Is Cybersecurity Awareness Month Worth the Money?
How can we measure the ROI on an awareness month?
Shostack + Friends Blog
Posts in category "security"
Why do we call them trust boundaries?
Why do we call them trust boundaries, anyway?
Patching in 2024
In late 2024, people are being offered a choice of features versus security.
Appsec Roundup - Oct 2024
If you say liability three times, it appears!
25 Years of CVE
Some thoughts on 25 years of the CVE program
OWASP Board 2024
Time to vote for OWASP leadership
Appsec Roundup - September 2024
If you say threat modeling three times, it appears!
Secure Boot and Liability
Secure boot presents questions that should inform the liability conversation
Google Health Symposium
Slides from Adam's talk at the Symposium
Appsec Roundup - August 2024
The most important stories around threat modeling, appsec and secure by design for August, 2024.
Secure Boot and Secure by Design
The failure to secure boot keys should be a bigger deal.
Handling Pandemic-Scale Cyber Threats (preprint)
A new paper on 'Pandemic Scale Cyber Events
Appsec Roundup - July 2024
The most important stories around threat modeling, appsec and secure by design for June, 2024.
The Goals of Cyber Public Health
Cyber Public Health is prompting fascinating conversations
Hard Problems + Cyber Public Health
Adam's presentation to a National Academies Panel
Google on Cyber Public Health
Google calls attention to our Cyber Public Health work
Hard Problems + Cyber Public Health
Adam will be presenting to a National Academies Panel
Appsec Roundup - June 2024
The most important stories around threat modeling, appsec and secure by design for June, 2024.
97 Things Every Application Security Professional Should Know
Proud to be an O’Reilly author!
First Workshop on Cyber Public Health
The first workshop on cyber public health was so exciting. Check out the report!
Lockbit, a study in public health
Why is it hard to count lockbit infections?
Scale to Zero
Adam on the Scale to Zero podcast
William Anders
Commemorating William Anders
Security Engineering roundup - May 2024
The most important stories around threat modeling, appsec and secure by design for May, 2024.
Secure by Design roundup - April 2024
A less busy month in appsec, AI, and regulation, but still interesting stories
RSA 2024
A great threat modeling talk at RSA 2024
Happy Star Wars Day
Sutter on Safety
What do we need to assess if memory safe langages are 'sufficient'?
Eternal sunshine of the spotless LLM
Making an LLM forget is harder than it seems
Other comments on the CSRB Microsoft Report
CSRB Report on Microsoft
The CSRB has released its report into an intrusion at Microsoft, and...it’s a doozy.
Introducing Magic Security Dust!
Secure by Design roundup - March 2024
A busy month in appsec, AI, and regulation.
The NVD Crisis
The NVD is in crisis, and so is patch management. It’s time to modernize.
The British Library’s Incident Review
Thoughts on the British Library incident
Application and AI roundup - Feb 2024
A busy month in appsec, AI, and regulation.
Solving Hallucinations
Solving hallucinations in legal briefs is playing on easy mode —— and still too hard
The Security Table: Podcast Episode with Chris Romeo
Adam on The Security Table podcast
Application and AI roundup - Jan 2024
A busy month+ in appsec, AI, and regulation.
CSRB Senate Hearing
Comments following the Senate’s CSRB hearing
Red Queen Dynamics: Podcast Episode with Tarah Wheeler
Adam on Red Queen Dynamics podcast
The State of Appsec in 2024
2024 is bringing lots of AI, and Liability, too
Think like Sieged-sec?
Yet again, attackers surprise us
Think like Alph-V?
Application and AI roundup - November
A threat modeling conference, lots of government appsec guidance, and some updates from Shostack + Associates
C2PA Threat Modeling
What can we learn from the C2PA security considerations document?
Threat Modeling Thursday: Thanksgiving
What can we learn from Gunnar Peterson’s Threat Model for Thanksgiving?
Application and AI roundup - October
Exciting news from the SEC, lots of AI, and lots of threat modeling.
