Appsec Roundup - April 2025
Threat modeling. So much threat modeling, and so much more, including foreshadowing of new rules from FDA.
Shostack + Friends Blog
Posts in category “software engineering”
CVE Futures
What’s next for the CVE program?
Appsec Roundup - March 2025
Big news for LLMs in threat modeling!
The Covid pandemic, 5 years on
Thinking about Covid, five years on.
Appsec Roundup - Feb 2025
New releases from DEF CON, the UK’s NCSC, some entertaining AI news, and more!
A New Hope for Threat Modeling, on The CyberTuesday Podcast
Adam was on the CyberTuesday podcast
Appsec Roundup - Jan 2025
An exciting month, with new threat modeling tools, cool thoughts on STAMP, bounds checking, ADRs and more!
Talk at CERIAS
Adam speaking at CERIAS weekdly seminar
Spatial Reasoning and Threat Modeling
Do diagrams leverage the brain in a different way?
Appsec Roundup - Dec 2024
A virtual feast of appsec!
Appsec Roundup - Nov 2024
A virtual feast of appsec!
Patching in 2024
In late 2024, people are being offered a choice of features versus security.
Appsec Roundup - Oct 2024
If you say liability three times, it appears!
OWASP Board 2024
Time to vote for OWASP leadership
Appsec Roundup - September 2024
If you say threat modeling three times, it appears!
Secure Boot and Liability
Secure boot presents questions that should inform the liability conversation
Appsec Roundup - August 2024
The most important stories around threat modeling, appsec and secure by design for August, 2024.
Secure Boot and Secure by Design
The failure to secure boot keys should be a bigger deal.
Appsec Roundup - July 2024
The most important stories around threat modeling, appsec and secure by design for June, 2024.
Appsec Roundup - June 2024
The most important stories around threat modeling, appsec and secure by design for June, 2024.
Scale to Zero
Adam on the Scale to Zero podcast
William Anders
Commemorating William Anders
Security Engineering roundup - May 2024
The most important stories around threat modeling, appsec and secure by design for May, 2024.
Secure by Design roundup - April 2024
A less busy month in appsec, AI, and regulation, but still interesting stories
Eternal sunshine of the spotless LLM
Making an LLM forget is harder than it seems
Secure by Design roundup - March 2024
A busy month in appsec, AI, and regulation.
The NVD Crisis
The NVD is in crisis, and so is patch management. It’s time to modernize.
Application and AI roundup - Feb 2024
A busy month in appsec, AI, and regulation.
Solving Hallucinations
Solving hallucinations in legal briefs is playing on easy mode —— and still too hard
Application and AI roundup - Jan 2024
A busy month+ in appsec, AI, and regulation.
CSRB Senate Hearing
Comments following the Senate’s CSRB hearing
Threat Modeling Capabilities Released
A great new resource for threat modeling
The State of Appsec in 2024
2024 is bringing lots of AI, and Liability, too
Application and AI roundup - November
A threat modeling conference, lots of government appsec guidance, and some updates from Shostack + Associates
C2PA Threat Modeling
What can we learn from the C2PA security considerations document?
Threat Modeling Thursday: Thanksgiving
What can we learn from Gunnar Peterson’s Threat Model for Thanksgiving?
Application and AI roundup - October
Exciting news from the SEC, lots of AI, and lots of threat modeling.
Security Principles in 2023
Principles are lovely, but do they lead us to actionable results?
Application and AI roundup - September
September was a big month in appsec for both memory safety and policy
FDA Final Cyber Guidance is out
The FDA has released their new guidance, which will be broadly impactful.
Comparing Retrospectives
We can learn a lot from comparing retrospectives
Application and AI roundup - August
Lots of interesting work in LLMs (again)
Microsoft Can Fix Ransomware Tomorrow
My latest at Dark Reading draws attention to how Microsoft can fix ransomware tomorrow.
AI will be the high interest credit card of 2023
AppSecPNW 2023
Adam's AppSecPNW 2023 keynote
Phishing Defenses
Phishing behaviors, as observed in the wild.
Application and AI roundup - May
This month runs quite heavy on AI, but the CISA Safe by Design and Default document is going to be important for the next several years.
The Cyber Safety Review Board Should Investigate Major Historical Incidents
Tarah Wheeler and Adam write in CFR
Layoffs in Responsible AI Teams
Some inferences from layoffs in responsible AI teams
Threats Book News and Updates for April
Book signings at RSA, big discounts and more!
Reflecting on Threats: The Frame
Reflecting on the framing of the Threats book
Application Security Roundup - March
A few tools, some thoughts on injection, some standards, and some of Adam’s appsec news.
