Threat Modeling Whitepapers from Shostack + Associates

 
Cover page of whitepaper titled ‘Inherent Threats’

Inherent Threats

Inherent Threats: Clarifying a property of threats, our latest whitepaper, is now available, showing how some threats being inherent to a system changes how we address “What are we going to do about that threat?”

For example, a money-moving app can be used to move money to the wrong place, at the wrong time, or in the wrong amount. Those are inherent dangers of such an app, and the way we mitigate them is different than an accidental use of files in a shared directory.

 
Cover page of whitepaper titled 'Fast, Cheap, and Good'

Fast, Cheap, and Good

Fast, Cheap and Good: An Unusual Tradeoff Available in Threat Modeling is our third corporate whitepaper. It examines some of the organizational drivers that inform the ways we threat model, including who's doing the work and why. The paper catalogs a set of fast, cheap and good approaches that can help you get started.

 
Cover page of whitepaper titled 'The Jenga View of Threat Modeling'

The Jenga View of Threat Modeling

The Jenga View of Threat Modeling, our first corporate whitepaper, breaks out different types of threat modeling work in a new way. The Jenga view helps you understand the diverse changes that happen to enable threat modeling, and through understanding, helps you accelerate.

 
 

Reasonable Software Security Engineering

A whitepaper written for ISACA. Many businesses today make promises like “we take your security seriously,” or “we are secure by design.” That’s great, if your efforts are centered in engineering, rather than marketing or legal. In this Perspective article, we’ll talk about the growing need for security engineering, including what, why, where, how and when.
Paper (Registration required)
Podcast