Shostack + Friends Blog


Posts in category "software engineering"

A Victorian factory with managers spending time on a complex risk management practice.

The NVD Crisis

The NVD is in crisis, and so is patch management. It’s time to modernize.

a modern paper on a desk. it's a few pages long, and is in 12 point times roman font, double spaced and with lots of complex Bluebook citations in the text. The content of the text is a disciplinary hearing for a lawyer. The text is weirdly distorted, and the edges show signs of hallucination

Solving Hallucinations

Solving hallucinations in legal briefs is playing on easy mode, and it is still too hard

an AI reading a book

Application and AI roundup - May

This month runs quite heavy on AI, but the CISA Safe by Design and Default document is going to be important for the next several years.

An AI generated image with a watermark of dreamtime


Watermarks show us the weird edges of AI work

A set of puzzle pieces

Application Security Roundup - January

So many interesting articles, from AI to an organization of socio-technical harms, fascinating incident reports about Uber and CircleCI, and some history of attack trees.

Text from GPT3, claiming that terminators cannot take over the world in the same way that real machines or robots could.


The OpenAI chatbot is shockingly improved — its capabilities deserve attention.

Text from GPT3, claiming that terminators cannot take over the world in the same way that real machines or robots could.


Text captured from GPT-3

screenshot from video: breaking into threat modeling

25 Years of Appsec - Appsec Global

Adam is delivering the opening keynote for OWASP Global AppSec 2021 with a 25-year retrospective on the history of appsec and a look into its future.

An exhausted young man

Training discounts!

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have a discount code for upcoming threat modeling training that can help!

An exhausted young man

Training - October

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have upcoming threat modeling training that can help!

screenshot from NIST website referencing Executive Order 14028

Threat Model Thursday: NIST’s Code Verification Standard

Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and what the standard means now and in the future.


Ransomware is Not the Problem

Arbitrarily powerful software -- applications, operating systems -- is a problem, as is preventing it from running on enterprise systems.


Pacific Northwest Appsec Conference

AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria.


IoT Security & Threat Modeling

Expanding on the UK Government's 'Code of Practice for Consumer IoT Security' and how it aligns with threat modeling.

microscopic rendering of a COVID-19 spike protein


You may have noticed that my end of the year posts are all science focused. Today, a set of resources on the COVID vaccines.

cover of white paper: The Jenga View of Threat Modeling

The Jenga View of Threat Modeling

I'm happy to announce Shostack + Associates' first corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often.

Survey results.

Sonatype Report on DevSecOps

The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness.

screenshot of opening to quoted article

'Best Practices for IoT Security'

There's an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? by Christopher Bellman and Paul C. van Oorschot.


Code: science and production

Phil Bull presents an interesting, generally convincing, argument in 'Why you can ignore reviews of scientific code by commercial software developers', with a couple of exceptions.


SDL Article in CACM

Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works.



Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) from NIST is open for comment.

Cover of 'Structures' by J. E. Gordon

Structures, Engineering and Security

J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers.


Open for Business

Recently, I was talking to a friend who wasn't aware that I'm consulting, and so I wanted to share a bit about my new life, consulting!