Shostack + Friends Blog

The definition of insanity is doing the same thing over and over and expecting different results. We can do better, and a major new report explains how. (15 Nov 2021)

Adam is delivering the opening keynote for OWASP Global Appsec 2021 with a 25 year restrospective on the history of appsec and a look into its future. (11 Nov 2021)

The pandemic gives us a chance to evaluate AI tools...you'll be shocked to discover how they did. (04 Aug 2021)

Phil Bull presents an interesting, generally convincing, argument in 'Why you can ignore reviews of scientific code by commercial software developers', with a couple of exceptions. (26 May 2020)

Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success. (07 Dec 2019)

I'm happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance. (13 Jun 2019)

The more we see it, the more we ignore it. (29 May 2019)

Over-inflated numbers won't scare me into buying your 'solution'. (02 Apr 2019)

Airplanes are filthy... (01 Nov 2018)

I'm pleased to be able to share work that Shostack + Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. (16 Oct 2018)

[no description provided] (31 May 2018)

[no description provided] (03 Apr 2018)

[no description provided] (25 Aug 2017)