
Shostack + Friends Blog
Posts in category “application security”


Appsec roundup - Feb 2026
This month's roundup starts with losing oneself, continues with cool new threat modeling tools and applications, and moves on to appsec, AI and regulation.

Secure By Design roundup - Dec/Jan 2026
The normalization of deviance, exciting threat modeling news, and a question of whether regulatory threats change ‘the threat model’ as much as GPS attacks do. Not yet.

Secure By Design roundup - November 2025
Perspective on CISOs as facilitators, a deep dive into the types of diagrams for medical devices, poetry, Chinese LLMs, Chinese drones and Chinese routers. Do any of them contain secrets?

Secure By Design roundup - October 2025
Phil Venables is releasing a masterclass; new guidance from SAFECode, a new paper from JPMorganChase on their tools, how Facebook uses “waves”, a new AI shared responsibility model and more!

Secure By Design roundup - September 2025
The secret service, the CSRB, the CMMC, Sept was pretty busy in government. Plus Apple's Memory Integrity and a nice short paper on prompt-based attacks.

Secure By Design roundup - July/Aug 2025
All the exciting secure by design news from the end of summer

Appsec Roundup - June 2025
Lots of fascinating threat model-related advances, new risk management tools, games, and more!

Appsec Roundup - May 2025
Lots of fascinating threat model-related advances, new risk management tools, games, and more!

Appsec Roundup - April 2025
Threat modeling. So much threat modeling, and so much more, including foreshadowing of new rules from FDA.

Appsec Roundup - March 2025
Big news for LLMs in threat modeling!

Appsec Roundup - Feb 2025
New releases from DEF CON, the UK’s NCSC, some entertaining AI news, and more!

Appsec Roundup - Jan 2025
An exciting month, with new threat modeling tools, cool thoughts on STAMP, bounds checking, ADRs and more!

Appsec Roundup - Dec 2024
A virtual feast of appsec!

Appsec Roundup - Nov 2024
A virtual feast of appsec!

Appsec Roundup - Oct 2024
If you say liability three times, it appears!

Appsec Roundup - September 2024
If you say threat modeling three times, it appears!

Appsec Roundup - August 2024
The most important stories around threat modeling, appsec and secure by design for August, 2024.

Appsec Roundup - July 2024
The most important stories around threat modeling, appsec and secure by design for June, 2024.

Appsec Roundup - June 2024
The most important stories around threat modeling, appsec and secure by design for June, 2024.

Security Engineering roundup - May 2024
The most important stories around threat modeling, appsec and secure by design for May, 2024.

Secure by Design roundup - April 2024
A less busy month in appsec, AI, and regulation, but still interesting stories

Eternal sunshine of the spotless LLM
Making an LLM forget is harder than it seems

Secure by Design roundup - March 2024
A busy month in appsec, AI, and regulation.

Application and AI roundup - Feb 2024
A busy month in appsec, AI, and regulation.

Application and AI roundup - Jan 2024
A busy month+ in appsec, AI, and regulation.

The State of Appsec in 2024
2024 is bringing lots of AI, and Liability, too

Application and AI roundup - November
A threat modeling conference, lots of government appsec guidance, and some updates from Shostack + Associates

Application and AI roundup - October
Exciting news from the SEC, lots of AI, and lots of threat modeling.

Application and AI roundup - September
September was a big month in appsec for both memory safety and policy

Application and AI roundup - August
Lots of interesting work in LLMs (again)

Application and AI roundup - May
This month runs quite heavy on AI, but the CISA Safe by Design and Default document is going to be important for the next several years.

Five Threat Model Diagrams for Machine Learning
Some diagrams to help clarify machine learning threats

Cumulus
Cumulus is a cloud-oriented version of Elevation of Privilege

Application Security Roundup - March
A few tools, some thoughts on injection, some standards, and some of Adam’s appsec news.

Application Security Roundup - October and Nov
Interesting reads this month include signals from the administration, a history of appsec by one of the originals, and a longread from Apple about kernel memory design.

Application Security Roundup - September
Interesting appsec posts: machine learning, performance, and C4

Application Security Roundup - July
Interesting appsec posts: machine learning, performance, and C4

Application Security Roundup - June
Interesting appsec posts: from medical devices to bridges.

Application Security Roundup - May
A collection of interesting appsec posts.

25 Years of Appsec - Appsec Global
Adam is delivering the opening keynote for OWASP Global Appsec 2021 with a 25-year retrospective on the history of appsec and a look into its future.

25 Years in AppSec: Looking Back
Time flies and things change... A look back on the growth of this industry.

Pacific Northwest Appsec Conference
AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria.

CSO on AppSec at the Speed of Devops
[no description provided]