Shostack + Friends Blog


Introducing Magic Security Dust!

A package of magic security dust

Threat modeling is the measure once, cut twice of cybersecurity. Structured techniques help you understand the danger so you can create a focused defensive security strategy. But they’re expensive and slow!

Over the years, many people have told me that threat modeling really helps — once they get it up and running. But they hate having to collaborate with people. They hate having to trust them.

Once they get over those challenges, they worry about the time threat modeling takes, and they worry about challenges in delivering training and measuring execution and consistency. And they ask me to do something about these problems.

So we’ve created Magic Security Dust™ to meet the needs of the least discerning producers out there. Just sprinkle some on your products and tell people “Your security is important to us.”

Introducing Magic Security Dust

  • Relief for risk register pain
  • Quick and easy to apply
  • Compatible with legacy technology
  • SBOM Compatible (Cyclone DX 1.0)
  • FedRAMP non-compliant
  • PCI auditors will love you
  • Enhances 510K documentation
  • Used by every winner of the Tony award for security theater!

Available Now

You can buy inferior, knock-off Magic Security Dust™ from lots of places. The only place to get the very finest Magic Security Dust™ is from Agile Stationery.


The people in the video are fictitious. Any resemblance to actual persons (living or deceased), places, buildings, and products, processes or methodologies is coincidental. The opinions expressed are not representative of those of the performers or their employers.

Do not taunt magic security dust, it’s very emotionally immature and may replace all your code with PHP 4 that implements dynamic SQL and stores your passwords in an open S3 bucket.

Magic Security Dust™ does not work and isn’t even trademarked.