vulnerability Finding: An Inflection Point
LLM-driven vuln finding has reached an inflection
The DEF CON 33 Hackers Almanack
The 2026 Hackers Almanack is out!
Adam Featured on the AppSec Weekly Podcast
Learn more about threat modeling and the Four Question Framework
Secure By Design roundup - Dec/Jan 2026
The normalization of deviance, exciting threat modeling news, and a question of do regulatory threats change ‘the threat model’ as much as GPS attacks? Not yet.