Shostack + Friends Blog

A few thoughts from a clickbait headline (16 Nov 2024)

Some thoughts on 25 years of the CVE program (25 Oct 2024)

The first workshop on cyber public health was so exciting. Check out the report! (17 Jun 2024)

Other people have written about the CSRB report, and I wanted to share their perspectives. (17 Apr 2024)

The CSRB has released its report into an intrusion at Microsoft, and...it’s a doozy. (13 Apr 2024)

Thoughts on the British Library incident (09 Mar 2024)

We can learn a lot from comparing retrospectives (19 Sep 2023)

I'm thrilled this how to guide for standing up new investigations is available. (19 Jul 2022)

I'm thrilled the first CSRB report is available. (14 Jul 2022)

The new Cyber Safety Review Board is an opportunity to get better faster. (09 Feb 2022)

Fascinating history of a transformation in how hackers were seen. (24 Jan 2022)

So there's some good news and some bad news in this story: 'Too Bad, Zuck: Just 4% of U.S. iPhone Users Let Apps Track Them After iOS Update'. (08 May 2021)

Expanding on the UK Government's ‘The Uk Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling. (22 Apr 2021)

(24 Mar 2021)

Speaking up (22 Nov 2020)

I'm excited to see that they're Re-introducing the Cyentia Research Library, with cool (new?) features like an RSS feed. There are over 1,000 corporate research reports with data that companies paid to collect, massage, and release in a way they felt would be helpful to the rest of the world. (22 Jun 2020)

I want to call out some impressive aspects of a report by Proofpoint. (14 Jun 2020)

The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness. (12 Jun 2020)

Understanding the way intrusions really happen is a long-standing interest of mine. (20 May 2020)

Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works. (11 May 2020)

Risk Framework and Machine Learning (27 Feb 2020)

Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success. (07 Dec 2019)

A paper at the Workshop on the Economics of Information Security titled “Valuing CyberSecurity Research Datasets” focuses on the value of the IMPACT data sharing platform at DHS, and how the availability of data shapes research. (26 Jul 2019)

I'm happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance. (13 Jun 2019)

The House Oversight Committee has released a scathing report on Equifax... (11 Dec 2018)

I'm pleased to be able to share work that Shostack + Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. (16 Oct 2018)

[no description provided] (25 May 2018)

[no description provided] (04 Dec 2017)

[no description provided] (18 Apr 2017)

[no description provided] (20 Feb 2017)

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. Most readers should, at most, skim their analysis of the perpetrators. Read on for why. (11 Nov 2014)