Shostack + Friends Blog

What comes easily should still be taught and elaborated upon. (06 Feb 2019)

An unexpected book review. (04 Feb 2019)

It's well known that adoption rates for multi-factor authentication are poor. For example, "Over 90 percent of Gmail users still don’t use two-factor authentication." (01 Feb 2019)

Reasons for failure in real-world security (31 Jan 2019)

Omer Levi Hevroni has a very interesting post exploring ways to represent threat models as code. (23 Jan 2019)

My Linkedin Learning course is getting really strong positive feedback. Today, I want to peel back the cover a bit, and talk about how it came to be. (10 Jan 2019)

I’m excited to be able to share “Announcement: IriusRisk Threat Modeling Platform 2.0 Released.” (10 Jan 2019)

For the last few years, I've been delivering in-person threat modeling training. I've trained groups ranging from 2 to 100 people at a time, and I've done classes as short as a few hours and as long as a week. (02 Jan 2019)

Some recent changes in the weather... (09 Nov 2018)

As we head into RSA, I want to hold the technical TM Thursday post, and talk about how we talk to others in our organizations about particular threat models, and how we frame those conversations. (12 Apr 2018)

Near misses are an important source of information for avoiding accidents, and it's a shame we don't use them in cybersecurity. (06 Feb 2018)

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. Most readers should, at most, skim their analysis of the perpetrators. Read on for why. (11 Nov 2014)