What's new around the internet

Date (GMT) | Title | Description | Tags
2020-02-11 16:13:57 | Repudiation Now Live on Linkedin Learning | My course, “Repudiation in Depth” is now live on Linkedin Learning. This is the fourth course I’ve created, starting with “Learning Threat Modeling“, and courses on “spoofing“, “tampering“, and now, repudiation. (You can probably see where this is going, and I’m making great strides towards the goal. Sorry not sorry.) I’d say it’s not my… | Threat
2020-02-06 22:12:39 | Threat Model Thursday: Games | For reasons I can’t quite talk about yet, this has been a super busy time, and I look forward to sharing the exciting developments that have kept me occupied. In the meantime, my friends at Agile Stationery have transcribed a talk that Mark Vinkovits and I gave at AppSec Cali last year. Their posts are… | Threat
2020-01-23 01:37:24 | Threat Model Thursday: Files | There’s a fascinating talk by Dan Luu, “Files are Fraught With Peril.” The talk itself is fascinating, in a horrifying, nothing works, we’re going to give up and raise goats now sort of way. He starts from the startling decision of Dropbox to drop support for all Linux filesystems except Ext4. This surprising decision stems… | Threat
2020-01-09 23:49:30 | Threat Modeling Thursday: The Human Element | Today’s Threat Modeling Thursday is a podcast! I’m on The Humans of InfoSec Podcast, with Caroline Wong: The Human Element of Threat Modeling. | Threat
2020-01-02 17:08:20 | Threat Modeling Thursday: Machine Learning | For my first blog post of 2020, I want to look at threat modeling machine learning systems. Microsoft recently released a set of documents including “Threat Modeling AI/ML Systems and Dependencies” and “Failure Modes in Machine Learning” (the latter also available in a more printer-friendly version at arxiv.). These build on last December’s “Securing the… | Threat
2019-12-30 19:33:25 | Echo, Threat Modeling and Privacy | I’m featured in (local NPR Affiliate) KUOW’s Primed: Season 3, Episode 8. I appreciate how the sense of fun that many security people bring to their work comes through. For me, it was fun learning about how Elevation of Privilege works for non-techies. (Spoiler: not super-well, you need to select the cards pretty carefully. Maybe… | Threat
2019-11-14 00:16:28 | Managed Attribution Threat Modeling | The more I learn about threat modeling, the more I think the toughest part is how we answer the question: “What can go wrong?” Perhaps that’s “finding threats.” Maybe it’s “discovering” or “eliciting” them. Maybe it’s analogizing from threats we know about. I’m not yet even sure what to call it. But what it does… | Threat
2019-10-31 03:10:27 | Includes No Dirt: Healthcare Threat Modeling (Thursday) | “Includes No Dirt” is a threat modeling approach by William Dogherty and Patrick Curry of Omada Health, and I’ve been meaning to write about it since it came out. I like that it starts from context — the why this matters: Their goal is to have a single approach to security, privacy, and compliance. Reducing… | Threat
2019-10-23 16:21:07 | Who Are We Kidding with Attacker-Centered Threat Modeling? | I’ve spoken for over a decade against “think like an attacker” and the trap of starting to threat model with a list of attackers. And for my threat modeling book, I cataloged every serious grouping of attackers that I was able to find. And as I was reading “12 Ingenious iOS Screen Time Hacks,” I… | Threat
2019-10-15 13:21:25 | Interesting Reads: Risk, Automation, lessons and more! | The Cybok project has released its v1 “Risk Management & Governance Knowledge Area”; I was a reviewer. Towards Automated Security Design Flaw Detection is an interesting paper from academics in Belgium and Sweden. Steve Lipner offers “Lessons learned through 15 years of SDL at work“. Charles Wilson has perspective on threat modeling devices in “Does… | Threat ★★★★
2019-10-09 15:17:25 | Quick Threat Model Links October 2019 | Trail of Bits released a threat model for Kubernetes. There’s some context from Aaron Small, who made the project happen. Continuum has a blog and a spreadsheet on threat modeling lambdas (as a category, not specific to Amazon Lambda), and also a post on threat modeling with CAPEC. Ntrepid has released a blog post on… | Threat Uber
2019-09-04 00:15:05 | Threat Modeling Building Blocks | Threat modeling isn’t one task - it’s a collection of tasks that build on each other to produce more valuable insights. One of the values of the four question frame is that it lets us reduce things into smaller, more assessable building blocks. And in that vein, there are a couple of new, short (4-page),… | Threat
2019-08-21 17:11:02 | Interesting Reads, August 19 | If you needed more reasons to move away from using SMS-based authentication, and treating phone companies as trusted, “AT&T employees took over $1 million in bribes to plant malware and unlock millions of smartphones: DOJ“. Abuse reporting systems are being abused. You need to threat model and play the chess game. “How Flat Earthers Nearly… | Malware Threat
