Shostack + Friends Blog

A video interview by OWASP leader Vandana Verma, on the topic of breaking into threat modeling. (01 Nov 2021)

Tremendous training opportunities in threat modeling and other topics at Appsec Global 2021 (20 Oct 2021)

What happened when Microsoft tried to buy climate abatements (05 Oct 2021)

We learn while we're having fun. Some takeaways from a recent play to learn session. (28 Sep 2021)

New at Darkreading, a post on NIST and threat modeling (23 Sep 2021)

Andrew Stewart has an excellent new book, A Vulnerable System. (13 Sep 2021)

The World's Shortest Threat Modeling Video series continues with .. what can go wrong? (10 Sep 2021)

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have a discount code for upcoming threat modeling training that can help! (02 Sep 2021)

Making it easier to check feed updates (24 Aug 2021)

Let me call your attention to a new post by Irene Michlin, “Where Threat Modelling fits in the matrix?” (with a few comments on why it matters). (20 Aug 2021)

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have upcoming threat modeling training that can help! (16 Aug 2021)

Time flies and things change... A look back on the growth of this industry. (09 Aug 2021)

The pandemic gives us a chance to evaluate AI tools...you'll be shocked to discover how they did. (04 Aug 2021)

Many people want their threat modeling work to produce risk numbers, and in this post you'll learn why that's a mistake. (27 Jul 2021)

Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and the what the standard means now and in the future. (15 Jul 2021)