Secure By Design roundup - September 2025
The secret service, the CSRB, the CMMC, Sept was pretty busy in government. Plus Apple's Memory Integrity and a nice short paper on prompt-based attacks.
Threat Modeling
- The Secret Service announced they’d busted a SIM farm “used for swatting” and set off a bit of a firestorm. CNN has one of the more detailed stories. 404Media points out that The SIM Farm Hardware Seized by the Secret Service Is Also Popular With Ticket Scalpers. TProphet and Robert Grahamhave analyses in a debunking bluesky thread and a newsletter, respectively. (In Threats, I wrote that “the deeply democratic principle of one person, one phone is wrong,” but many people like use a wait and see demonstration of a threat. Well, you waited, you see, what are you going to do next?)
- Bruce Schneier has a piece on Digital Threat Modeling Under Authoritarianism.
Appsec
- Apple released an extensive blog post on Memory Integrity Enforcement. Nice work, and its important to recognize the value of platforms in enabling “undifferentiated” appsec, letting software producers focus on their unique threats.
AI
- A team at the University of Wisconsin Madison has released Breaking to Build: A Threat Model of Prompt-Based Attacks for Securing LLMs, a remarkably concise review of prompt-based attacks. Because prompt injection is so funny, it’s easy to miss that it generally obviates any safeguard that the LLM is expected to impose within a system.
Regulation
- Jeff Greene (who led the team that drafted EO 14028 which created the CSRB) has an article What’s Next for the Cyber Safety Review Board? It highlights the strange state of the board not being canceled by revisions to the EO, but also not being staffed, and makes suggestions for a new board charter.
- Department of War Announces New Cybersecurity Risk Management Construct to replace CMMC. It lists ten principles, none of which really embrace the idea of secure by design or threat modeling.
- Veerle van Harten and colleagues have an article
Unfit for purpose? Assessing the applicability of country-level IoT
security advice in which they check if manufacturer
documentation helps users apply four basic bits of IoT security
advice which exist across many standards:
- Change the default password to a new strong password,
- Use different passwords for different devices,
- Install updates, and
- Enable automated updates.
Shostack + Associates News
- We’re launching a new course at OWASP Appsec Global DC: Threat Modeling Intensive with AI. How can we use LLMs to help us threat model effectively, and how can we use them to help scale? We’re a bit over a month away, and the content’s coming together nicely.
- Adam will be keynoting at the main AppSec Global event.