Shostack + Friends Blog


Application and AI roundup - September

September was a big month in appsec for both memory safety and policy.

Image: an AI reading a book.

September was a big appsec month for both memory safety and policy, with a lot of sharp-elbowed takes on C, and a lot of important developments in policy, including medical devices and open source.

C and Memory Safety


There's a short article at CISA, Software Must Be Secure by Design, and Artificial Intelligence Is No Exception, by Christine Lai and Jonathan Spring. I like their diagrams, and this will probably influence policy going forward.


  • The FDA has released their new final guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. This formally replaces guidance that’s nearly 9 years old; my comments are here, and since I wrote that, an excellent interview with Jessica Wilkerson of FDA appeared on GovInfoSecurity. [Update: The FDA has announced a webinar on the Final Guidance.]
  • CISA has released their open source strategy. It opens with the importance of partnering with the community.
  • The Office of the National Cyber Director is seeking comments on Open-Source Software Security: Areas of Long-Term Focus and Prioritization by October 9.
  • The city of Seattle is suing Hyundai and Kia for not installing certain anti-theft technology which is standard across other car makers. (Story at Vice, complaint.) The core legal theory is “Car thefts are expensive and dangerous; Measures to Prevent Vehicle Theft Have Existed for Over a Century; Adoption of Modern Engine Immobilizers is widespread; Defendants’ Deviation from the Industry Standard.” (Pulling from the table of contents of the complaint.) While I’m not a lawyer, it seems to me that this theory could apply to many things we do in the software world.

Threat Modeling

  • Excalidraw is a new, simple, free drawing tool that produces sketch-like drawings. The default shapes don’t include a drum; I added the “IT Icons” set to get that.
  • Seats remain available for my Threat Modeling Intensive at OWASP Global AppSec DC, Nov 1-2. (In person only.)

Image by Midjourney: a set of star wars critters being rounded up by a bot. Updated to add FDA webinar.