Shostack + Friends Blog

Posts in category “usability”

Learning from Troy Hunt’s Sneaky Phish

(05 Apr 2025)

Hoarding, Debt and Threat Modeling

The psychology of getting started threat modeling (30 Jan 2025)

Patching in 2024

In late 2024, people are being offered a choice of features versus security. (02 Nov 2024)

Phishing Defenses

Phishing behaviors, as observed in the wild. (07 Jun 2023)

Usable Security and Privacy for Engineers

The new IEEE S+P is all about usable security. (09 Feb 2023)

Fast, Cheap and Good, Redux

A new paper on how fast, cheap and good can combine into something we usually discount. (28 Dec 2022)

Authentic Thoughts About What Can Go Wrong

Threat modeling doesn't need to be big and complex (09 Jun 2022)

Fast, Cheap + Good Whitepaper

Threat modeling doesn't need to be a slow, heavyweight activity! (15 Dec 2021)

This is the blog you're looking for

Making it easier to check feed updates (24 Aug 2021)

Threat Model Thursday: Technology Consumers

“It depends on your threat model...” (29 Apr 2021)

Stencils and Sketch Books

Going beyond the whiteboard. (23 Nov 2020)

Elevation of Privilege In The Time of Cholera

How to play in person games while maintaining safe distances. (24 Aug 2020)

Better Taught Than Caught!

Informal training may work in some cases, but Threat Modeling skills should be passed on through more formal means. (18 Aug 2020)

Contextualisation of Data Flow Diagrams...

Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed. (09 Jun 2020)

Answering 'What Are We Working On' When Remote

How do we replace the in-person whiteboard sessions essential to Threat Modeling when we are distanced and working remotely? (30 Mar 2020)

Threat Modeling with Questionnaires

This post comes from a conversation I had on Linkedin with Clint Gibler. (19 Mar 2020)

Passwords Advice

Bruse Marshall has put together a useful comparison of password requirements from OWASP ASVS v3 and v4. (26 Jun 2019)

Polymorphic Warnings On My Mind

The more we see it, the more we ignore it. (29 May 2019)

Promoting Threat Modeling Work

Some thoughts on promoting others’ threat modeling work. (13 May 2019)

The White Box Essays (Book Review)

A resource for those developing games. (10 Apr 2019)

Incentives and Multifactor Authentication

What if we gamified security? (01 Feb 2019)

Pivots and Payloads

A new game from SANS for understanding pen test methodology, tactics, and tools. (17 Dec 2018)

John Harrison's Struggle Continues

[no description provided] (03 Apr 2018)

“The Readability Of Scientific Texts Is Decreasing Over Time”

[no description provided] (20 Sep 2017)

Interesting Monday Reads

Each of these is long and thought-provoking and worth savoring. (14 Aug 2017)

“Comparing the Usability of Cryptographic APIs”

[no description provided] (20 Jul 2017)

How Not to Design an Error Message

[no description provided] (20 Apr 2017)

People are The Weakest Link In Security?

[no description provided] (17 Apr 2017)

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The RSS feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.