Shostack + Friends Blog

Posts in category "research papers"

Insecurity of Government Infrastructure

We have a new paper at NDSS (26 Feb 2024)

person creating smoke with handheld device

Threat Model Thursday: Technology Consumers

“It depends on your threat model...” (29 Apr 2021)

Mitigating Social Bias in Knowledge Graphs

Something to consider (04 Dec 2020)

Contextualisation of Data Flow Diagrams...

Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed. (09 Jun 2020)

'Best Practices for IoT Security'

There's an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? by Christopher Bellman and Paul C. van Oorschot. (08 Jun 2020)

SDL Article in CACM

Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works. (11 May 2020)

Threat Model Thursday: Data Flow Diagrams

This week's threat model Thursday looks at an academic paper, Security Threat Modeling: Are Data Flow Diagrams Enough? by Laurens Sion and colleagues. (23 Apr 2020)

screenshot of first page of paper cited in the post

Empirical Evaluation of Secure Development Processes

Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success. (07 Dec 2019)

screenshot of article mentioned in this post

Valuing CyberSecurity Research Datasets

A paper at the Workshop on the Economics of Information Security titled “Valuing CyberSecurity Research Datasets” focuses on the value of the IMPACT data sharing platform at DHS, and how the availability of data shapes research. (26 Jul 2019)

Safety and Security in Automated Driving

Let’s explore the risks associated with Automated Driving. (08 Jul 2019)

screenshot of paper mentioned in this post

Polymorphic Warnings On My Mind

The more we see it, the more we ignore it. (29 May 2019)

Whitepaper cover: Measuring the Impact of DMARC's Part in Preventing Business Email Compromise

Measuring ROI for DMARC

I'm pleased to be able to share work that Shostack + Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. (16 Oct 2018)

Learning from Near Misses

[no description provided] (04 Dec 2017)

“Comparing the Usability of Cryptographic APIs”

[no description provided] (20 Jul 2017)

Adam & Chris Wysopal webcast

[no description provided] (24 May 2017)

“...the Elusive Goal of Security as a Scientific Pursuit”

[no description provided] (25 Apr 2017)

Cyber Grand Shellphish

[no description provided] (24 Apr 2017)

Cyber Balance Sheet

[no description provided] (18 Apr 2017)

Calls for an NTSB?

[no description provided] (20 Feb 2017)

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The RSS feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.

Our site works best with Javascript enabled, however we have done our best to minimize any negative impacts to your experience without it.