Shostack + Friends Blog

Application Security Roundup - July

Interesting appsec posts: machine learning, performance, and C4

The most interesting #appsec articles I read this month included a deep dive into attacks on machine learning, Spotify's post aboutthe C4 model, and a rant that's nominally about performance, but applies equally to security.

Practical Attacks on Machine Learning Systems (Chris Anley, NCC) A 40 page review, including a new taxonomy, how traditional attacks impact ML systems and a set of categorized references.
Software Visualization — Challenge, Accepted (Renato Kalman and Johan Wallin) Spotify discusses how they've adapted and extended the C4 model to help them understand and track their system architecture. I've been aware of C4 for a while, and most of the discussion I see is "this looks interesting," not "we adopted this."
A Few Good Performance Men (Rico Mariani) Nominally about performance, but in truth — you can't handle the truth! — it's also about security.

Originally published by Adam on 30 Jul 2022
Categories: software engineering security news application security

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The ATOM feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.