Shostack + Friends Blog


Posts in category "software engineering"

An exhausted young man

Training discounts!

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have a discount code for upcoming threat modeling training that can help!

An exhausted young man

Training - October

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have upcoming threat modeling training that can help!


Ransomware is Not the Problem

Arbitrarily powerful software -- applications, operating systems -- is a problem, and so is the difficulty of preventing it from running on enterprise systems.


Pacific Northwest Appsec Conference

"AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria."

microscopic rendering of a COVID-19 spike protein

Vaccines

You may have noticed that my end of the year posts are all science focused. Today, a set of resources on the COVID vaccines.

cover of white paper: The Jenga View of Threat Modeling

The Jenga View of Threat Modeling

I'm happy to announce Shostack & Associates' new, and first, corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often.

Survey results.

Sonatype Report on DevSecOps

The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the role of effective communication, both through tools and between people, in developer happiness.

screenshot of opening to quoted article

'Best Practices for IoT Security'

There's an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? by Christopher Bellman and Paul C. van Oorschot.


Code: science and production

Phil Bull presents an interesting, generally convincing, argument in 'Why you can ignore reviews of scientific code by commercial software developers', with a couple of exceptions.


SDL Article in CACM

Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works.