Shostack + Friends Blog

Many people want their threat modeling work to produce risk numbers, and in this post you'll learn why that's a mistake. (27 Jul 2021)

Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and the what the standard means now and in the future. (15 Jul 2021)

It's the latest in the World's Shortest Threat Modeling videos! (13 Jul 2021)

The latest in the World's Shortest Threat Modeling Videos. (07 Jul 2021)

The US Government's lead cybersecurity agencies have released an interesting report, and I wanted to use this for a Threat Model Thursday, where we take a respectful look at threat modeling work products to see what we can learn. (01 Jul 2021)

At Blackhat USA, I'll be teaching Applied Threat Modeling. (28 Jun 2021)

The second video in my 60 second series! (23 Jun 2021)

Thoughts on the new federal holiday, Juneteenth (19 Jun 2021)

I'm exploring the concept of very fast threat modeling videos. (17 Jun 2021)

You know what's not in my threat model? A meteor hitting a volcano... And that's ok! (15 Jun 2021)

Arbitrarily powerful software -- applications, operating systems -- is a problem, as is preventing it from running on enterprise systems. (09 Jun 2021)

A new article by Steve Bellovin and myself at Lawfare. (07 Jun 2021)

The Supreme Court has ruled in the van Buren case, and there's a good summary on the Eff's blog. (04 Jun 2021)

People sometimes ask me about my recording setup, and I wanted to share some thoughts about recording good learning content. (01 Jun 2021)

Adam Shostack's review of the book Practical Cybersecurity Architecture (26 May 2021)