Shostack + Friends Blog

 

Appsec roundup - June 2026

From near misses to a new book on the C4 model and fundamental work by NIST showing the limits of today’s AI Guardrails, lots of exciting news about Application security. a photograph of a robot, sitting in a library, working on a jigsaw puzzle.

This month leads off with Close Calls in Cyberspace: Strengthening Cybersecurity by Learning from Near-Misses by Tommy van Steen, Jeroen Wolbers, and Cristina Del-Real. I’m happy to see research on how we can learn faster and better. All of our security work should be informed by experience, and near misses should be a rich source of such experience.

Threat Modeling

  • Simon Brown has an O’Reilly book on the C4 Model. Amazon says it’ll be out this month.
  • ThreatModCon Vienna happened: I was honored to be part of the unkeynote, which focused on the role of the Threat Modeling Manifesto in a changing world. We talked about the importance of a journey of understanding, and how AI can exemplify both the “Hero Threat Modeler” and “Tendency to Overfocus” anti-patterns. I also led a mastermind session on how to apply layers, and James Reason’s “Swiss Cheese Model” to defenses stretching our answers to “What are we going to do about it?” beyond “controls” or mitigations.
  • Adam presenting an awared to Brook
  • Saving the best for last, the conference awarded Brook Schoenfield a lifetime achievement award. Brook was coincidentally in Vienna for vacation earlier in the week, so we presented him with the certificate on Tuesday, and I led a celebration on Saturday. (I hope to blog more about each of these over the coming weeks.)

Appsec

AI

Games Received

  • Cyber Defense Dice, created by Steven Furnell and team and the University of Nottingham. “A Cyber Awareness Game of Attack and Defence for 2 Players or Teams. Easy to play and suitable for casual use or as an engaging activity for cyber security awareness-raising sessions.”

A set of dice


Shostack + Associates News