Shostack + Friends Blog

Adam is delivering the opening keynote for OWASP Global Appsec 2021 with a 25 year restrospective on the history of appsec and a look into its future. (11 Nov 2021)

New at Darkreading, a post on NIST and threat modeling (23 Sep 2021)

Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and the what the standard means now and in the future. (15 Jul 2021)

Apple has released ‘Device and Data Access when Personal Safety is At Risk’ and I wanted to explore it a bit. (06 May 2021)

If everyone agrees on what we should do, why do we seem incapable of doing it? (23 Apr 2021)

Expanding on the UK Government's ‘The Uk Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling. (22 Apr 2021)

As the expression goes, no one cares about backups, they care about restores. Do yours work? (03 Jan 2021)

A few tidbits in recent news. (11 Dec 2019)

Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success. (07 Dec 2019)

My talks from AppSecCali 2019 (13 Mar 2019)

A new game from SANS for understanding pen test methodology, tactics, and tools. (17 Dec 2018)

The House Oversight Committee has released a scathing report on Equifax... (11 Dec 2018)

[no description provided] (02 Oct 2018)

Near misses are an important source of information for avoiding accidents, and it's a shame we don't use them in cybersecurity. (06 Feb 2018)

[no description provided] (04 Dec 2017)

[no description provided] (23 Oct 2017)

[no description provided] (26 Sep 2017)