Shostack + Friends Blog

Why do we call them trust boundaries, anyway? (06 Nov 2024)

Our newest course: Scaling Threat Modeling (22 Oct 2024)

Threat model Thursday, let's dive deep into a detailed approach to using ATT&CK (17 Oct 2024)

Scaling threat modeling can be a challenge! (10 Oct 2024)

Threatmodcon was amazing (03 Oct 2024)

Our biggest sale ever ends today! (30 Sep 2024)

Our biggest sale ever! (11 Sep 2024)

Office hours are one way we strive to deliver a great training experience. (14 Aug 2024)

My talk from ThreatModCon Lisbon 2024 (03 Jul 2024)

How to effectively threat model authentication. (11 Jun 2024)

Authentication is more frustrating to your customers when you don’t threat model. (04 Jun 2024)

The early bird pricing for my Blackhat training expires this Friday (21 May 2024)

How can we think about non-standard symbols in threat modeling diagrams? (16 May 2024)

Adam on Enterprise Security Weekly podcast (27 Apr 2024)

How we leverage a platform for great training (16 Apr 2024)

Adam on Healthcare Info Security podcast (07 Apr 2024)

Exploring LLM-driven coding as I get ready for Archimedes (21 Mar 2024)

We have an awesome new white paper available! (20 Mar 2024)

Submit your papers for ThreatModCon 2024 now! (21 Feb 2024)

Threats is available in Italian! (14 Feb 2024)

Adam on The Security Table podcast (07 Feb 2024)

Thoughts on my instructional journey - and what yours might be (06 Feb 2024)

Red Teaming by Bryce Hoffman is a thought-provoking read. (21 Jan 2024)

A great new resource for threat modeling (12 Jan 2024)

(no description available) (15 Dec 2023)

What can we learn from the C2PA security considerations document? (29 Nov 2023)

September was a big month in appsec for both memory safety and policy (04 Oct 2023)

Seats are available in our October training (14 Sep 2023)

Our feedback to CISA is now public (19 Jul 2023)

Some diagrams to help clarify machine learning threats (13 Apr 2023)

Cumulus is a cloud-oriented version of Elevation of Privilege (06 Apr 2023)

NCC has released a threat model for Google Cloud Platform. What can it teach us? (01 Mar 2023)

The threats book is in the supply chain, inconsistently. (22 Jan 2023)

The live launch party for Threats! (19 Jan 2023)

The serious side of the book (17 Jan 2023)

Like the Force, each threat has a light side, and a dark side. (16 Jan 2023)

Threat Modeling is the software version of measure twice, cut once. (12 Jan 2023)

External changes will be driving appsec in 2023. It’s time to frame the decisions in front of you. (05 Jan 2023)

A new paper on how fast, cheap and good can combine into something we usually discount. (28 Dec 2022)

More thoughts about AI and threat modeling (25 Dec 2022)

Pointer to Adam’s latest Darkreading article (22 Dec 2022)

Threat Modeling for UX Designers with Adam Shostack on Heidi Trost's podcast (14 Dec 2022)

Threats is almost in bookstores (08 Dec 2022)

A Miro template for Elevation of Privilege (10 Nov 2022)

Oh my gosh, the boot camps are back! (01 Nov 2022)

Our next open course is in just a few weeks! (14 Sep 2022)

Our fall course offerings (06 Sep 2022)

So excited to share the cover with you (19 Aug 2022)

Threat modeling doesn't need to be big and complex (09 Jun 2022)

Adam joined Matt Tesauro on the OWASP podcast (31 May 2022)

Roger Grimes has an exciting new model of scams that's going to transform how we teach people ot defend against them. (31 Mar 2022)

You don’t have to be technical, but you can’t make informed decisions about your business without threat modeling. (18 Mar 2022)

Using games to help us explore engineering techniques (15 Mar 2022)

Understanding how to choose the right threat modeling training can give you the education you want for the skills you need. (18 Feb 2022)

Adam on #WeHackPurple podcast (22 Jan 2022)