2019-07-12 15:50:01 | Threat Modeling at Layer 8 | Conflict online — bullying, trolling, threats and the like are everywhere. The media coverage is shifting from “OMG what are we doing about this?!” to “Wow, this is really hard.” (Ayup) I’ve been exploring how to engineer for these problems, and I joined Chris Romeo and Robert Hurlbut to talk about it on the AppSec… | Threat
2019-06-13 15:11:02 | DNS Security | I’m happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance. They asked us to look at the value of DNS security, such as when your DNS provider uses threat intel to block malicious sites. It’s surprising how effective it is for… | Threat
2019-05-13 17:03:05 | Promoting Threat Modeling Work | Quick: are all the flowers the same species? People regularly ask me to promote their threat modeling work, and I’m often happy to do so, even when I have questions about it. There are a few things I look at before I do, and I want to share some of those because I want to… | Threat ★★
2019-05-07 16:20:02 | Testing Building Blocks | There are a couple of new, short (4-page), interesting papers from a team at KU Leuven including: Knowledge is Power: Systematic Reuse of Privacy Knowledge for Threat Elicitation; A Comparison of System Description Models for Data Protection by Design. What makes these interesting is that they are digging into better-formed building blocks of threat modeling,… | Threat ★★★★
2019-04-24 21:41:00 | 3 Arguments for Threat Modeling | There’s a great post from my friends at Continuum, “Three Killer Arguments for Adopting Threat Modeling.” Their arguments are “Threat Modeling Produces Measurable Security,” “Threat Modeling Done Right Encourages Compliance,” and “Threat Modeling Saves You Money.” (Actually, they have 6.) | Threat
2019-04-01 16:31:03 | 20 Years of STRIDE: Looking Back, Looking Forward | Today, let me contrast two 20-year-old papers on threat modeling. My first paper on this topic, “Breaking Up Is Hard to Do,” written with Bruce Schneier, analyzed smart-card security. We talked about categories of threats, threat actors, assets - all the usual stuff for a paper of that era. We took the stance that “we… | Threat
2019-03-19 16:25:03 | Threat Modeling in 2019 | RSA has posted a video of my talk, “Threat Modeling in 2019”. | Threat
2019-03-13 18:24:05 | A Seat At The Table (AppSecCali) | The fine folks at AppSecCali have posted videos, including my talks, A Seat At The Table, and Game On! Adding Privacy to Threat Modeling – Adam Shostack & Mark Vinkovits. | Threat
2019-02-28 18:59:03 | Adam @ RSA | At RSA, I’ll be speaking 3 times at the conference, and once at a private event for Continuum: “2028 Future State: Long Live the Firewall?” with Jennifer Minella, Harry Sverdlove and Marcus Ranum. March 5 | 1:00 PM – 1:50 PM | Moscone West 3001. Threat modeling brunch with IriusRisk, March 6 | 10 –… | Threat
2019-02-24 19:40:05 | What Should Training Cover? | Chris Eng said “Someone should set up a GoFundMe to send whoever wrote the hit piece on password managers to a threat modeling class.” And while it’s pretty amusing, you know, I teach threat modeling classes. I spend a lot of time crafting explicit learning goals, considering and refining instructional methods, and so when a… | Threat
2019-02-13 16:31:03 | Podcast: DevSecOps | I did a podcast with Mark Miller over at DevSecOps days. It was a fun conversation, and you can have a listen at “Anticipating Failure through Threat Modeling w/ Adam Shostack.” | Threat
2019-02-06 23:36:00 | Nature and Nurture in Threat Modeling | Josh Corman opened a bit of a can of worms a day or two ago, asking on Twitter: “pls RT: who are the 3-5 best, most natural Threat Modeling minds? Esp for NonSecurity people. @adamshostack is a given.” (Thanks!) What I normally say to this is I don’t think I’m naturally good at finding replay… | Threat
2019-01-31 21:25:04 | Threat Modeling: Attackers May Adapt, Respond | This is a really interesting post* about how many simple solutions to border security fail in the real world. Not everywhere has the infrastructure necessary to upload large datasets to the cloud. Most cloud providers are in not-great jurisdictions for some threat models. Lying to border authorities, even by omission, ends badly. Fact is, the… | Threat
2019-01-23 16:10:02 | Threat Modeling as Code | Omer Levi Hevroni has a very interesting post exploring ways to represent threat models as code. The closer threat modeling practices are to engineering practices already in place, the more impactful it will be, and the more it will be a standard part of delivery. There’s interesting work in both transforming threat modeling thinking into… | Threat
