Shostack + Friends Blog

 

Posts in category "software engineering"

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
screenshot from video: breaking into threat modeling

25 Years of Appsec - Appsec Global

Adam is delivering the opening keynote for OWASP Global Appsec 2021 with a 25 year restrospective on the history of appsec and a look into its future.

 
 
An exhausted young man

Training discounts!

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have a discount code for upcoming threat modeling training that can help!

 
An exhausted young man

Training - October

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have upcoming threat modeling training that can help!

 
 
screenshot from NIST website referencing Executive Order 14028

Threat Model Thursday: NIST’s Code Verification Standard

Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and the what the standard means now and in the future.

 

Ransomware is Not the Problem

Arbitrarily powerful software -- applications, operating systems -- is a problem, as is preventing it from running on enterprise systems.

 

Pacific Northwest Appsec Conference

AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria.

 

IoT Security & Threat Modeling

Expanding on the UK Government's ‘The Uk Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling.

 
 
 
microscopic rendering of a COVID-19 spike protein

Vaccines

You may have noticed that my end of the year posts are all science focused. Today, a set of resources on the COVID vaccines.

 
 
 
cover of white paper: The Jenga View of Threat Modeling

The Jenga View of Threat Modeling

I'm happy to announce Shostack + Associate's new, first, corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often.

 
Survey results.

Sonatype Report on DevSecOps

The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness.

 
screenshot of opening to quoted article

'Best Practices for IoT Security'

There's an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? by Christopher Bellman and Paul C. van Oorschot.

 

Code: science and production

Phil Bull presents an interesting, generally convincing, argument in 'Why you can ignore reviews of scientific code by commercial software developers', with a couple of exceptions.

 

SDL Article in CACM

Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works.

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

NIST on SDLs

Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) from NIST is open for comment.

 
 
 
 
Cover of 'Structures' by J. E. Gordon

Structures, Engineering and Security

J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers.

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Open for Business

Recently, I was talking to a friend who wasn't aware that I'm consulting, and so I wanted to share a bit about my new life, consulting!