Holy cow, we’ve added new cards to Elevation of Privilege! (20 Jan 2022)

Open threat modeling training, Q1 2022 (13 Jan 2022)

Threat modeling doesn't need to be a slow, heavyweight activity! (15 Dec 2021)

How to threat model medical devices? The FDA has released a playbook! (30 Nov 2021)

An important webinar by MDIC about the medical device threat modeling playbook is now available! (21 Nov 2021)

A video interview by OWASP leader Vandana Verma, on the topic of breaking into threat modeling. (01 Nov 2021)

Tremendous training opportunities in threat modeling and other topics at Appsec Global 2021 (20 Oct 2021)

What happened when Microsoft tried to buy climate abatements (05 Oct 2021)

We learn while we're having fun. Some takeaways from a recent play to learn session. (28 Sep 2021)

New at Darkreading, a post on NIST and threat modeling (23 Sep 2021)

The World's Shortest Threat Modeling Video series continues with .. what can go wrong? (10 Sep 2021)

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have a discount code for upcoming threat modeling training that can help! (02 Sep 2021)

Let me call your attention to a new post by Irene Michlin, “Where Threat Modelling fits in the matrix?” (with a few comments on why it matters). (20 Aug 2021)

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have upcoming threat modeling training that can help! (16 Aug 2021)

Many people want their threat modeling work to produce risk numbers, and in this post you'll learn why that's a mistake. (27 Jul 2021)

Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and the what the standard means now and in the future. (15 Jul 2021)

It's the latest in the World's Shortest Threat Modeling videos! (13 Jul 2021)

The latest in the World's Shortest Threat Modeling Videos. (07 Jul 2021)

At Blackhat USA, I'll be teaching Applied Threat Modeling. (28 Jun 2021)

The second video in my 60 second series! (23 Jun 2021)

I'm exploring the concept of very fast threat modeling videos. (17 Jun 2021)

You know what's not in my threat model? A meteor hitting a volcano... And that's ok! (15 Jun 2021)

Threat model Thursday is not just back, but live again! (20 May 2021)

Apple has released ‘Device and Data Access when Personal Safety is At Risk’ and I wanted to explore it a bit. (06 May 2021)

Expanding on the UK Government's ‘The Uk Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling. (22 Apr 2021)

I get this question a lot: Can distributed/remote training work as well as in person? Especially for threat modeling, where there's a strong expectation that training involves whiteboards... (13 Apr 2021)

Developing a training program is hard, especially when it will be delivered remotely. (06 Apr 2021)

Through the pandemic, I’ve rebuilt the way I teach threat modeling. The new structure and the platforms I needed to adapt for my corporate clients also allows me to offer the courses to the public. (30 Mar 2021)

Bringing threat modeling to more and more people, now through a series of courses on LinkedIn. (23 Feb 2021)

Effective Threat Modeling by itself can ensure that your OKRs and AppSec Program are not only in great tactical shape, but also help define a strategic roadmap for your AppSec Program. (15 Feb 2021)

For Data Breach Today, I spoke with Anna Delaney about threat modeling for issues that are in the news right now. (28 Jan 2021)

Dr. Gary McGraw joins the IriusRisk Technical Advisory Board (26 Jan 2021)

As we look at what's happened with the Russian attack on the US government and others via Solarwinds, I want to shine a spotlight on a lesson we can apply to threat modeling. (16 Dec 2020)

So far, so good. (15 Dec 2020)

Going beyond the whiteboard. (23 Nov 2020)

A diverse set of experts and advocates for threat modeling are releasing a threat modeling manifesto, modeled after the agile manifesto and focused on values and principles. (17 Nov 2020)

Expanding on our distributed class structure. (07 Oct 2020)

Compliance isn't Security, oh and something I wrote. (24 Sep 2020)

Don't skip this important step. (17 Sep 2020)

Inspired by the recent story of Tesla's insider, I'd like to discuss insider threat as it fits into threat modeling. (10 Sep 2020)

How to play in person games while maintaining safe distances. (24 Aug 2020)

