Shostack + Friends Blog

Posts in category "software engineering"

a photograph of a robot, sitting in a library, working on a jigsaw puzzle

Appsec Roundup - Dec 2024

A virtual feast of appsec! (31 Dec 2024)

Appsec Roundup - Nov 2024

A virtual feast of appsec! (05 Dec 2024)

The ad for Synology photos displayed after an emergency security update.

Patching in 2024

In late 2024, people are being offered a choice of features versus security. (02 Nov 2024)

Appsec Roundup - Oct 2024

If you say liability three times, it appears! (30 Oct 2024)

OWASP Board 2024

Time to vote for OWASP leadership (15 Oct 2024)

Appsec Roundup - September 2024

If you say threat modeling three times, it appears! (25 Sep 2024)

Secure Boot and Liability

Secure boot presents questions that should inform the liability conversation (17 Sep 2024)

Appsec Roundup - August 2024

The most important stories around threat modeling, appsec and secure by design for August, 2024. (02 Sep 2024)

Secure Boot and Secure by Design

The failure to secure boot keys should be a bigger deal. (22 Aug 2024)

Appsec Roundup - July 2024

The most important stories around threat modeling, appsec and secure by design for June, 2024. (02 Aug 2024)

Appsec Roundup - June 2024

The most important stories around threat modeling, appsec and secure by design for June, 2024. (10 Jul 2024)

Scale to Zero

Adam on the Scale to Zero podcast (12 Jun 2024)

William Anders

Commemorating William Anders (08 Jun 2024)

Security Engineering roundup - May 2024

The most important stories around threat modeling, appsec and secure by design for May, 2024. (30 May 2024)

a cow is riding on the back of a horse. The cow is dressed as a cowboy with a hat and a lasso, and she is rounding up robots. there are lots of robots scuttling around

Secure by Design roundup - April 2024

A less busy month in appsec, AI, and regulation, but still interesting stories (08 May 2024)

Characters from Harry Potter pointing their wands at C3-P0

Eternal sunshine of the spotless LLM

Making an LLM forget is harder than it seems (21 Apr 2024)

Secure by Design roundup - March 2024

A busy month in appsec, AI, and regulation. (29 Mar 2024)

A Victorian factory with managers spending time on a complex risk management practice.

The NVD Crisis

The NVD is in crisis, and so is patch management. It’s time to modernize. (25 Mar 2024)

Application and AI roundup - Feb 2024

A busy month in appsec, AI, and regulation. (05 Mar 2024)

a modern paper on a desk. it's a few pages long, and is in 12 point times roman font, double spaced and with lots of complex blue book citations in the text. The content of the text is a disciplinary hearing for a lawyer. The text is wierdly distorted, and the edges show signs of hallucination

Solving Hallucinations

Solving hallucinations in legal briefs is playing on easy mode —— and still too hard (23 Feb 2024)

Application and AI roundup - Jan 2024

A busy month+ in appsec, AI, and regulation. (29 Jan 2024)

CSRB Senate Hearing

Comments following the Senate’s CSRB hearing (19 Jan 2024)

Threat Modeling Capabilities Released

A great new resource for threat modeling (12 Jan 2024)

The State of Appsec in 2024

2024 is bringing lots of AI, and Liability, too (02 Jan 2024)

Application and AI roundup - November

A threat modeling conference, lots of government appsec guidance, and some updates from Shostack + Associates (30 Nov 2023)

A diagram showing a camera, storage, photoshop and validation. The camera and photoshop are in boundaries

C2PA Threat Modeling

What can we learn from the C2PA security considerations document? (29 Nov 2023)

Threat Modeling Thursday: Thanksgiving

What can we learn from Gunnar Peterson’s Threat Model for Thanksgiving? (23 Nov 2023)

Application and AI roundup - October

Exciting news from the SEC, lots of AI, and lots of threat modeling. (09 Nov 2023)

Image by Midjourney, “stone tablets displayed on tall pedastals under spotlight in a museum, professor giving a lecture. The room is brightly lit with sunlight streaming in.”

