Shostack + Friends Blog


Application and AI roundup - November

A threat modeling conference, lots of government appsec guidance, and some updates from Shostack + Associates Jigsaw pieces fitting together

Threat Modeling

  • The first ever threat modeling conference (ThreatModCon) was held in Washington DC! It was sold out with 130 attendees from around the world. I delivered a segment for the keynote which you can watch here. You can also read the official recap and Tanya Janca’s recap which covers ThreatModCon and also OWASP and her joining me to deliver training.
  • Excalidraw has added a text to diagram feature. It’s under the tools menu on the far right of the toolbar. (video demo.)


  • The UK’s National Cyber Security Center released Guidelines for secure AI system development with CISA and a score of agencies from around the world. These multi-national guidelines are a fascinating trend.
  • I think something happened at OpenAI? Perhaps the most entertaining detail was Microsoft apparently had to promise that OpenAI employees wouldn’t have to use Microsoft Teams if they took jobs at Microsoft.

Application Security

  • CISA released v2 of their Security By Design document
  • Alex Gantman has posted an interesting critique of Ross Anderson’s Security Engineering.
  • The paper GWP-ASan: Sampling-Based Detection of Memory-Safety Bugs in Production reports on a sampling approach to detecting memory safety bugs now deployed in Chrome, Firefox, Android, both of Apple's operating systems and Linux. Microsoft is noticably absent. They explicitly frame that “GWP-ASan is not a security mitigation tool due to its low detection probability.” But it’s still very cool. Appsec practitioners should pay attention to the focus on practicality that eluded earlier versions of similar ideas.
  • A blog post titled Accessibility training will not save you would be the latest in my ongoing series “We can replace the string X with ‘security’”. Except the author discusses security, saying “.. everyone who writes software should have a concept of security and best practices, it's a complex field, and if you want to do it well you need people with expertise.” Such optimism! I still see lots of organizations which treat security as a tool problem, where they have not really reached that understanding. Regardless, it may be useful to see security challenges reflected through this lens.

Shostack + Associates updates

Above I've rounded up the most important industry news I saw in November. I also want to share that here at Shostack + Associates, we have a couple of companies who are spending “use it or lose it” budget on our self-paced training courses. I’m very appreciative, and if you’re a leader wondering what to get your folks, let me suggest some training?

Also, here at Shostack + Associates, we’ve got a new training page, we renamed a course from “Engineers” to “Essentials”, we added some of our associates to a new about page, and updated the menu at the top of the website to mention all the Services we offer.

Lastly, there's some great discounts on my new Threats book, including 60% off as an audio book, and a Humble Bundle with it and many other great books from Wiley. I may humbly suggest, even a Trek geek would appreciate a Star Wars book as a stocking stuffer.

Image by Midjourney: “puzzle pieces, people collaborating and putting together puzzle pieces, green, blue simplistic, puzzle pieces, studio background, primitivist style, precisionist lines --ar 8:3”