Informal training may work in some cases, but Threat Modeling skills should be passed on through more formal means. (18 Aug 2020)

I have something to disclose... (14 Aug 2020)

A talk from the Biohacking Village at DefCon brought up a good point. (12 Aug 2020)

Not usually one for the video format, I'm expanding my horizons thanks to 2020 being what it is. (21 Jul 2020)

I enjoyed being a guest on Software Engineering Radio in this in depth interview. (15 Jul 2020)

A recent talk by Alyssa Miller focuses on integrating threat modeling in devops. (02 Jul 2020)

My thoughts on an interesting blog post discussing how to bring threat modeling into the Scaled Agile Framework. (30 Jun 2020)

I'm happy to announce Shostack + Associate's new, first, corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often. (16 Jun 2020)

Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed. (09 Jun 2020)

For Threat Model Thursday, I want to look at models and modeling in a tremendously high-stakes space: COVID models. (14 May 2020)

Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works. (11 May 2020)

This week's threat model Thursday looks at an academic paper, Security Threat Modeling: Are Data Flow Diagrams Enough? by Laurens Sion and colleagues. (23 Apr 2020)

On Linkedin, Peter Dowdall had a very important response to my post on remote threat modeling. (02 Apr 2020)

How do we replace the in-person whiteboard sessions essential to Threat Modeling when we are distanced and working remotely? (30 Mar 2020)

New training being developed, seeking interest. (26 Mar 2020)

This post comes from a conversation I had on Linkedin with Clint Gibler. (19 Mar 2020)

While I can't fix things, I can at least make my LinkedIn courses free for a time. (17 Mar 2020)

Exploring supply chain threat modeling with Alexa (05 Mar 2020)

At Blackhat this summer, I'll be offering threat modeling training at Blackhat. Last year, these sold out quickly, so don't wait! (02 Mar 2020)

Risk Framework and Machine Learning (27 Feb 2020)

My course, “Repudiation in Depth” is now live on Linkedin Learning. This is the fourth course in my Learning Threat Modeling series. (11 Feb 2020)

For reasons I can't quite talk about yet, this has been a super busy time, and I look forward to sharing the exciting developments that have kept me occupied. (06 Feb 2020)

Have you considered the idea that “Files are Fraught With Peril” lately? Maybe you should... (23 Jan 2020)

I joined Caroline Wong on the Humans of Infosec Podcast to discuss The Human Element of Threat Modeling. (09 Jan 2020)

Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success. (07 Dec 2019)

Let's talk CAKED, a threat model for managed attribution. (14 Nov 2019)

Swim lane diagrams have been formalized in message sequence charts - what that means. (06 Nov 2019)

Recently, I've seen four cybersecurity approaches for medical devices, and we can learn by juxtaposing them. (02 Nov 2019)

“Includes No Dirt” is a threat modeling approach by William Dogherty and Patrick Curry of Omada Health, and I've been meaning to write about it since it came out. (31 Oct 2019)

Don't go into Threat Modeling with this mindset. (23 Oct 2019)

Just what the title says. (15 Oct 2019)

Just a few things for now (09 Oct 2019)

I recently had a chance to speak at the meeting for the Portland, Oregon chapter of OWASP (02 Oct 2019)

I'm excited to announce that I'm hitting my STRIDE and Linkedin has released the second course in my in-depth exploration of STRIDE: Tampering. (10 Sep 2019)

Threat modeling isn’t one task — its a collection of tasks that build on each other to produce more valuable insights. (04 Sep 2019)

I'm excited to be teaming up with Alpha Strike and Limes Security to deliver training in Vienna November 6-8. (15 Aug 2019)

Discussing online conflict on the AppSec Podcast (12 Jul 2019)

Let’s explore the risks associated with Automated Driving. (08 Jul 2019)

Some thoughts on promoting others’ threat modeling work. (13 May 2019)

There are a couple of new, short (4-page), interesting papers from a team at KU Leuven discussin the building blocks of threat modeling. (07 May 2019)

Top 3, from Continuum (24 Apr 2019)