Security Principles in 2023

Principles are lovely, but do they lead us to actionable results? (27 Oct 2023)

Application and AI roundup - September

September was a big month in appsec for both memory safety and policy (04 Oct 2023)

The title of the FDA's new guidance, 'Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions'

FDA Final Cyber Guidance is out

The FDA has released their new guidance, which will be broadly impactful. (26 Sep 2023)

An AI generated image of a bright watercolor of storm clouds passing over a corporate campus, filled with low square concrete buildings. All are surrounded by well manicured lawns. In the background is the iconic arecebo radio telescope

Comparing Retrospectives

We can learn a lot from comparing retrospectives (19 Sep 2023)

Application and AI roundup - August

Lots of interesting work in LLMs (again) (30 Aug 2023)

Microsoft Can Fix Ransomware Tomorrow

My latest at Dark Reading draws attention to how Microsoft can fix ransomware tomorrow. (05 Jul 2023)

AI will be the high interest credit card of 2023

(16 Jun 2023)

A movie still of Sarah Connor from Terminator 2, saying ‘The Future is not set, there is no fate but what we make’

AppSecPNW 2023

Adam's AppSecPNW 2023 keynote (12 Jun 2023)

Phishing Defenses

Phishing behaviors, as observed in the wild. (07 Jun 2023)

Application and AI roundup - May

This month runs quite heavy on AI, but the CISA Safe by Design and Default document is going to be important for the next several years. (30 May 2023)

A small council meets to review an incident in a well lit room in Rivendell

The Cyber Safety Review Board Should Investigate Major Historical Incidents

Tarah Wheeler and Adam write in CFR (25 May 2023)

Layoffs in Responsible AI Teams

Some inferences from layoffs in responsible AI teams (21 Apr 2023)

People holding the threats book and smiling

Threats Book News and Updates for April

Book signings at RSA, big discounts and more! (19 Apr 2023)

Reflecting on Threats: The Frame

Reflecting on the framing of the Threats book (10 Apr 2023)

Application Security Roundup - March

A few tools, some thoughts on injection, some standards, and some of Adam’s appsec news. (05 Apr 2023)

A screencapture from Star Wars, the first time we hear Darth Vader speak

My David Prouse Moment

Searching my feelings as the audiobook of Threats is released. (17 Mar 2023)

Application Security Roundup - Feb

This month is all about memory safety, unless you’re a standards group. (27 Feb 2023)

The cover of the Jan 2023 IEEE Security magazine

Usable Security and Privacy for Engineers

The new IEEE S+P is all about usable security. (09 Feb 2023)

An AI generated image with a watermark of dreamtime

Watermarks

Watermarks show us wierd edges of AI work (03 Feb 2023)

Application Security Roundup - January

So many interesting articles from AI to an organizatoion of socio-technical harms, fascinating incident reports about Uber and Circle CI and some history of attack trees. (30 Jan 2023)

The Hacker Mind

Adam spoke with Robert Vamosi of The Hacker Mind podcast (27 Jan 2023)

Not all developers can be Jedi

Adam joined Paul Roberts on the Conversing Labs podcast (23 Jan 2023)

An amazon screencapture showing threats as the #1 new release in Computer Network Security, and delivering overnight

Threats, To The Supply Chain

The threats book is in the supply chain, inconsistently. (22 Jan 2023)

Adam playing with a T-16 in the book's launch poster

Threats Book Launch Party

The live launch party for Threats! (19 Jan 2023)

A stack of copies of threats: what every engineer should learn from star wars

Threats Book is Complete

The serious side of the book (17 Jan 2023)

Threat Modeling is Measure Twice, Cut Once

Threat Modeling is the software version of measure twice, cut once. (12 Jan 2023)

a fuzzy landscape with people reading a map

The Appsec Landscape in 2023

External changes will be driving appsec in 2023. It’s time to frame the decisions in front of you. (05 Jan 2023)

Threat Model Thursday: curl

Looking at a threat model for curl, the command line web client. (29 Dec 2022)

Fast, Cheap and Good, Redux

A new paper on how fast, cheap and good can combine into something we usually discount. (28 Dec 2022)

A podcast user interface, showing a 40 minute episode, Threat Modeling for UX Designers with Adam Shostack

Human-Centered Security

Threat Modeling for UX Designers with Adam Shostack on Heidi Trost's podcast (14 Dec 2022)

