Shostack + Friends Blog


Application Security Roundup - June

Interesting appsec posts: from medical devices to bridges. A set of puzzle pieces

The most interesting #appsec articles I read this month were all about requirements — from medical devices to bridges.

Many of us in cybersecurity are told to avoid what the client sees as needless cost and delay — or worse, told not to look under rocks for fear of what we'll find. Clearer guidance can help, but as Dr. Dempsey says in his Lawfare article, a lot is subsumed into the question of what risk management is appropriate. Licensed engineers can be sanctioned, which gives them a basis to assert that certain steps are essential. We often lack the data to quantify the probability that specific threats will manifest, or to predict their outcomes, but that doesn't mean we should skip the geotechnical investigation.