Shostack + Friends Blog


Application Security Roundup - January

So many interesting articles, from AI to an organization of socio-technical harms, fascinating incident reports about Uber and Circle CI, and some history of attack trees.

A set of puzzle pieces

Let me kick off with an entertaining and thoughtful adaptation of Maslow's Hierarchy of Needs by Irfaan Santoe, The Hierarchy of Needs for Threat Modeling (IriusRisk blog), and with I am not a supplier, in which Thomas Depierre objects to that label and its implications.

There are several very interesting retrospectives:

From there, we come to three interesting academic articles:

Lastly, some history of attack trees. My understanding had been that their first formal writeup was Ed Amoroso's 1994 book, but Alex Gantman shared a link to D. Weiss, "A System Security Engineering Process," Proceedings of the 14th National Computer Security Conference, 1991 (page 572), and Stuart Schecter pointed out that the history goes back to at least 1961; he covers it in his PhD thesis (Section 2.3.1).