Shostack + Friends Blog

Posts in category “compliance”

OWASP Keynote Available for Viewing!

Watch Adam's keynote 'Stop Trying to 'Manage Risk'' From OWASP 2025 (17 Dec 2025)

The Cyber Resilience Act (CRA)!

The CRA is coming and it's going to be a dramatic change for technology producers (15 Jul 2025)

Security Researcher Comments on HIPAA Security Rule

A group of us have urged HHS to require better handling of security reports (20 Mar 2025)

Healthcare Info Security: Podcast Episode with Marianne Kolbasuk McGee

Adam on Healthcare Info Security podcast (07 Apr 2024)

The Appsec Landscape in 2023

External changes will be driving appsec in 2023. It’s time to frame the decisions in front of you. (05 Jan 2023)

How Executives Can Use Threat Modeling

You don’t have to be technical, but you can’t make informed decisions about your business without threat modeling. (18 Mar 2022)

NIST Brings Threat Modeling into the Spotlight

New at Darkreading, a post on NIST and threat modeling (23 Sep 2021)

Using Threat Modeling to Improve Compliance (TM Thursday)

Threat model Thursday is not just back, but live again! (20 May 2021)

A PCI Threat Model

Compliance isn't Security, oh and something I wrote. (24 Sep 2020)

3 Arguments for Threat Modeling

Top 3, from Continuum (24 Apr 2019)

Incentives and Multifactor Authentication

What if we gamified security? (01 Feb 2019)

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The RSS feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.