Code: science and production
Phil Bull presents an interesting, generally convincing, argument in 'Why you can ignore reviews of scientific code by commercial software developers', with a couple of exceptions.

Understanding the way intrusions really happen is a long-standing interest of mine.

For Threat Model Thursday, I want to look at models and modeling in a tremendously high-stakes space: COVID models.
Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works.

I want to talk about two books: Bounce, by Matthew Syed and Range, by David Epstein. I want to talk about them together in part because Range is explicitly framed as a response to Bounce.

This week's Threat Model Thursday looks at an academic paper, Security Threat Modeling: Are Data Flow Diagrams Enough? by Laurens Sion and colleagues.

These are the books I read in the first quarter (and forgot to mention last quarter) that I think are worth your time.

On LinkedIn, Peter Dowdall had a very important response to my post on remote threat modeling.

How do we replace the in-person whiteboard sessions essential to Threat Modeling when we are distanced and working remotely?
Pandemic Safety in Star Wars

New training being developed, seeking interest.
I know many readers are here for the threat modeling, and I could claim that this is the “what are we going to do about it” post, which it is, but I don't want to have to blog all threat modeling all the time. So this is the “Seattle is a month into COVID-19” post.

This post comes from a conversation I had on LinkedIn with Clint Gibler.

While I can't fix things, I can at least make my LinkedIn courses free for a time.

Exploring supply chain threat modeling with Alexa