Security Principles in 2023
Principles are lovely, but do they lead us to actionable results?
Adversarial Thinking and Wargames
Thinking about adversarial thinking
Application and AI roundup - September
September was a big month in appsec for both memory safety and policy
FDA Final Cyber Guidance is out
The FDA has released their new guidance, which will be broadly impactful.
Comparing Retrospectives
We can learn a lot from comparing retrospectives
Application and AI roundup - August
Lots of interesting work in LLMs (again)
ML Sec Ops: Feature with Diana Kelley
Adam featured on ML Sec Ops podcast
Use the Defcon Wifi
Why it’s ok to use the Defcon wifi
SEC Cybersecurity Rules
The SEC has important new cybersecurity rules
Chuck, Acme, and Remediation Avoidance
Threat modeling really CAN save you money, just ask Chuck!
Threat Modeling and Secure by Design
Our feedback to CISA is now public
Microsoft Can Fix Ransomware Tomorrow
My latest at Dark Reading draws attention to how Microsoft can fix ransomware tomorrow.
AI will be the high interest credit card of 2023
AppSecPNW 2023
Adam's AppSecPNW 2023 keynote
Application and AI roundup - May
This month runs quite heavy on AI, but the CISA Safe by Design and Default document is going to be important for the next several years.
The Cyber Safety Review Board Should Investigate Major Historical Incidents
Tarah Wheeler and Adam write in CFR
Layoffs in Responsible AI Teams
Some inferences from layoffs in responsible AI teams
Threats Book News and Updates for April
Book signings at RSA, big discounts and more!
Five Threat Model Diagrams for Machine Learning
Some diagrams to help clarify machine learning threats
Reflecting on Threats: The Frame
Reflecting on the framing of the Threats book
Application Security Roundup - March
A few tools, some thoughts on injection, some standards, and some of Adam’s appsec news.
The National CyberSecurity Strategy: Liability is Coming
My David Prouse Moment
Searching my feelings as the audiobook of Threats is released.
Application Security Roundup - Feb
This month is all about memory safety, unless you’re a standards group.
Usable Security and Privacy for Engineers
The new IEEE S+P is all about usable security.
Application Security Roundup - January
So many interesting articles from AI to an organizatoion of socio-technical harms, fascinating incident reports about Uber and Circle CI and some history of attack trees.
The Hacker Mind
Adam spoke with Robert Vamosi of The Hacker Mind podcast
Not all developers can be Jedi
Adam joined Paul Roberts on the Conversing Labs podcast
Threats, To The Supply Chain
The threats book is in the supply chain, inconsistently.
Threats Book Launch Party
The live launch party for Threats!
Threats Book is Complete
The serious side of the book
Threats: The Table of Contents
Like the Force, each threat has a light side, and a dark side.
Threat Modeling is Measure Twice, Cut Once
Threat Modeling is the software version of measure twice, cut once.
The Appsec Landscape in 2023
External changes will be driving appsec in 2023. It’s time to frame the decisions in front of you.
Fast, Cheap and Good, Redux
A new paper on how fast, cheap and good can combine into something we usually discount.
Usable Security Matters
Usable security matters
The Threats book is complete
Threats is almost in bookstores
Cybersecurity Magazine: Podcast Episode with Han Christian Rudolph
Adam on CSM podcast
Application Security Roundup - October and Nov
Interesting reads this month include signals from the administration, a history of appsec by one of the originals, and a longread from Apple about kernel memory design.
Trainings and discounts
People learning together
Application Security Roundup - September
Interesting appsec posts: machine learning, performance, and C4
Threat Modeling for Security Champs
Our next open course is in just a few weeks!
Threat Modeling Training Announcements Fall, 2022
Our fall course offerings
Threats — The Cover
So excited to share the cover with you
Podcast: A Fully Trained Jedi
A fun podcast with the ITSP team.
Application Security Roundup - July
Interesting appsec posts: machine learning, performance, and C4
Major Cyber Incidents Investigations
I'm thrilled this how to guide for standing up new investigations is available.