GPT-3

The OpenAI chatbot is shockingly improved — its capabilities deserve attention. (09 Dec 2022)

The Threats book is complete

Threats is almost in bookstores (08 Dec 2022)

Application Security Roundup - October and Nov

Interesting reads this month include signals from the administration, a history of appsec by one of the originals, and a longread from Apple about kernel memory design. (30 Nov 2022)

Application Security Roundup - September

Interesting appsec posts: machine learning, performance, and C4 (30 Sep 2022)

Threat Modeling for Security Champs

Our next open course is in just a few weeks! (14 Sep 2022)

a person learning in a distributed course

Threat Modeling Training Announcements Fall, 2022

Our fall course offerings (06 Sep 2022)

Threats — The Cover

So excited to share the cover with you (19 Aug 2022)

Podcast: A Fully Trained Jedi

A fun podcast with the ITSP team. (02 Aug 2022)

Application Security Roundup - July

Interesting appsec posts: machine learning, performance, and C4 (30 Jul 2022)

Major Cyber Incidents Investigations

I'm thrilled this how to guide for standing up new investigations is available. (19 Jul 2022)

The cover from the CSRBs inaugural report.

Congratulations to the CSRB!

I'm thrilled the first CSRB report is available. (14 Jul 2022)

Application Security Roundup - June

Interesting appsec posts: from medical devices to bridges. (28 Jun 2022)

Application Security Roundup - May

A collection of interesting appsec posts. (12 May 2022)

Document title: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff

FDA Draft Premarket Guidance

The FDA has issued draft guidance for pre-market security (08 Apr 2022)

A whitepaper cover page, with the title fast, cheap and good: an unusual tradeoff available in threat modeling

Fast, Cheap + Good Whitepaper

Threat modeling doesn't need to be a slow, heavyweight activity! (15 Dec 2021)

screenshot from video: threat modeling webinar

Medical Device Threat Modeling Webinar

An important webinar by MDIC about the medical device threat modeling playbook is now available! (21 Nov 2021)

screenshot from video: breaking into threat modeling

25 Years of Appsec - Appsec Global

Adam is delivering the opening keynote for OWASP Global Appsec 2021 with a 25 year restrospective on the history of appsec and a look into its future. (11 Nov 2021)

NIST Brings Threat Modeling into the Spotlight

New at Darkreading, a post on NIST and threat modeling (23 Sep 2021)

Training discounts!

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have a discount code for upcoming threat modeling training that can help! (02 Sep 2021)

Training - October

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have upcoming threat modeling training that can help! (16 Aug 2021)

multiple individuals using laptops on a shared desk

25 Years in AppSec: Looking Back

Time flies and things change... A look back on the growth of this industry. (09 Aug 2021)

screenshot from NIST website referencing Executive Order 14028

Threat Model Thursday: NIST’s Code Verification Standard

Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and the what the standard means now and in the future. (15 Jul 2021)

Ransomware is Not the Problem

Arbitrarily powerful software -- applications, operating systems -- is a problem, as is preventing it from running on enterprise systems. (09 Jun 2021)

Pacific Northwest Appsec Conference

AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria. (14 May 2021)

IoT Security & Threat Modeling

Expanding on the UK Government's ‘The Uk Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling. (22 Apr 2021)

Mmmm, Pandemic Puppies

(24 Mar 2021)

Irius Risk & Gary McGraw

Dr. Gary McGraw joins the IriusRisk Technical Advisory Board (26 Jan 2021)

microscopic rendering of a COVID-19 spike protein

Vaccines

You may have noticed that my end of the year posts are all science focused. Today, a set of resources on the COVID vaccines. (28 Dec 2020)

Breaking Encryption Myths (EU Commission on Encryption)

Speaking up (22 Nov 2020)

Training: Threat Modeling for Security Champions

Expanding on our distributed class structure. (07 Oct 2020)

The Jenga View of Threat Modeling

I'm happy to announce Shostack + Associate's new, first, corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often. (16 Jun 2020)

Sonatype Report on DevSecOps

The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness. (12 Jun 2020)

'Best Practices for IoT Security'

