Shostack + Friends Blog

A few tips on getting the most out of attending a virtual security conference. (31 Jul 2020)

A recent post from Helen L. of the UK’s NCSC, A sociotechnical approach to cyber security, shares the context of socio-technical approaches. (24 Jul 2020)

Not usually one for the video format, I'm expanding my horizons thanks to 2020 being what it is. (21 Jul 2020)

I enjoyed being a guest on Software Engineering Radio in this in depth interview. (15 Jul 2020)

I recently signed onto the amicus brief on the Van Buren/Computer Fraud and Abuse Act filed by the Electronic Frontier Foundation. (13 Jul 2020)

The Internet Society Open Letter Against Lawful Access to Encrypted Data Act was published this morning. (07 Jul 2020)

A recent talk by Alyssa Miller focuses on integrating threat modeling in devops. (02 Jul 2020)

My thoughts on an interesting blog post discussing how to bring threat modeling into the Scaled Agile Framework. (30 Jun 2020)

I'm excited to see that they're Re-introducing the Cyentia Research Library, with cool (new?) features like an RSS feed. There are over 1,000 corporate research reports with data that companies paid to collect, massage, and release in a way they felt would be helpful to the rest of the world. (22 Jun 2020)

Juneteenth is the celebration of the end of slavery in the US. We need more holidays that celebrate freedom. Freedom isn't always comfortable or easy, but it is the precondition to the pursuit of happiness. (19 Jun 2020)

I'm happy to announce Shostack + Associate's new, first, corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often. (16 Jun 2020)

I want to call out some impressive aspects of a report by Proofpoint. (14 Jun 2020)

The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness. (12 Jun 2020)

Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed. (09 Jun 2020)

There's an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? by Christopher Bellman and Paul C. van Oorschot. (08 Jun 2020)