Shostack + Friends Blog

Posts in category “software engineering”

Appsec Roundup - April 2025

Threat modeling. So much threat modeling, and so much more, including foreshadowing of new rules from FDA.

Appsec Roundup - Jan 2025

An exciting month, with new threat modeling tools, cool thoughts on STAMP, bounds checking, ADRs and more!

Patching in 2024

In late 2024, people are being offered a choice of features versus security.

The NVD Crisis

The NVD is in crisis, and so is patch management. It’s time to modernize.

Solving Hallucinations

Solving hallucinations in legal briefs is playing on easy mode — and it is still too hard.

Application and AI roundup - May

This month runs quite heavy on AI, but the CISA Safe by Design and Default document is going to be important for the next several years.

Watermarks

Watermarks show us weird edges of AI work.

Application Security Roundup - January

So many interesting articles, from AI to an organization of socio-technical harms, fascinating incident reports about Uber and CircleCI, and some history of attack trees.

GPT-3

The OpenAI chatbot is shockingly improved — its capabilities deserve attention.

GPT-3

Text captured from GPT-3

25 Years of Appsec - Appsec Global

Adam is delivering the opening keynote for OWASP Global AppSec 2021 with a 25-year retrospective on the history of appsec and a look into its future.

Training discounts!

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have a discount code for upcoming threat modeling training that can help!

Training - October

Are you tired of escalations and fights after pen tests find crucial security issues at the last minute? I have upcoming threat modeling training that can help!

Threat Model Thursday: NIST’s Code Verification Standard

Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and what the standard means now and in the future.

Ransomware is Not the Problem

Arbitrarily powerful software (applications, operating systems) is a problem, and so is the difficulty of preventing it from running on enterprise systems.

Pacific Northwest Appsec Conference

AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria.

IoT Security & Threat Modeling

Expanding on the UK Government's ‘The UK Code of Practice for Consumer IoT Security’ and how it aligns with threat modeling.

Vaccines

You may have noticed that my end of the year posts are all science focused. Today, a set of resources on the COVID vaccines.

The Jenga View of Threat Modeling

I'm happy to announce Shostack + Associates' new (and first) corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often.

Sonatype Report on DevSecOps

The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness.

'Best Practices for IoT Security'

There's an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? by Christopher Bellman and Paul C. van Oorschot.

Code: science and production

Phil Bull presents an interesting, generally convincing, argument in 'Why you can ignore reviews of scientific code by commercial software developers', with a couple of exceptions.

SDL Article in CACM

Most of my time, I'm helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we're early in developing the science around how to build an SDL that works.

NIST on SDLs

Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) from NIST is open for comment.

Structures, Engineering and Security

J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers.

Open for Business

Recently, I was talking to a friend who wasn't aware that I'm consulting, and so I wanted to share a bit about my new life, consulting!