Shostack + Friends Blog

Posts in category “information security”

25 Years of Appsec - Appsec Global

Adam is delivering the opening keynote for OWASP Global Appsec 2021 with a 25 year restrospective on the history of appsec and a look into its future. (11 Nov 2021)

NIST Brings Threat Modeling into the Spotlight

New at Darkreading, a post on NIST and threat modeling (23 Sep 2021)

Threat Model Thursday: NIST’s Code Verification Standard

Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and the what the standard means now and in the future. (15 Jul 2021)

Apple Guidance on Intimate Partner Surveillance

Apple has released ‘Device and Data Access when Personal Safety is At Risk’ and I wanted to explore it a bit. (06 May 2021)

This time for sure, Pinky!

If everyone agrees on what we should do, why do we seem incapable of doing it? (23 Apr 2021)

IoT Security & Threat Modeling

Expanding on the UK Government's ‘The Uk Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling. (22 Apr 2021)

It's 2021: Have you checked your backups?

As the expression goes, no one cares about backups, they care about restores. Do yours work? (03 Jan 2021)

Encryption & Privacy Policy and Technology

A few tidbits in recent news. (11 Dec 2019)

Empirical Evaluation of Secure Development Processes

Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success. (07 Dec 2019)

A Seat At The Table (AppSecCali)

My talks from AppSecCali 2019 (13 Mar 2019)

Pivots and Payloads

A new game from SANS for understanding pen test methodology, tactics, and tools. (17 Dec 2018)

House Oversight Committee on Equifax

The House Oversight Committee has released a scathing report on Equifax... (11 Dec 2018)

CVE Funding and Process

[no description provided] (02 Oct 2018)

Doing Science with Near Misses

Near misses are an important source of information for avoiding accidents, and it's a shame we don't use them in cybersecurity. (06 Feb 2018)

Learning from Near Misses

[no description provided] (04 Dec 2017)

20 Year Software: Engineering and Updates

[no description provided] (23 Oct 2017)

It's Not The Crime, It's The Coverup or the Chaos

[no description provided] (26 Sep 2017)

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The RSS feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.