Shostack + Friends Blog

adult male teaching young child to fish at the beach

Better Taught Than Caught!

Informal training may work in some cases, but Threat Modeling skills should be passed on through more formal means. (18 Aug 2020)

torn brown paper revealing the word SECRET

Information Disclosure In Depth

I have something to disclose... (14 Aug 2020)

MDIC Panel - Cybersecurity: Strides Toward Maturity Benchmarking for the MedTech Sector; Thursday, Aug 13, 2020, 11am Pacific/2pm Eastern

MDIC Annual Public Forum

I'll be speaking at the MDIC's Annual Public Forum today, discussing how threat modeling helps bring maturity to the medtech sector. (13 Aug 2020)

screenshot from virtual talk discussed in the article

When to Threat Model

A talk from the Biohacking Village at DefCon brought up a good point. (12 Aug 2020)

Maximizing the Value of Virtual Security Conferences

A few tips on getting the most out of attending a virtual security conference. (31 Jul 2020)

drawing showing various connects among people and products

Sociotechnical Approach to Cyber Security

A recent post from Helen L. of the UK’s NCSC, A sociotechnical approach to cyber security, shares the context of socio-technical approaches. (24 Jul 2020)

Video Series

Not usually one for the video format, I'm expanding my horizons thanks to 2020 being what it is. (21 Jul 2020)

Software Engineering Radio

I enjoyed being a guest on Software Engineering Radio in this in depth interview. (15 Jul 2020)

Screenshot of Amicus Brief discussed in article

Amicus Brief on CFAA

I recently signed onto the amicus brief on the Van Buren/Computer Fraud and Abuse Act filed by the Electronic Frontier Foundation. (13 Jul 2020)

Internet Society Opposition to LAED Act

The Internet Society Open Letter Against Lawful Access to Encrypted Data Act was published this morning. (07 Jul 2020)

Threat Model In My Devops

A recent talk by Alyssa Miller focuses on integrating threat modeling in devops. (02 Jul 2020)

Threat Modeling and the SAFE Framework

My thoughts on an interesting blog post discussing how to bring threat modeling into the Scaled Agile Framework. (30 Jun 2020)

Information Risk Insights Study 20/20 plot

The Cyentia Library Relaunches

I'm excited to see that they're Re-introducing the Cyentia Research Library, with cool (new?) features like an RSS feed. There are over 1,000 corporate research reports with data that companies paid to collect, massage, and release in a way they felt would be helpful to the rest of the world. (22 Jun 2020)

Happy Juneteenth!

Juneteenth is the celebration of the end of slavery in the US. We need more holidays that celebrate freedom. Freedom isn't always comfortable or easy, but it is the precondition to the pursuit of happiness. (19 Jun 2020)

The Jenga View of Threat Modeling

I'm happy to announce Shostack + Associate's new, first, corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often. (16 Jun 2020)