Shostack + Friends Blog

Recent Blog Posts

Adam Featured on the AppSec Weekly Podcast

Learn more about threat modeling and the Four Question Framework (04 Feb 2026)

 

Secure By Design roundup - Dec/Jan 2026

The normalization of deviance, exciting threat modeling news, and a question of do regulatory threats change ‘the threat model’ as much as GPS attacks? Not yet. (30 Jan 2026)

 

Threat Modeling in the Age of AI

Adam will be the featured speaker at the ISC2 Seattle Chapter meeting in February. (29 Jan 2026)

 

NIST 800-218 revision

NIST 800-218 wants you! (27 Jan 2026)

 

Bitlocker, the FBI, and Risk

What can the Bitlocker story tell us about risk? (23 Jan 2026)

 

Security Advisory SA-26-01 GPS Attacks

GPS attacks trigger revisiting threat models (22 Jan 2026)

 

Take Control of What you Read, Redux

In 2026, it’s more important than ever to take control of what you read (11 Jan 2026)

 

Congratulations to ThreatModeler and IriusRisk!

Congratulations to all involved! (07 Jan 2026)

 

A few thoughts closing out 2025

Prompted by participants, a few closing thoughts for 2025 (31 Dec 2025)

 

Gavle Goat Survived 2025 - or did it?

Important news about current events (26 Dec 2025)

 

The Best Holiday Decorations

The best decorations ever (18 Dec 2025)

 

OWASP Keynote Available for Viewing!

Watch Adam's keynote 'Stop Trying to 'Manage Risk'' From OWASP 2025 (17 Dec 2025)

 

State of Threat Modeling 2024-2025

The first-ever, community-powered report on threat modeling (12 Dec 2025)

 

Windows Links and Usable Security

Some dialogs can harm the viewer (05 Dec 2025)

 

Secure By Design roundup - November 2025

Perspective on CISOs as facilitators, a deep dive into the types of diagrams for medical devices, poetry, Chinese LLMs, Chinese drones and Chinese routers. Do any of them contain secrets? (30 Nov 2025)