Secure By Design roundup - September 2025

The secret service, the CSRB, the CMMC, Sept was pretty busy in government. Plus Apple's Memory Integrity and a nice short paper on prompt-based attacks.

a photograph of a robot, sitting in a library, working on a jigsaw puzzle

Threat Modeling

The Secret Service announced they’d busted a SIM farm “used for swatting” and set off a bit of a firestorm. CNN has one of the more detailed stories. 404Media points out that The SIM Farm Hardware Seized by the Secret Service Is Also Popular With Ticket Scalpers. TProphet and Robert Grahamhave analyses in a debunking bluesky thread and a newsletter, respectively. (In Threats, I wrote that “the deeply democratic principle of one person, one phone is wrong,” but many people like use a wait and see demonstration of a threat. Well, you waited, you see, what are you going to do next?)
Bruce Schneier has a piece on Digital Threat Modeling Under Authoritarianism.

Appsec

Apple released an extensive blog post on Memory Integrity Enforcement. Nice work, and its important to recognize the value of platforms in enabling “undifferentiated” appsec, letting software producers focus on their unique threats.

AI

A team at the University of Wisconsin Madison has released Breaking to Build: A Threat Model of Prompt-Based Attacks for Securing LLMs, a remarkably concise review of prompt-based attacks. Because prompt injection is so funny, it’s easy to miss that it generally obviates any safeguard that the LLM is expected to impose within a system.

Regulation

Jeff Greene (who led the team that drafted EO 14028 which created the CSRB) has an article What’s Next for the Cyber Safety Review Board? It highlights the strange state of the board not being canceled by revisions to the EO, but also not being staffed, and makes suggestions for a new board charter.
Department of War Announces New Cybersecurity Risk Management Construct to replace CMMC. It lists ten principles, none of which really embrace the idea of secure by design or threat modeling.
Veerle van Harten and colleagues have an article Unfit for purpose? Assessing the applicability of country-level IoT security advice in which they check if manufacturer documentation helps users apply four basic bits of IoT security advice which exist across many standards:
1. Change the default password to a new strong password,
2. Use different passwords for different devices,
3. Install updates, and
4. Enable automated updates.
Spoiler: the docs consistently fail.

Shostack + Associates News

We’re launching a new course at OWASP Appsec Global DC: Threat Modeling Intensive with AI. How can we use LLMs to help us threat model effectively, and how can we use them to help scale? We’re a bit over a month away, and the content’s coming together nicely.
Adam will be keynoting at the main AppSec Global event.

Originally published by Adam on 01 Oct 2025
Categories: application security software engineering security