Shostack + Friends Blog

Posts in category "cloud security"

a photograph of a robot, sitting in a library, working on a jigsaw puzzle

Appsec Roundup - Oct 2024

If you say liability three times, it appears! (30 Oct 2024)

The Universal Cloud TM -- Threat Model Thursday

A new universal threat model - what can we learn from it? (06 Jun 2024)

An AI image of A person typing at a computer in a text on screen, but the words are changed on the monitor of a different person's screen

Sutter on Safety

What do we need to assess if memory safe langages are 'sufficient'? (29 Apr 2024)

Cartoon talk bubbles on the report title

Other comments on the CSRB Microsoft Report

Other people have written about the CSRB report, and I wanted to share their perspectives. (17 Apr 2024)

The cover page from the Computer Safety Review Board’s ‘Review of the Summer 2023 Microsoft Exchange Online Intrusion’

CSRB Report on Microsoft

The CSRB has released its report into an intrusion at Microsoft, and...it’s a doozy. (13 Apr 2024)

Insecurity of Government Infrastructure

We have a new paper at NDSS (26 Feb 2024)

Application and AI roundup - May

This month runs quite heavy on AI, but the CISA Safe by Design and Default document is going to be important for the next several years. (30 May 2023)

A set of cards with threats like our deployment artifacts contain secrets that can be extracted

Cumulus

Cumulus is a cloud-oriented version of Elevation of Privilege (06 Apr 2023)

Threat Modeling Google Cloud (Threat Model Thursday)

NCC has released a threat model for Google Cloud Platform. What can it teach us? (01 Mar 2023)

Application Security Roundup - Feb

This month is all about memory safety, unless you’re a standards group. (27 Feb 2023)

How Are Computers Compromised (2020 Edition)

Understanding the way intrusions really happen is a long-standing interest of mine. (20 May 2020)

Actionable Followups from the Capital One Breach

What have we learned and what steps can we take? (30 Jul 2019)

Threat Model Thursday: Google on Kubernetes

[no description provided] (24 May 2018)

Threat Modeling Tooling from 2017

[no description provided] (28 Dec 2017)

Threat Modeling Password Managers

[no description provided] (17 Jul 2017)

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The RSS feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.