Evidence Based Security
Check out “The Need for Evidence Based Security” by Chris Frenz.
I generally try to stay on technical topics, because my understanding is that's what readers want. But events are overwhelming and I believe that not speaking out is now a political choice.
As I built out my home studio to record videos for my distributed classes, I was lucky enough to be able to find an in-stock HDMI capture card, but those are harder and harder to find. As it turns out, you may be able to avoid the need for that with a mix of apps.
Phil Bull presents an interesting, generally convincing, argument in 'Why you can ignore reviews of scientific code by commercial software developers', with a couple of exceptions.
Understanding the way intrusions really happen is a long-standing interest of mine.
For Threat Model Thursday, I want to look at models and modeling in a tremendously high-stakes space: COVID models.
Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works.
I want to talk about two books: Bounce, by Matthew Syed and Range, by David Epstein. I want to talk about them together in part because Range is explicitly framed as a response to Bounce.
This week's Threat Model Thursday looks at an academic paper, “Security Threat Modeling: Are Data Flow Diagrams Enough?” by Laurens Sion and colleagues.
These are the books I read in the first quarter (and forgot to mention last quarter) that I think are worth your time.
On LinkedIn, Peter Dowdall had a very important response to my post on remote threat modeling.
How do we replace the in-person whiteboard sessions essential to Threat Modeling when we are distanced and working remotely?
Pandemic Safety in Star Wars
New training being developed, seeking interest.
I know many readers are here for the threat modeling, and I could claim that this is the “what are we going to do about it” post, which it is, but I don't want to have to blog all threat modeling all the time. So this is the “Seattle is a month into COVID-19” post.