Shostack + Friends Blog

Recent Blog Posts

Appsec roundup - Feb 2026

This month's roundup starts with losing oneself, continues with cool new threat modeling tools and applications, and continues into appsec, AI and regulation. (03 Mar 2026)

 

Layered Defenses at BSides Seattle

How do we use models to help us answer what are we going to do? (02 Mar 2026)

 

Welcoming Kymberlee Price to Shostack + Associates

We’re pleased to share that Kymberlee Price has joined Shostack + Associates as our Chief Operating Officer. (26 Feb 2026)

 

Vulnerability Finding: An Inflection Point

LLM-driven vuln finding has reached an inflection (18 Feb 2026)

 

The DEF CON 33 Hackers Almanack

The 2026 Hackers Almanack is out! (16 Feb 2026)

 

Adam Featured on the AppSec Weekly Podcast

Learn more about threat modeling and the Four Question Framework (04 Feb 2026)

 

Secure By Design roundup - Dec/Jan 2026

The normalization of deviance, exciting threat modeling news, and a question of do regulatory threats change ‘the threat model’ as much as GPS attacks? Not yet. (30 Jan 2026)

 

Threat Modeling in the Age of AI

Adam will be the featured speaker at the ISC2 Seattle Chapter meeting in February. (29 Jan 2026)

 

NIST 800-218 revision

NIST 800-218 wants you! (27 Jan 2026)

 

Bitlocker, the FBI, and Risk

What can the Bitlocker story tell us about risk? (23 Jan 2026)

 

Security Advisory SA-26-01 GPS Attacks

GPS attacks trigger revisiting threat models (22 Jan 2026)

 

Take Control of What you Read, Redux

In 2026, it’s more important than ever to take control of what you read (11 Jan 2026)

 

Congratulations to ThreatModeler and IriusRisk!

Congratulations to all involved! (07 Jan 2026)

 

A few thoughts closing out 2025

Prompted by participants, a few closing thoughts for 2025 (31 Dec 2025)

 

Gavle Goat Survived 2025 - or did it?

Important news about current events (26 Dec 2025)