Congratulations to the CSRB!
I'm thrilled the first CSRB report is available.
Application Security Roundup - June
Interesting appsec posts: from medical devices to bridges.
Authentic Thoughts About What Can Go Wrong
Threat modeling doesn't need to be big and complex
A Science of Cybersecurity Public Health
I've been working with the CyberGreen Institute to develop public health as a way of thinking about cybersecurity.
Application Security Roundup - May
A collection of interesting appsec posts.
on the security of Star Wars
Adam joined Josh and Kurt on the Open Source Security podcast
Happy Star Wars Day: A Big Announcement & Small Gift
Exciting news from Adam Shostack on Star Wars Day 2022
CyberPeace
A new book on cyberpeace!
FDA Draft Premarket Guidance
The FDA has issued draft guidance for pre-market security
I need an extension!
A few lessons from the Mazda radio incident.
Ten Questions we hope the CSRB answers
The new Cyber Safety Review Board is an opportunity to get better faster.
Wearing Many Hats
Fascinating history of a transformation in how hackers were seen.
FDA Threat Modeling Playbook Now Available
How to threat model medical devices? The FDA has released a playbook!
Learning Lessons from Aviation
The definition of insanity is doing the same thing over and over and expecting different results. We can do better, and a major new report explains how.
25 Years in AppSec: Looking Back
Time flies and things change... A look back on the growth of this industry.
Ransomware is Not the Problem
Arbitrarily powerful software -- applications, operating systems -- is a problem, as is preventing it from running on enterprise systems.
Thoughts on the Executive Order
A new article by Steve Bellovin and myself at Lawfare.
Van Buren
The Supreme Court has ruled in the van Buren case, and there's a good summary on the Eff's blog.
NSF Wants Data on Your Data Needs
The National Science Foundation is looking for information on needs for datasets.
Colonial Pipeline, Darkside and Models
The Colonial Pipeline shutdown story is interesting in all sorts of ways, and I can't delve into all of it.I did want to talk about one small aspect, which is the way responders talk about Darkside.
Pacific Northwest Appsec Conference
AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria.
Apple Guidance on Intimate Partner Surveillance
Apple has released ‘Device and Data Access when Personal Safety is At Risk’ and I wanted to explore it a bit.
The Updates Must Go Through
The timing of updates is not coincidental.
Mmmm, Pandemic Puppies
Podcast on Using Games
It would be trite writing to say it was fun to be on a podcast with Volko Ruhnke and Hadas Cassorla to talk about using games to teach. And while it was, it was really educational and inspirational. I learned from both of them, and I hope you enjoy the podcast as well!
Fireeye Hack & Culture
Thoughts on the recent Fireeye Hack and the culture surrounding breaches
Training: Threat Modeling for Security Champions
Expanding on our distributed class structure.
Amicus Brief on CFAA
I recently signed onto the amicus brief on the Van Buren/Computer Fraud and Abuse Act filed by the Electronic Frontier Foundation.
Internet Society Opposition to LAED Act
The Internet Society Open Letter Against Lawful Access to Encrypted Data Act was published this morning.
Threat Research: More Like This
I want to call out some impressive aspects of a report by Proofpoint.
Sonatype Report on DevSecOps
The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness.
'Best Practices for IoT Security'
There's an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? by Christopher Bellman and Paul C. van Oorschot.
Evidence Based Security
Check out “The Need for Evidence Based Security” by Chris Frenz.
How Are Computers Compromised (2020 Edition)
Understanding the way intrusions really happen is a long-standing interest of mine.
Free Threat Modeling Training
While I can't fix things, I can at least make my LinkedIn courses free for a time.
Amazon's 'Alexa Built-in' Threat Model
Exploring supply chain threat modeling with Alexa
Repudiation Now Live on Linkedin Learning
My course, “Repudiation in Depth” is now live on Linkedin Learning. This is the fourth course in my Learning Threat Modeling series.
Cryptographic Excitement
A couple big stories in the realm of cryptography that got me excited.
