Shostack + Friends Blog


IoT Security & Threat Modeling

Expanding on the UK Government's ‘The UK Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling.

groups of children sitting at tables, coloring, in a classroom setting

Can Training Work Remotely?

I get this question a lot: Can distributed/remote training work as well as in person? Especially for threat modeling, where there's a strong expectation that training involves whiteboards...

a pizza topped with lamb and bitter greens

Passover Pie

For Passover, we made a lamb and bitter greens pizza. Now, you may be saying to yourself that that’s wrong, but allow me to explain.

group of professionals reviewing threat model diagrams on window-cling whiteboards in a city office

Threat Modeling Classes

Through the pandemic, I’ve rebuilt the way I teach threat modeling. The new structure and the platforms I needed to adapt for my corporate clients also allow me to offer the courses to the public.


Microsoft AutoUpdate hangs Excel 16.47.21032301

Microsoft AutoUpdate for Mac has gotten exceptionally aggressive about running. Even if you use launchctl to disable it, you get a pop-up roughly every 15 minutes of using an Office program.

Excavator digging out sand around the box of the Ever Given in the Suez Canal, March 2021

Ever Given & Suez

Thoughts on the issues with the Ever Given blocking the Suez Canal.

headphones, Threat Modeling book, and mug on a desk with a screen snippet overlay of the Denial of Service and Elevation of Privilege course on LinkedIn

LinkedIn Learning

Bringing threat modeling to more and more people, now through a series of courses on LinkedIn.

Snack Box

My Year Without Flying

It was just over a year ago that I last walked out of the Seattle airport. Some thoughts from a very frequent flyer on the pandemic so far.

OKR in Threat Modeling

Better OKRs Through Threat Modeling

Effective Threat Modeling by itself can not only ensure that your OKRs and AppSec Program are in great tactical shape, but also help define a strategic roadmap for your AppSec Program.