Shostack + Friends Blog


Posts in category "security"

The ad for Synology photos displayed after an emergency security update.

Patching in 2024

In late 2024, people are being offered a choice of features versus security.

A screen capture of the words 'Teaching Software Engineers to Threat Model: We Did It, and So Can You'

RSA 2024

A great threat modeling talk at RSA 2024

An AI image of A person typing at a computer in a text on screen, but the words are changed on the monitor of a different person's screen

Sutter on Safety

What do we need to assess if memory safe languages are 'sufficient'?

A Victorian factory with managers spending time on a complex risk management practice.

The NVD Crisis

The NVD is in crisis, and so is patch management. It’s time to modernize.

A modern paper on a desk. It's a few pages long, and is in 12 point Times Roman font, double spaced and with lots of complex Bluebook citations in the text. The content of the text is a disciplinary hearing for a lawyer. The text is weirdly distorted, and the edges show signs of hallucination.

Solving Hallucinations

Solving hallucinations in legal briefs is playing on easy mode — and still too hard

An AI reading a book

Application and AI roundup - May

This month runs quite heavy on AI, but the CISA Safe by Design and Default document is going to be important for the next several years.

A set of puzzle pieces

Application Security Roundup - January

So many interesting articles, from AI to an organization of socio-technical harms, fascinating incident reports about Uber and CircleCI, and some history of attack trees.

Cover of a workshop report: learning from cyber incidents

Learning Lessons from Aviation

The definition of insanity is doing the same thing over and over and expecting different results. We can do better, and a major new report explains how.


Ransomware is Not the Problem

Arbitrarily powerful software -- applications, operating systems -- is a problem, as is preventing it from running on enterprise systems.


Van Buren

The Supreme Court has ruled in the Van Buren case, and there's a good summary on the EFF's blog.

Mandiant on Darkside, May 15, 2021

Colonial Pipeline, Darkside and Models

The Colonial Pipeline shutdown story is interesting in all sorts of ways, and I can't delve into all of it. I did want to talk about one small aspect, which is the way responders talk about Darkside.


Pacific Northwest Appsec Conference

AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria.


Podcast on Using Games

It would be trite writing to say it was fun to be on a podcast with Volko Ruhnke and Hadas Cassorla to talk about using games to teach. And while it was, it was really educational and inspirational. I learned from both of them, and I hope you enjoy the podcast as well!

Screenshot of Amicus Brief discussed in article

Amicus Brief on CFAA

I recently signed onto the amicus brief on the Van Buren/Computer Fraud and Abuse Act filed by the Electronic Frontier Foundation.

Survey results.

Sonatype Report on DevSecOps

The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness.

Screenshot of the opening of the quoted article

'Best Practices for IoT Security'

There's an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? by Christopher Bellman and Paul C. van Oorschot.

Screenshot of the article mentioned in this post

Valuing CyberSecurity Research Datasets

A paper at the Workshop on the Economics of Information Security titled “Valuing CyberSecurity Research Datasets” focuses on the value of the IMPACT data sharing platform at DHS, and how the availability of data shapes research.


Passwords Advice

Bruce Marshall has put together a useful comparison of password requirements from OWASP ASVS v3 and v4.

Header: The Economic Value of DNS Security

DNS Security

I'm happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance.

Cover of 'Structures' by J. E. Gordon

Structures, Engineering and Security

J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers.

Whitepaper cover: Measuring the Impact of DMARC's Part in Preventing Business Email Compromise

Measuring ROI for DMARC

I'm pleased to be able to share work that Shostack + Associates and the Cyentia Institute have been doing for the Global Cyber Alliance.


Open for Business

Recently, I was talking to a friend who wasn't aware that I'm consulting, and so I wanted to share a bit about my new life, consulting!