Shostack + Friends Blog


Security Engineering roundup - May 2024

The most important stories around threat modeling, appsec and secure by design for May, 2024. a photograph of a robot, sitting in a library, working on a jigsaw puzzle

A memorial service for Ross Anderson will be held June 22 in Cambridge. Bruce Schneier wrote an obituary for Ross at CACM. I’m told there will be a way to view the service remotely, and will add it here.

Threat Modeling


The OpenSSF released their Compiler Options Hardening Guide for C and C++. It's very good, and I hate that people need to read it. I'd like to see more than good documentation, I’d GCC + Clang options such as -security-openssf-current, -security-openssf-2024a, or even -no-security-openssf that does the right thing. The various forms could clear how the right thing is being defined, as current (most secure) or by date (least likely to break something). This is more than a random opinion, I’ve been talking about the problem, as it turns out, for almost a full twenty years, going back to a 2004 blog, Ranum on the root of the problem.


Shostack + Associates updates

  • We have upcoming open trainings at OWASP Global AppSec Lisbon June 25-26 and >Blackhat, August 3-4 and August 5-6.
  • Adam will be speaking at ThreatModCon Lisbon, and Shostack + Associates is sponsoring. We have discount codes to give out, contact us!
  • Also, the magic is back... Magic Security Dust that is. (Our training magic never left.) Visit Agile Stationery to order, the website will be updated soon to reflect the new stock.

Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle --ar 8:3”