Shostack + Friends Blog


Secure by Design roundup - March 2024

A busy month in appsec, AI, and regulation. a robot reading a book

Breaking: Alec Muffett reports that Ross Anderson has passed away. Ross was a giant of the field and I’m shocked.


  • The White House released a report on memory safe languages. Stop, read those words again. That the White House is involved should not be a shocker to readers of this blog, and it represents a fascinating state of the evolution of the conversation around memory safety that it would reach that level. (Press release, technical report.)
  • CISA has released their secure software attestation form, which means the 90 day clock is ticking. Tech Target points out that it doesn’t include SBOMs.
  • FDA is updating their 524B guidance. (Update: AAMI has a summary of the update.)

Application Security

  • Interesting post: The most important goal in designing software is understandability. Doesn’t mention threat modeling, but there’s a strong overlap.
  • Herb Sutter writes about Safety in Context. I’ll have more to say about this, but he raises some provocative questions about “sufficient,” and is best read in the context of the White House calling for memory safe languages to replace C++.
  • The LINDDUN team has a new edition of LINDDUN GO, and were kind enough to send me a copy.

Threat Modeling

People are raving out our new whitepaper on Inherent Threats! (Blog overview or direct link.) I expect to be talking about it at Threatmodcon in Lisbon.

Shostack + Associates updates

Open trainings: Our next Essentials (one day) course is at Archimedes in New Orleans (April 30), and two Intensives in person at Blackhat (both two days), which are Aug 3-4 or Aug 5-6

And last but not least, my book Threats is available in Italian!

    Una guida pratica per scrivere applicazioni sicure, con l'aiuto dei tuoi maestri Jedi, Sith e droidi preferiti.
  • Le principali minacce informatiche che ogni ingegnere dovrebbe conoscere.
  • Semplici framework di sicurezza del software da integrare nei propri sistemi.
  • Strategie per costruire sistemi sicuri per team di lavoro di grandi dimensioni.
  • Strategie usate dagli hacker per violare sistemi.

Image by Midjourney: “robot reading many books::2 , while being hacked. The robot is sitting on a bench in front of the white house. There is a stack of books on the bench. The image is cinematic, dramatic, professional photography, studio lighting, studio background, advertising photography, intricate details, hyper-detailed --v 6.0 --ar 8:3”