Enter the SpudNet
A new game to teach networking and security concepts.
Encryption & Privacy Policy and Technology
A few tidbits in recent news.
Empirical Evaluation of Secure Development Processes
Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success.
Medical Device Security Standards
Recently, I've seen four cybersecurity approaches for medical devices, and we can learn by juxtaposing them.
Interesting reads
Sharing for you, bookmarking for me.
Course announcement: Tampering in Depth!
I'm excited to announce that I'm hitting my STRIDE and Linkedin has released the second course in my in-depth exploration of STRIDE: Tampering.
Interesting Reads, August 19
Just what the title says
Training At Embedded Systems Security Days
I'm excited to be teaming up with Alpha Strike and Limes Security to deliver training in Vienna November 6-8.
Actionable Followups from the Capital One Breach
What have we learned and what steps can we take?
Valuing CyberSecurity Research Datasets
A paper at the Workshop on the Economics of Information Security titled “Valuing CyberSecurity Research Datasets” focuses on the value of the IMPACT data sharing platform at DHS, and how the availability of data shapes research.
Safety and Security in Automated Driving
Let’s explore the risks associated with Automated Driving.
Passwords Advice
Bruse Marshall has put together a useful comparison of password requirements from OWASP ASVS v3 and v4.
DNS Security
I'm happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance.
When security goes off the rails
My newest post over at Dark Reading ponders regulation.
Polymorphic Warnings On My Mind
The more we see it, the more we ignore it.
Cybersecurity is not very important
Some points to consider, from Andrew Odlyzko.
The Queen of the Skies and Innovation
Innovation, regulation, and more.
Incentives and Multifactor Authentication
What if we gamified security?
Structures, Engineering and Security
J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers.
Measuring ROI for DMARC
I'm pleased to be able to share work that Shostack + Associates and the Cyentia Institute have been doing for the Global Cyber Alliance.
Does PCI Matter?
It's certainly not a silver bullet...
CyberSecurity Hall of Fame
[no description provided]
CSO on AppSec at the Speed of Devops
[no description provided]
Keeping the Internet Secure
[no description provided]
Games and Cards
[no description provided]
Conway's Law and Software Security
[no description provided]
Just Culture and Information Security
[no description provided]
$35M for Covering up A Breach
[no description provided]
Designing for Good Social Systems
[no description provided]
Gartner on DevSecOps Toolchain
[no description provided]
Speculative Execution Threat Model
[no description provided]
Pen Testing The Empire
[no description provided]
Portfolio Thinking: AppSec Radar
[no description provided]
Vulnerabilities Equities Process and Threat Modeling
[no description provided]
Microsoft's PCI Blueprint
[no description provided]
The Fights We Have to Fight: Fixing Bugs
[no description provided]
Emergent Design Issues
[no description provided]
It's Not The Crime, It's The Coverup or the Chaos
[no description provided]
Open for Business
Recently, I was talking to a friend who wasn't aware that I'm consulting, and so I wanted to share a bit about my new life, consulting!
Interesting Monday Reads
Each of these is long and thought-provoking and worth savoring.
“Comparing the Usability of Cryptographic APIs”
[no description provided]
Threat Modeling Password Managers
[no description provided]
Secure updates: A threat model
[no description provided]
Threat Modeling Encrypted Databases
[no description provided]
IoT Security Workshop (Seattle, August)
[no description provided]
The Ultimate Stopping Machine?
[no description provided]
Certificate pinning is great in stone soup
[no description provided]
Well-deserved accolades
[no description provided]
Security Rarely Flows Downhill
[no description provided]
Hospital Ransomware
[no description provided]
Ross Anderson on Edge
[no description provided]
Warrants for Cleaning Malware in Kelihos
[no description provided]
Threat Modeling & IoT
[no description provided]
“...the Elusive Goal of Security as a Scientific Pursuit”
[no description provided]
Cyber Grand Shellphish
[no description provided]
Account Recovery
[no description provided]
Groundrules on Complaining About Security
Everyone complains about security, but no one ever... sets boundaries