There's an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? by Christopher Bellman and Paul C. van Oorschot. (08 Jun 2020)

Code: science and production

Phil Bull presents an interesting, generally convincing, argument in 'Why you can ignore reviews of scientific code by commercial software developers', with a couple of exceptions. (26 May 2020)

SDL Article in CACM

Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works. (11 May 2020)

Answering 'What Are We Working On' When Remote

How do we replace the in-person whiteboard sessions essential to Threat Modeling when we are distanced and working remotely? (30 Mar 2020)

Wide view of in-person threat modeling training with Adam Shostack at the whiteboards

Medical Device Threat Modeling

New training being developed, seeking interest. (26 Mar 2020)

amazon alexa units wearing dark glasses and black fedoras

Amazon's 'Alexa Built-in' Threat Model

Exploring supply chain threat modeling with Alexa (05 Mar 2020)

Threat Modeling Training at Blackhat 2020

At Blackhat this summer, I'll be offering threat modeling training at Blackhat. Last year, these sold out quickly, so don't wait! (02 Mar 2020)

Threat Model Thursday: BIML Machine Learning Risk Framework

Risk Framework and Machine Learning (27 Feb 2020)

Repudiation Now Live on Linkedin Learning

My course, “Repudiation in Depth” is now live on Linkedin Learning. This is the fourth course in my Learning Threat Modeling series. (11 Feb 2020)

graphic of magnifying glass in front of 3 filled and expanded file folders

Threat Model Thursday: Files

Have you considered the idea that “Files are Fraught With Peril” lately? Maybe you should... (23 Jan 2020)

Threat Modeling Thursday: Machine Learning

For my first blog post of 2020, I want to look at threat modeling machine learning systems. (02 Jan 2020)

screenshot of first page of paper cited in the post

Empirical Evaluation of Secure Development Processes

Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success. (07 Dec 2019)

close view of brightly-colored frosted cupcakes

Managed Attribution Threat Modeling

Let's talk CAKED, a threat model for managed attribution. (14 Nov 2019)

Medical Device Security Standards

Recently, I've seen four cybersecurity approaches for medical devices, and we can learn by juxtaposing them. (02 Nov 2019)

Includes No Dirt: Healthcare Threat Modeling (Thursday)

“Includes No Dirt” is a threat modeling approach by William Dogherty and Patrick Curry of Omada Health, and I've been meaning to write about it since it came out. (31 Oct 2019)

Interesting Reads: Risk, Automation, lessons and more!

Just what the title says. (15 Oct 2019)

Course announcement: Tampering in Depth!

I'm excited to announce that I'm hitting my STRIDE and Linkedin has released the second course in my in-depth exploration of STRIDE: Tampering. (10 Sep 2019)

banner for embedded systems security days, Nov 6-8, 2019

Training At Embedded Systems Security Days

I'm excited to be teaming up with Alpha Strike and Limes Security to deliver training in Vienna November 6-8. (15 Aug 2019)

Actionable Followups from the Capital One Breach

What have we learned and what steps can we take? (30 Jul 2019)

NIST on SDLs

Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) from NIST is open for comment. (11 Jul 2019)

Safety and Security in Automated Driving

Let’s explore the risks associated with Automated Driving. (08 Jul 2019)

The Road to Mediocrity

The road to mediocre writing is paved with over-simplification and distraction. (05 Jul 2019)

Threat Modeling as Code

Exploring threat models as code. (23 Jan 2019)

Structures, Engineering and Security

J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers. (07 Dec 2018)

CyberSecurity Hall of Fame

[no description provided] (06 Aug 2018)

CSO on AppSec at the Speed of Devops

[no description provided] (06 Aug 2018)

Games and Cards

[no description provided] (16 Jul 2018)

Conway's Law and Software Security

[no description provided] (06 Jun 2018)

The DREAD Pirates

[no description provided] (31 May 2018)

NTSB on Uber (Preliminary)

[no description provided] (25 May 2018)

multiple individuals collaborating over a laptop and paperwork

Threat Model Thursday: Talking, Dialogue and Review

As we head into RSA, I want to hold the technical TM Thursday post, and talk about how we talk to others in our organizations about particular threat models, and how we frame those conversations. (12 Apr 2018)