Shostack + Friends Blog

In late 2024, people are being offered a choice of features versus security. (02 Nov 2024)

Phishing behaviors, as observed in the wild. (07 Jun 2023)

The new IEEE S+P is all about usable security. (09 Feb 2023)

A new paper on how fast, cheap and good can combine into something we usually discount. (28 Dec 2022)

Usable security matters (21 Dec 2022)

Threat modeling doesn't need to be big and complex (09 Jun 2022)

Threat modeling doesn't need to be a slow, heavyweight activity! (15 Dec 2021)

Making it easier to check feed updates (24 Aug 2021)

“It depends on your threat model...” (29 Apr 2021)

Going beyond the whiteboard. (23 Nov 2020)

How to play in person games while maintaining safe distances. (24 Aug 2020)

Informal training may work in some cases, but Threat Modeling skills should be passed on through more formal means. (18 Aug 2020)

Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed. (09 Jun 2020)

How do we replace the in-person whiteboard sessions essential to Threat Modeling when we are distanced and working remotely? (30 Mar 2020)

This post comes from a conversation I had on Linkedin with Clint Gibler. (19 Mar 2020)

Bruse Marshall has put together a useful comparison of password requirements from OWASP ASVS v3 and v4. (26 Jun 2019)

The more we see it, the more we ignore it. (29 May 2019)

Some thoughts on promoting others’ threat modeling work. (13 May 2019)

A resource for those developing games. (10 Apr 2019)

What if we gamified security? (01 Feb 2019)

A new game from SANS for understanding pen test methodology, tactics, and tools. (17 Dec 2018)

[no description provided] (03 Apr 2018)

[no description provided] (19 Feb 2018)

[no description provided] (20 Sep 2017)

Each of these is long and thought-provoking and worth savoring. (14 Aug 2017)

[no description provided] (20 Jul 2017)

[no description provided] (20 Apr 2017)

[no description provided] (17 Apr 2017)