Car Safety Factoids
A few thoughts from a clickbait headline
Shostack + Friends Blog
Posts in category “reports and data”
25 Years of CVE
Some thoughts on 25 years of the CVE program
First Workshop on Cyber Public Health
The first workshop on cyber public health was so exciting. Check out the report!
Other comments on the CSRB Microsoft Report
Other people have written about the CSRB report, and I wanted to share their perspectives.
CSRB Report on Microsoft
The CSRB has released its report into an intrusion at Microsoft, and...it’s a doozy.
The British Library’s Incident Review
Thoughts on the British Library incident
Comparing Retrospectives
We can learn a lot from comparing retrospectives
Major Cyber Incidents Investigations
I'm thrilled this how to guide for standing up new investigations is available.
Congratulations to the CSRB!
I'm thrilled the first CSRB report is available.
Ten Questions we hope the CSRB answers
The new Cyber Safety Review Board is an opportunity to get better faster.
Wearing Many Hats
Fascinating history of a transformation in how hackers were seen.
Tracking Company Says 96% of iPhone Users Block Tracking
So there's some good news and some bad news in this story: 'Too Bad, Zuck: Just 4% of U.S. iPhone Users Let Apps Track Them After iOS Update'.
IoT Security & Threat Modeling
Expanding on the UK Government's ‘The Uk Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling.
Mmmm, Pandemic Puppies
Breaking Encryption Myths (EU Commission on Encryption)
Speaking up
The Cyentia Library Relaunches
I'm excited to see that they're Re-introducing the Cyentia Research Library, with cool (new?) features like an RSS feed. There are over 1,000 corporate research reports with data that companies paid to collect, massage, and release in a way they felt would be helpful to the rest of the world.
Threat Research: More Like This
I want to call out some impressive aspects of a report by Proofpoint.
Sonatype Report on DevSecOps
The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness.
How Are Computers Compromised (2020 Edition)
Understanding the way intrusions really happen is a long-standing interest of mine.
SDL Article in CACM
Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works.
Threat Model Thursday: BIML Machine Learning Risk Framework
Risk Framework and Machine Learning
Empirical Evaluation of Secure Development Processes
Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success.
Valuing CyberSecurity Research Datasets
A paper at the Workshop on the Economics of Information Security titled “Valuing CyberSecurity Research Datasets” focuses on the value of the IMPACT data sharing platform at DHS, and how the availability of data shapes research.
DNS Security
I'm happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance.
House Oversight Committee on Equifax
The House Oversight Committee has released a scathing report on Equifax...
Measuring ROI for DMARC
I'm pleased to be able to share work that Shostack + Associates and the Cyentia Institute have been doing for the Global Cyber Alliance.
NTSB on Uber (Preliminary)
[no description provided]
Learning from Near Misses
[no description provided]
Cyber Balance Sheet
[no description provided]
Calls for an NTSB?
[no description provided]
Modeling Attackers and Their Motives
There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. Most readers should, at most, skim their analysis of the perpetrators. Read on for why.