Shostack + Friends Blog

Threat modeling. So much threat modeling, and so much more, including foreshadowing of new rules from FDA. (27 Apr 2025)

Big news for LLMs in threat modeling! (02 Apr 2025)

New releases from DEF CON, the UK’s NCSC, some entertaining AI news, and more! (03 Mar 2025)

An exciting month, with new threat modeling tools, cool thoughts on STAMP, bounds checking, ADRs and more! (12 Feb 2025)

A virtual feast of appsec! (31 Dec 2024)

A virtual feast of appsec! (05 Dec 2024)

If you say liability three times, it appears! (30 Oct 2024)

If you say threat modeling three times, it appears! (25 Sep 2024)

The most important stories around threat modeling, appsec and secure by design for August, 2024. (02 Sep 2024)

The most important stories around threat modeling, appsec and secure by design for June, 2024. (02 Aug 2024)

The most important stories around threat modeling, appsec and secure by design for June, 2024. (10 Jul 2024)

The most important stories around threat modeling, appsec and secure by design for May, 2024. (30 May 2024)

A less busy month in appsec, AI, and regulation, but still interesting stories (08 May 2024)

Making an LLM forget is harder than it seems (21 Apr 2024)

A busy month in appsec, AI, and regulation. (29 Mar 2024)

A busy month in appsec, AI, and regulation. (05 Mar 2024)

A busy month+ in appsec, AI, and regulation. (29 Jan 2024)

2024 is bringing lots of AI, and Liability, too (02 Jan 2024)

A threat modeling conference, lots of government appsec guidance, and some updates from Shostack + Associates (30 Nov 2023)

Exciting news from the SEC, lots of AI, and lots of threat modeling. (09 Nov 2023)

September was a big month in appsec for both memory safety and policy (04 Oct 2023)

Lots of interesting work in LLMs (again) (30 Aug 2023)

This month runs quite heavy on AI, but the CISA Safe by Design and Default document is going to be important for the next several years. (30 May 2023)

Some diagrams to help clarify machine learning threats (13 Apr 2023)

Cumulus is a cloud-oriented version of Elevation of Privilege (06 Apr 2023)

A few tools, some thoughts on injection, some standards, and some of Adam’s appsec news. (05 Apr 2023)

Interesting reads this month include signals from the administration, a history of appsec by one of the originals, and a longread from Apple about kernel memory design. (30 Nov 2022)

Interesting appsec posts: machine learning, performance, and C4 (30 Sep 2022)

Interesting appsec posts: machine learning, performance, and C4 (30 Jul 2022)

Interesting appsec posts: from medical devices to bridges. (28 Jun 2022)

A collection of interesting appsec posts. (12 May 2022)

Adam is delivering the opening keynote for OWASP Global Appsec 2021 with a 25 year restrospective on the history of appsec and a look into its future. (11 Nov 2021)

Time flies and things change... A look back on the growth of this industry. (09 Aug 2021)

AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria. (14 May 2021)

(24 Mar 2021)

[no description provided] (06 Aug 2018)