My David Prouse Moment
Searching my feelings as the audiobook of Threats is released.
Application Security Roundup - Feb
This month is all about memory safety, unless you’re a standards group.
Usable Security and Privacy for Engineers
The new IEEE S+P is all about usable security.
Watermarks
Watermarks show us wierd edges of AI work
Application Security Roundup - January
So many interesting articles from AI to an organizatoion of socio-technical harms, fascinating incident reports about Uber and Circle CI and some history of attack trees.
The Hacker Mind
Adam spoke with Robert Vamosi of The Hacker Mind podcast
Not all developers can be Jedi
Adam joined Paul Roberts on the Conversing Labs podcast
Threats, To The Supply Chain
The threats book is in the supply chain, inconsistently.
Threats Book Launch Party
The live launch party for Threats!
Threats Book is Complete
The serious side of the book
Threat Modeling is Measure Twice, Cut Once
Threat Modeling is the software version of measure twice, cut once.
The Appsec Landscape in 2023
External changes will be driving appsec in 2023. It’s time to frame the decisions in front of you.
Threat Model Thursday: curl
Looking at a threat model for curl, the command line web client.
Fast, Cheap and Good, Redux
A new paper on how fast, cheap and good can combine into something we usually discount.
Human-Centered Security
Threat Modeling for UX Designers with Adam Shostack on Heidi Trost's podcast
GPT-3
The OpenAI chatbot is shockingly improved — its capabilities deserve attention.
GPT-3
Text captured from GPT-3
The Threats book is complete
Threats is almost in bookstores
Application Security Roundup - October and Nov
Interesting reads this month include signals from the administration, a history of appsec by one of the originals, and a longread from Apple about kernel memory design.
Trainings and discounts
People learning together
Application Security Roundup - September
Interesting appsec posts: machine learning, performance, and C4
Threat Modeling for Security Champs
Our next open course is in just a few weeks!
Threat Modeling Training Announcements Fall, 2022
Our fall course offerings
Threats — The Cover
So excited to share the cover with you
Podcast: A Fully Trained Jedi
A fun podcast with the ITSP team.
Application Security Roundup - July
Interesting appsec posts: machine learning, performance, and C4
Major Cyber Incidents Investigations
I'm thrilled this how to guide for standing up new investigations is available.
Congratulations to the CSRB!
I'm thrilled the first CSRB report is available.
Application Security Roundup - June
Interesting appsec posts: from medical devices to bridges.
Application Security Roundup - May
A collection of interesting appsec posts.
FDA Draft Premarket Guidance
The FDA has issued draft guidance for pre-market security
Fast, Cheap + Good Whitepaper
Threat modeling doesn't need to be a slow, heavyweight activity!
Medical Device Threat Modeling Webinar
An important webinar by MDIC about the medical device threat modeling playbook is now available!
25 Years of Appsec - Appsec Global
Adam is delivering the opening keynote for OWASP Global Appsec 2021 with a 25 year restrospective on the history of appsec and a look into its future.
NIST Brings Threat Modeling into the Spotlight
New at Darkreading, a post on NIST and threat modeling
Training discounts!
Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have a discount code for upcoming threat modeling training that can help!
Training - October
Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have upcoming threat modeling training that can help!
25 Years in AppSec: Looking Back
Time flies and things change... A look back on the growth of this industry.
Threat Model Thursday: NIST’s Code Verification Standard
Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and the what the standard means now and in the future.
Ransomware is Not the Problem
Arbitrarily powerful software -- applications, operating systems -- is a problem, as is preventing it from running on enterprise systems.
Pacific Northwest Appsec Conference
AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria.
IoT Security & Threat Modeling
Expanding on the UK Government's ‘The Uk Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling.
Mmmm, Pandemic Puppies
Irius Risk & Gary McGraw
Dr. Gary McGraw joins the IriusRisk Technical Advisory Board
Vaccines
You may have noticed that my end of the year posts are all science focused. Today, a set of resources on the COVID vaccines.
Breaking Encryption Myths (EU Commission on Encryption)
Speaking up
Training: Threat Modeling for Security Champions
Expanding on our distributed class structure.
The Jenga View of Threat Modeling
I'm happy to announce Shostack + Associate's new, first, corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often.
Sonatype Report on DevSecOps
The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness.
'Best Practices for IoT Security'
There's an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? by Christopher Bellman and Paul C. van Oorschot.
Code: science and production
Phil Bull presents an interesting, generally convincing, argument in 'Why you can ignore reviews of scientific code by commercial software developers', with a couple of exceptions.
