Appsec roundup - March 2026

a photograph of a robot, sitting in a library, working on a jigsaw puzzle. The robot holds up the jigsaw puzzle

This month leads off with Donald Knuth’s Claude’s Cycles:

Shock! Shock! I learned yesterday that an open problem I’d been working on for several weeks had just been solved by Claude Opus 4.6 — Anthropic’s hybrid reasoning model that had been released three weeks earlier! It seems that I’ll have to revise my opinions about “generative AI” one of these days. What a joy it is to learn not only that my conjecture has a nice solution but also to celebrate this dramatic advance in automatic deduction and creative problem solving.

Threat Modeling

Corporate Compliance Insights has a long article explaining that Warranty Language Might Be Your Biggest Right-to-Repair Liability. And while this might seem to fit in the regulation section below, it also influences your security design: “If the restriction is software-enabled (diagnostics, pairing, firmware locks), the story can become exclusion by design, not brand protection.” So you need to think about the relationship of your boundaries to right-to-repair.
Yi Ting Shen, Kentaroh Toyoda, Alex Leung shared MCP-38: A Comprehensive Threat Taxonomy for Model Context Protocol Systems (v1.0). It’s nicely deep and clearly written.

Appsec

Introducing the WebPKI Observatory by Ryan Hurst.

AI

In A GitHub Issue Title Compromised 4,000 Developer Machines, Grith analyzes a chain of issues that lead to thousands of packages being compromised. The core issue is giving agents the full authority of humans, in systems where humans have tremendous authority because predicting what authority they’ll need is hard.

Regulation

Tanya Janca’s secure coding petition to the government of Canada has passed the bar for consideration in Parliament. She asks: “If you are a citizen or permanent resident, sign petition E-7115, and write or call your MP to explain to them why having a standard across all governmental organizations is critical for protecting Canada.” And based on our conversation, even a few people per riding can make a big difference in what happens when it reaches a vote.
The White House released cybersecurity strategy. It’s refreshingly short and also short on details.
Alyssa Pugh writes that the Updated FFIEC IT Examination Handbook Removed Reputation Risk References.

Shostack + Associates News

We launched a new course, Threat Modeling AI Systems, led by Michael Novak and Shoshana Cox. The first one will be in person in Washington DC, May 19-20.
RSA/BSides week was amazing. Adam Shostack spoke with Adrian Sanabria on A Failure is a Terrible Thing to Waste, and Kymberlee’s reflection post is live at Sunshine and Security – Kymberlee’s week at BSides SF and RSAC 2026.
Adam and Erik Service will be delivering a Threat Modeling Intensive course at OWASP Global Appsec Vienna, June 23-24.
The team will be delivering Adam Shostack's Threat Modeling Intensive With Complete AI. This new, four-day course will include both core threat modeling skills, using LLMs to help you threat model, and threat modeling LLM-centered systems.

Originally published by Adam on 31 Mar 2026
Categories: application security software engineering security