What are we going to do: CO2 edition
What happened when Microsoft tried to buy climate abatements
We learn while we're having fun. Some takeaways from a recent play to learn session.
New at Darkreading, a post on NIST and threat modeling
The World's Shortest Threat Modeling Video series continues with ... what can go wrong?
Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have a discount code for upcoming threat modeling training that can help!
Let me call your attention to a new post by Irene Michlin, "Where Threat Modelling fits in the matrix?" (with a few comments on why it matters).
Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have upcoming threat modeling training that can help!
Many people want their threat modeling work to produce risk numbers, and in this post you'll learn why that's a mistake.
Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and what the standard means now and in the future.
It's the latest in the World's Shortest Threat Modeling videos!
The latest in the World's Shortest Threat Modeling Videos.
At Blackhat USA, I'll be teaching Applied Threat Modeling.
The second video in my 60 second series!
I'm exploring the concept of very fast threat modeling videos, and have posted the first one.
You know what's not in my threat model? A meteor hitting a volcano... And that's ok!
Threat model Thursday is not just back, but live again!
Apple has released (or I've just come across) a document Device and Data Access when Personal Safety is At Risk.
There's a new report out from the UK Government, The UK Code of Practice for Consumer IoT Security.
I get this question a lot: Can distributed/remote training work as well as in person? Especially for threat modeling, where there's a strong expectation that training involves whiteboards...
Developing a training program is hard, especially when it will be delivered remotely.
Through the pandemic, I’ve rebuilt the way I teach threat modeling. The new structure and the platforms I needed to adapt for my corporate clients also allows me to offer the courses to the public.
Bringing threat modeling to more and more people, now through a series of courses on LinkedIn.
Effective Threat Modeling by itself can ensure that your OKRs and AppSec Program are not only in great tactical shape, but also help define a strategic roadmap for your AppSec Program.
For Data Breach Today, I spoke with Anna Delaney about threat modeling for issues that are in the news right now.
I'm very excited that Gary McGraw is joining the Irius Risk Technical Advisory Board as board chair. Gary's a pioneer in software security, and his work in machine learning was my choice to kick off blogging 2020.
As we look at what's happened with the Russian attack on the US government and others via Solarwinds, I want to shine a spotlight on a lesson we can apply to threat modeling.
So far, so good.
Going beyond the whiteboard.
A diverse set of experts and advocates for threat modeling are releasing a threat modeling manifesto, modeled after the agile manifesto and focused on values and principles.
Expanding on our distributed class structure.
Compliance isn't Security, oh and something I wrote.
Don't skip this important step.
Inspired by the recent story of Tesla's insider, I'd like to discuss insider threat as it fits into threat modeling.
How to play in person games while maintaining safe distances.
Informal training may work in some cases, but Threat Modeling skills should be passed on through more formal means.
I have something to disclose...
A talk from the Biohacking Village at DefCon brought up a good point.
It will come as no surprise to regular readers of this blog that I prefer the written word to audio and video, but 2020 being 2020, I now have a YouTube Channel, with the first video below:
I enjoyed being a guest on Software Engineering Radio: Adam Shostack on Threat Modeling. It's a substantial, in depth interview, running nearly 80 minutes, and covering a wide variety of topics.
A recent talk by Alyssa Miller focuses on integrating threat modeling in devops.
My thoughts on an interesting blog post discussing how to bring threat modeling into the Scaled Agile Framework.
I'm happy to announce Shostack & Associates' new, first corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often.
Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed.
For Threat Model Thursday, I want to look at models and modeling in a tremendously high-stakes space: COVID models.
Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works.
This week's threat model Thursday looks at an academic paper, Security Threat Modeling: Are Data Flow Diagrams Enough? by Laurens Sion and colleagues.
On Linkedin, Peter Dowdall had a very important response to my post on remote threat modeling.
How do we replace the in-person whiteboard sessions essential to Threat Modeling when we are distanced and working remotely?
New training being developed, seeking interest.
This post comes from a conversation I had on Linkedin with Clint Gibler.
While I can't fix things, I can at least make my LinkedIn courses free for a time.
Exploring supply chain threat modeling with Alexa
At Blackhat this summer, I'll be offering threat modeling training. Last year, these classes sold out quickly, so don't wait!
Risk Framework and Machine Learning
My course, 'Repudiation in Depth' is now live on Linkedin Learning. This is the fourth course in my Learning Threat Modeling series.
For reasons I can't quite talk about yet, this has been a super busy time, and I look forward to sharing the exciting developments that have kept me occupied.
There's a fascinating talk by Dan Luu, "Files are Fraught With Peril." The talk itself is fascinating, in a horrifying, nothing works, we're going to give up and raise goats now sort of way.
Today's Threat Modeling Thursday is a podcast! I'm on The Humans of InfoSec Podcast, with Caroline Wong: The Human Element of Threat Modeling.
Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success.
Let's talk CAKED, a threat model for managed attribution.
Swim lane diagrams have been formalized in message sequence charts - what that means.
Recently, I've seen four cybersecurity approaches for medical devices, and we can learn by juxtaposing them.
'Includes No Dirt' is a threat modeling approach by William Dogherty and Patrick Curry of Omada Health, and I've been meaning to write about it since it came out.
Don't go into Threat Modeling with this mindset.
Just what the title says.
Just a few things for now
I recently had a chance to speak at the meeting for the Portland, Oregon chapter of OWASP.
I'm excited to announce that I'm hitting my STRIDE and Linkedin has released the second course in my in-depth exploration of STRIDE: Tampering.
Threat modeling isn't one task: it's a collection of tasks that build on each other to produce more valuable insights.
I'm excited to be teaming up with Alpha Strike and Limes Security to deliver training in Vienna November 6-8. Details are available at Embedded Systems Security Days.
Discussing online conflict on the AppSec Podcast
Let's explore the risks associated with Automated Driving.
Some thoughts on promoting others' threat modeling work.
There are a couple of new, short (4-page), interesting papers from a team at KU Leuven including:
Top 3, from Continuum
Has it been that long already?
RSA has posted a video of my talk, “Threat Modeling in 2019”
My talks from AppSecCali 2019
I'm quite happy to say that my next Linkedin Learning course has launched! This one is all about spoofing.
When suggesting that someone needs more training, consider what specific points should be covered.
Almost 5 years after release, I'm looking for a few more Amazon reviews.
What comes easily should still be taught and elaborated upon.
Reasons for failure in real-world security
Omer Levi Hevroni has a very interesting post exploring ways to represent threat models as code.
My Linkedin Learning course is getting really strong positive feedback. Today, I want to peel back the cover a bit, and talk about how it came to be.
I’m excited to be able to share “Announcement: IriusRisk Threat Modeling Platform 2.0 Released.”
For the last few years, I've been delivering in-person threat modeling training. I've trained groups ranging from 2 to 100 people at a time, and I've done classes as short as a few hours and as long as a week.
As we head into RSA, I want to hold the technical TM Thursday post, and talk about how we talk to others in our organizations about particular threat models, and how we frame those conversations.
There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. Most readers should, at most, skim their analysis of the perpetrators. Read on for why.