SDL Article in CACM
Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works.
Answering 'What Are We Working On' When Remote
How do we replace the in-person whiteboard sessions essential to Threat Modeling when we are distanced and working remotely?
Medical Device Threat Modeling
New training being developed, seeking interest.
Amazon's 'Alexa Built-in' Threat Model
Exploring supply chain threat modeling with Alexa
Threat Modeling Training at Blackhat 2020
At Blackhat this summer, I'll be offering threat modeling training at Blackhat. Last year, these sold out quickly, so don't wait!
Threat Model Thursday: BIML Machine Learning Risk Framework
Risk Framework and Machine Learning
Repudiation Now Live on Linkedin Learning
My course, “Repudiation in Depth” is now live on Linkedin Learning. This is the fourth course in my Learning Threat Modeling series.
Threat Model Thursday: Files
Have you considered the idea that “Files are Fraught With Peril” lately? Maybe you should...
Threat Modeling Thursday: Machine Learning
For my first blog post of 2020, I want to look at threat modeling machine learning systems.
Empirical Evaluation of Secure Development Processes
Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success.
Managed Attribution Threat Modeling
Let's talk CAKED, a threat model for managed attribution.
Medical Device Security Standards
Recently, I've seen four cybersecurity approaches for medical devices, and we can learn by juxtaposing them.
Includes No Dirt: Healthcare Threat Modeling (Thursday)
“Includes No Dirt” is a threat modeling approach by William Dogherty and Patrick Curry of Omada Health, and I've been meaning to write about it since it came out.
Interesting Reads: Risk, Automation, lessons and more!
Just what the title says.
Course announcement: Tampering in Depth!
I'm excited to announce that I'm hitting my STRIDE and Linkedin has released the second course in my in-depth exploration of STRIDE: Tampering.
Training At Embedded Systems Security Days
I'm excited to be teaming up with Alpha Strike and Limes Security to deliver training in Vienna November 6-8.
Actionable Followups from the Capital One Breach
What have we learned and what steps can we take?
NIST on SDLs
Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) from NIST is open for comment.
Safety and Security in Automated Driving
Let’s explore the risks associated with Automated Driving.
The Road to Mediocrity
The road to mediocre writing is paved with over-simplification and distraction.
Threat Modeling as Code
Exploring threat models as code.
Structures, Engineering and Security
J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers.
CyberSecurity Hall of Fame
[no description provided]
CSO on AppSec at the Speed of Devops
[no description provided]
Games and Cards
[no description provided]
Conway's Law and Software Security
[no description provided]
The DREAD Pirates
[no description provided]
NTSB on Uber (Preliminary)
[no description provided]
Threat Model Thursday: Talking, Dialogue and Review
As we head into RSA, I want to hold the technical TM Thursday post, and talk about how we talk to others in our organizations about particular threat models, and how we frame those conversations.
Security Engineering: Computers versus Bridges
[no description provided]
Gartner on DevSecOps Toolchain
[no description provided]
Ries on Gatekeepers
[no description provided]
Threat Model Thursday: Synopsys
[no description provided]
Threat Modeling Panel at APPSEC Cali 2018
[no description provided]
Speculative Execution Threat Model
[no description provided]
Threat Modeling Tooling from 2017
[no description provided]
Portfolio Thinking: AppSec Radar
[no description provided]
Microsoft's PCI Blueprint
[no description provided]
The Fights We Have to Fight: Fixing Bugs
[no description provided]
Data Flow Diagrams 3.0
[no description provided]
Why is 'Reply' Not the Strongest Signal?
[no description provided]
Emergent Design Issues
[no description provided]
20 Year Software: Engineering and Updates
[no description provided]
Threat Modeling and Architecture
[no description provided]
Open for Business
Recently, I was talking to a friend who wasn't aware that I'm consulting, and so I wanted to share a bit about my new life, consulting!
“Comparing the Usability of Cryptographic APIs”
[no description provided]
Threat Modeling Password Managers
[no description provided]
Secure updates: A threat model
[no description provided]
Threat Modeling Encrypted Databases
[no description provided]
IoT Security Workshop (Seattle, August)
[no description provided]
Maintaining & Updating Software
[no description provided]
The Ultimate Stopping Machine?
[no description provided]
Adam & Chris Wysopal webcast
[no description provided]
Certificate pinning is great in stone soup
[no description provided]
Threat Modeling and Star Wars
[no description provided]
Threat Modeling & IoT
[no description provided]
Cyber Grand Shellphish
[no description provided]
People are The Weakest Link In Security?
[no description provided]