Has it been that long already? (01 Apr 2019)

RSA has posted a video of my talk, “Threat Modeling in 2019”. (19 Mar 2019)

My talks from AppSecCali 2019 (13 Mar 2019)

I'm quite happy to say that my next Linkedin Learning course has launched! This one is all about spoofing. (28 Feb 2019)

When suggesting that someone needs more training, consider what specific points should be covered. (24 Feb 2019)

Almost 5 years after release, I'm looking for a few more Amazon reviews. (14 Feb 2019)

What comes easily should still be taught and elaborated upon. (06 Feb 2019)

Reasons for failure in real-world security (31 Jan 2019)

Exploring threat models as code. (23 Jan 2019)

My Linkedin Learning course is getting really strong positive feedback. Today, I want to peel back the cover a bit, and talk about how it came to be. (10 Jan 2019)

I’m excited to be able to share “Announcement: IriusRisk Threat Modeling Platform 2.0 Released.” (10 Jan 2019)

For the last few years, I've been delivering in-person threat modeling training. I've trained groups ranging from 2 to 100 people at a time, and I've done classes as short as a few hours and as long as a week. (02 Jan 2019)

Check out my talk from Blackhat 2018 (15 Nov 2018)

Another podcast, another chance to talk about Threat Modeling (29 Oct 2018)

An extended version of Elevation of Privilege, now with Privacy. (17 Oct 2018)

[no description provided] (14 Sep 2018)

[no description provided] (23 Aug 2018)

The slides from my Blackhat talk are now available. (13 Aug 2018)

[no description provided] (26 Jul 2018)

[no description provided] (05 Jul 2018)

[no description provided] (28 Jun 2018)

Understanding Google's Post-Spectre threat model (14 Jun 2018)

[no description provided] (11 Jun 2018)

[no description provided] (31 May 2018)

[no description provided] (21 May 2018)

[no description provided] (15 May 2018)

[no description provided] (23 Apr 2018)

[no description provided] (19 Apr 2018)

As we head into RSA, I want to hold the technical TM Thursday post, and talk about how we talk to others in our organizations about particular threat models, and how we frame those conversations. (12 Apr 2018)

[no description provided] (10 Apr 2018)

[no description provided] (05 Apr 2018)

[no description provided] (29 Mar 2018)

[no description provided] (27 Mar 2018)

[no description provided] (22 Mar 2018)

[no description provided] (20 Mar 2018)

[no description provided] (15 Mar 2018)

[no description provided] (14 Mar 2018)

[no description provided] (08 Mar 2018)

[no description provided] (22 Feb 2018)

[no description provided] (30 Jan 2018)

[no description provided] (30 Jan 2018)

[no description provided] (23 Jan 2018)

[no description provided] (28 Dec 2017)

[no description provided] (20 Nov 2017)

[no description provided] (05 Nov 2017)

[no description provided] (29 Oct 2017)

[no description provided] (20 Oct 2017)

[no description provided] (18 Sep 2017)

[no description provided] (14 Sep 2017)

Recently, I was talking to a friend who wasn't aware that I'm consulting, and so I wanted to share a bit about my new life, consulting! (07 Sep 2017)

[no description provided] (01 Sep 2017)

[no description provided] (29 Aug 2017)

[no description provided] (08 Aug 2017)

[no description provided] (17 Jul 2017)

[no description provided] (13 Jul 2017)

[no description provided] (Invalid DateTime)

[no description provided] (10 Jul 2017)

[no description provided] (06 Jul 2017)

[no description provided] (22 Jun 2017)

[no description provided] (06 Jun 2017)

[no description provided] (23 May 2017)

[no description provided] (08 May 2017)

[no description provided] (04 May 2017)

[no description provided] (01 May 2017)

[no description provided] (17 Apr 2017)

[no description provided] (03 Mar 2017)

Everyone complains about security, but no one ever... sets boundaries (18 Feb 2017)

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. Most readers should, at most, skim their analysis of the perpetrators. Read on for why. (11 Nov 2014)