Appsec Roundup - September 2024

If you say threat modeling three times, it appears!

a photograph of a robot, sitting in a library, working on a jigsaw puzzle

If you say threat modeling three times, it appears! This month’s roundup focuses on recent in-depth threat modeling work, including academic papers, an Amazon white paper, and more. Also, exciting news from Shostack + Associates. There was less in AI, appsec or regulation that jumped out as worthy of rounding up.

Threat Modeling

The Threat Modeling Naturally Tool: An Interactive Tool Supporting More Natural Flexible and Ad-Hoc Threat Modeling, by Ron Thompson and many co-authors, at USENIX Symposium on Usable Privacy and Security (SOUPS). (Paper + tool release).
Bertram Dorn and Paul Vixie of AWS have a new whitepaper, Building security from the ground up with Secure by Design.
MITRE released a mini-site titled Threat Modeling with ATT&CK v1.0.0. Kudos to them for versioning their work.
Michael Nygard has a nice write up on using Architecture Decision Records in Documenting Architecture Decisions that I hadn’t seen before.
Security Challenges of Intent-Based Networking by Jiwon Kim and collaborators. Interesting because they usefully apply STRIDE to a diagram without ever engaging in any methodological discussion. I’m glad to see it (and slightly irked to not be cited 😉 ).

Shostack + Associates updates

Adam will be doing a book signing at the Pheonix Security booth at OWASP Global Appsec San Francisco on Friday the 27th at 3PM.
Adam will be keynoting ThreatModCon San Francisco (Sept 27-28), immediately after OWASP Global Appsec... and we’ll have our first ever trade show booth! We hope to see you there.
Also, our fall is filling up with training deliveries, so if you’re considering doing something, now is a great time to get on the schedule.
Lastly, each year large companies come to us wanting to spend budget by the end of the year. We usually make it work, but contracting often leads to delays. We’ve had customers for whom that phase takes 90 days or longer, and so if you think you’d like to invest in threat modeling training, why not reach out and get started?

Image by Midjourney: “a photograph of a robot, sitting in a library, working on a jigsaw puzzle”

Originally published by Adam on 25 Sep 2024
Categories: application security software engineering security