2019-01-10 16:39:01 | IriusRisk 2.0 | I’m excited to be able to share “Announcement: IriusRisk Threat Modeling Platform 2.0 Released.” If you’re looking to scale your enterprise threat modeling program, this is worth a look. | Threat
2019-01-02 21:20:04 | Scaling Threat Modeling Training | For the last few years, I’ve been delivering in-person threat modeling training. I’ve trained groups ranging from 2 to 100 people at a time, and I’ve done classes as short as a few hours and as long as a week. That training is hands on and intense, and I’m very proud that my NPS customer… | Threat ★★
2018-12-12 21:39:03 | Resources for Infosec Skillbuilding | Thanks to the kind folks at Digital Guardian for including my threat modeling book in their list of “The Best Resources for InfoSec Skillbuilding.” It’s particularly gratifying to see that the work is standing the test of time. | Threat
2018-11-15 19:11:00 | Threat Modeling in 2018 (video release) | Blackhat has released all the 2018 US conference videos. My threat modeling in 2018 video is, of course, amongst them. Slides are linked here. | Threat
2018-10-29 15:43:00 | Podcast with Ron Woerner | Ron Woerner had me on as a guest in his business of security podcast series. It was fun to tease out some of the business justifications for threat modeling, and the podcast is now live at itunes. You can learn more about the series at Business of Security Podcast Series. | Threat
2018-10-16 21:19:00 | Measuring ROI for DMARC | I’m pleased to be able to share work that Shostack & Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. In doing this, we created some new threat models for email, and some new statistical analysis of It shows the 1,046 domains that have successfully activated strong protection with GCA's DMARC… | Threat
2018-10-04 17:49:00 | The Architectural Mirror (Threat Model Thursdays) | A few weeks ago, I talked about “reflective practice in threat modeling“, thinking about how we approach the problems we face, and asking if our approaches are the best we can do. Sometimes it’s hard to reflect. It’s hard to face the mirror and say ‘could I have done that better?’ That’s human nature. Sometimes,… | Threat
2018-09-14 11:34:02 | Reflective Practice and Threat Modeling (Threat Model Thursday) | Lately, I’ve been asking what takes threat modeling from a practice to a mission. If you’re reading this blog, you may have seen that some people are nearly mad about threat modeling. The ones who say “you’re never done threat modeling.” The ones who’ve made it the center of their work practice. What distinguishes those… | Threat
2018-08-23 22:55:05 | Threat Model Thursday: Legible Architecture | The image above is the frequency with which streets travel a certain orientation, and it’s a nifty data visualization by Geoff Boeing. What caught my attention was not just the streets of Boston and Charlotte, but the lack of variability shown for Seattle, which is a city with two grids. But then there was this… | Threat
2018-08-13 17:11:04 | Threat Modeling in 2018: Attacks, Impacts and Other Updates | The slides from my Blackhat talk, “Threat Modeling in 2018: Attacks, Impacts and Other Updates” are now available either as a PDF or online viewer. | Threat
2018-07-31 15:56:03 | Summer Reading List | I’m honored to have my threat modeling book on this short list with Daniel Kahneman, Tony Hsieh, Nicole Forsgren, and Tom DeMarco: “Summer Reading List: Top Recommendations from our Engineers.” | Threat
2018-07-30 18:17:05 | CyberSecurity 2.0 Humble Bundle | Cybersecurity 2.0 is a new promo from Humble Bundle. Nearly $800 worth of books, including my Threat Modeling, Schneier’s Secrets and Lies, and a whole lot more! | Threat
2018-07-12 21:52:02 | Threat Modeling Thursday: 2018 | So this week’s threat model Thursday is simply two requests: What would you like to see in the series? What would you like me to cover in my Blackhat talk, “Threat Modeling in 2018?” “Attacks always get better, and that means your threat modeling needs to evolve. This talk looks at what’s new and important… | Threat
2018-07-05 17:10:01 | Threat Model Thursdays: Crispin Cowan | Over at the Leviathan blog, Crispin Cowan writes about “The Calculus Of Threat Modeling.” Crispin and I have collaborated and worked together over the years, and our approaches are explicitly aligned around the four question frame. What are we working on? One of the places where Crispin goes deeper is definitional. He’s very precise about… | Threat Industrial APT 40
2018-06-21 16:21:02 | Threat Model Thursday: Architectural Review and Threat Modeling | For Threat Model Thursday, I want to use current events here in Seattle as a prism through which we can look at technology architecture review. If you want to take this as an excuse to civilly discuss the political side of this, please feel free. Seattle has a housing and homelessness crisis. The cost of… | Threat
Last update at: 2024-07-03 21:08:00