Shostack + Friends Blog


Posts in category "threat modeling"

A screencapture of the book's cover.

Red Teaming

Red Teaming by Bryce Hoffman is a thought-provoking read.

A set of cards with threats like our deployment artifacts contain secrets that can be extracted


Cumulus is a cloud-oriented version of Elevation of Privilege

The Grimes model of scams

The Grimes Model of Scams

Roger Grimes has an exciting new model of scams that's going to transform how we teach people ot defend against them.


What can go wrong?

The World's Shortest Threat Modeling Video series continues with .. what can go wrong?

An exhausted young man

Training discounts!

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have a discount code for upcoming threat modeling training that can help!

An exhausted young man

Training - October

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have upcoming threat modeling training that can help!

screenshot from NIST website referencing Executive Order 14028

Threat Model Thursday: NIST’s Code Verification Standard

Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and the what the standard means now and in the future.


IoT Security & Threat Modeling

Expanding on the UK Government's ‘The Uk Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling.

groups of children sitting at tables, coloring, in a classroom setting

Can Training Work Remotely?

I get this question a lot: Can distributed/remote training work as well as in person? Especially for threat modeling, where there's a strong expectation that training involves whiteboards...

group of professionals reviewing threat model diagrams on window-cling whiteboards in a city office

Threat Modeling Classes

Through the pandemic, I’ve rebuilt the way I teach threat modeling. The new structure and the platforms I needed to adapt for my corporate clients also allows me to offer the courses to the public.

headphones, Threat Modeling book, and mug on a desk with a screen snippet overlay of the Denial of Service and Elevation of Privilege course on LinkedIn

Linkedin Learning

Bringing threat modeling to more and more people, now through a series of courses on LinkedIn.

OKR in Threat Modeling

Better OKRs Through Threat Modeling

Effective Threat Modeling by itself can ensure that your OKRs and AppSec Program are not only in great tactical shape, but also help define a strategic roadmap for your AppSec Program.

File folders with the focus on one labeled Assets

The Asset Trap

As we look at what's happened with the Russian attack on the US government and others via Solarwinds, I want to shine a spotlight on a lesson we can apply to threat modeling.


A Threat Modeling Manifesto

A diverse set of experts and advocates for threat modeling are releasing a threat modeling manifesto, modeled after the agile manifesto and focused on values and principles.

adult male teaching young child to fish at the beach

Better Taught Than Caught!

Informal training may work in some cases, but Threat Modeling skills should be passed on through more formal means.


Video Series

Not usually one for the video format, I'm expanding my horizons thanks to 2020 being what it is.

cover of white paper: The Jenga View of Threat Modeling

The Jenga View of Threat Modeling

I'm happy to announce Shostack + Associate's new, first, corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often.


SDL Article in CACM

Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works.


Threat Model Thursday: Games

For reasons I can't quite talk about yet, this has been a super busy time, and I look forward to sharing the exciting developments that have kept me occupied.

small pile of legos in various shapes

Threat Modeling Building Blocks

Threat modeling isn’t one task — its a collection of tasks that build on each other to produce more valuable insights.

testing building blocks of threat modeling

Testing Building Blocks

There are a couple of new, short (4-page), interesting papers from a team at KU Leuven discussin the building blocks of threat modeling.

screencap of Adam in new LinkedIn Learning course

Spoofing In Depth

I'm quite happy to say that my next Linkedin Learning course has launched! This one is all about spoofing.

Cover of my book, Threat Modeling: Designing for Security

55 5 ⭐ Reviews?

Almost 5 years after release, I'm looking for a few more Amazon reviews.

Behind the scenes taping a LinkedIn Learning video

LinkedIn Learning: Producing a Video

My Linkedin Learning course is getting really strong positive feedback. Today, I want to peel back the cover a bit, and talk about how it came to be.


IriusRisk 2.0

I’m excited to be able to share “Announcement: IriusRisk Threat Modeling Platform 2.0 Released.”

Threat Modeling Training video with Adam Shostack

Scaling Threat Modeling Training

For the last few years, I've been delivering in-person threat modeling training. I've trained groups ranging from 2 to 100 people at a time, and I've done classes as short as a few hours and as long as a week.


Open for Business

Recently, I was talking to a friend who wasn't aware that I'm consulting, and so I wanted to share a bit about my new life, consulting!


Modeling Attackers and Their Motives

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. Most readers should, at most, skim their analysis of the perpetrators. Read on for why.