What's new around the internet

Date (GMT) | Title | Description | Tags
2020-06-16 13:38:18 | The Jenga View of Threat Modeling (direct link) | I’m happy to announce Shostack & Associate’s new, first, corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often. I’m excited for a lot of reasons. I care about learning from failure. I love games as teaching tools. But really, I’m excited because the paper has helped the people who read… | Threat
2020-06-14 18:57:14 | Threat Research: More Like This (direct link) | I want to call out some impressive aspects of a report by Proofpoint: TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware. There are many praise-worthy aspects of this report, starting from the amazing lack of hyperbole, and the focus on facts, rather than opinions. The extraordinary lack of adjectives… | Threat
2020-06-12 17:57:33 | Sonatype Report on DevSecOps (direct link) | The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness. But even more important is my belief that to reach developers Star Wars is better than Star Trek is confirmed. No bias there. |
2020-06-09 16:15:37 | Contextualisation of Data Flow Diagrams… (direct link) | Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed: “Abstract: Data flow diagrams (DFDs) are popular for sketching systems for subsequent threat modelling. Their limited semantics make reasoning about them difficult, but enriching them endangers their simplicity and subsequent ease of take up. We present an approach for… | Threat
2020-06-08 23:01:45 | “Best Practices for IoT Security” (direct link) | There’s an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? It’s by Christopher Bellman and Paul C. van Oorschot. The abstract starts: “Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product… |
2020-06-04 20:50:03 | Evidence Based Security (direct link) | As security professionals, have we ever sat down and truly made an effort to empirically determine what controls are actually effective in our environment and what controls do very little to protect our environment or, worse yet, actually work to undermine our security. That’s from The Need for Evidence Based Security, by Chris Frenz, is… |
2020-06-03 17:31:06 | One Bad Apple (direct link) | I generally try to stay on technical topics, because my understanding is that’s what readers want. But events are overwhelming and I believe that not speaking out is now a political choice. I want to start from this Chris Rock video: I hadn’t seen it before, but I have spent a lot of time studying… |
2020-05-28 15:27:39 | SLR as a Webcam (direct link) | As I built out my home studio to record videos for my distributed classes, I was lucky enough to be able to find an in-stock HDMI capture card, but those are harder and harder to find. As it turns out, you may be able to avoid the need for that with a mix of apps.… |
2020-05-26 14:46:34 | Code: science and production (direct link) | There’s an interesting article by Phil Bull, “Why you can ignore reviews of scientific code by commercial software developers”. It’s an interesting, generally convincing argument, with a couple of exceptions. (Also worth remembering: What We Can Learn From the Epic Failure of Google Flu Trends.) The first interesting point is the difference between production code… |
2020-05-20 14:53:28 | How Are Computers Compromised (2020 Edition) (direct link) | Understanding the way intrusions really happen is a long-standing interest of mine. This is quite a different set of questions compared to “how long does it take to detect,” or “how many records are stolen?” How the intrusion happens is about questions like: Is it phishing emails that steal creds? Email attachments with exploits? SQL… |
2020-05-14 19:29:40 | Models and Accuracy (Threat Modeling Thursday) (direct link) | For Threat Model Thursday, I want to look at models and modeling in a tremendously high-stakes space: COVID models. There are a lot of them. They disagree. Their accuracy is subject to a wide variety of interventions. (For example, few disease models forecast a politicized response to the disease, or a massively inconsistent response within… | Threat
2020-05-13 19:55:09 | NCSC on Good Architecture Diagrams (direct link) | The UK’s National Computer Security Center has a blog post on Drawing good architecture diagrams. |
2020-05-11 17:33:38 | SDL Article in CACM (direct link) | Most of my time, I’m helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we’re early in developing the science around how to build an SDL that works. That’s why I spend time working with academics who can objectively study what we’re working… |
2020-05-08 17:26:36 | Bounce and Range (direct link) | I want to talk about two books: Bounce, by Matthew Syed and Range, by David Epstein. I want to talk about them together in part because Range is explicitly framed as a response to Bounce. Bounce is focused on the relationship between talent and training. Syed starts with a discussion of ping pong stars, and… |
2020-05-04 17:57:51 | The World Needs Hope (direct link) | A New Hope, even! Happy Star Wars Day! |
2020-04-23 16:45:26 | Threat Model Thursday: Data Flow Diagrams (direct link) | This week’s threat model Thursday looks at an academic paper, Security Threat Modeling: Are Data Flow Diagrams Enough? by Laurens Sion and colleagues. The short (4 page), readable paper looks at the strengths and weaknesses of forms of DFDs, and what we might achieve with variations on the form and different investments of effort. I… | Threat
2020-04-14 20:27:45 | Worthwhile Books (Q1 2020) (direct link) | These are the books I read in the first quarter (and forgot to mention last quarter) that I think are worth your time. Cyber Secrets of a Cyber Security Architect, by Brook S. E. Schoenfield. I was honored to write the Foreword, and think there’s a great deal of hard-won wisdom. Sandworm, by Andy Greenberg.… |
2020-04-02 20:58:13 | Power Dynamics in Threat Modeling (direct link) | On Linkedin, Peter Dowdall had a very important response to my post on remote threat modeling. Because comments on Linkedin are a transient resource, I’m going to quote heavily: The team here ran a session with people in the same room using Miro (maybe 1 remote) and we found it stripped the barriers of either… | Threat
2020-03-30 15:40:37 | Answering “What Are We Working On” When Remote (direct link) | Practicing physical distancing has already dramatically changed how we work, and will continue to do so. Being physically distant means we can’t use a whiteboard to help us talk through “what are we working on?” There are technical facets of threat modeling, like using visual models to show and scope “what are we working on?”… | Threat
2020-03-26 16:37:24 | Medical Device Threat Modeling (direct link) | Threat modeling figures heavily in the FDA’s thinking. It’s been part of the first cybersecurity pre-market guidance, it was a big part of the workshop on ‘content of premarket submissions,’ etc. There have been lots of questions about how to make that happen. I’ve been working with the FDA and the MDIC, and we have… | Threat
2020-03-23 18:14:16 | The COVID Pandemic (direct link) | I know many readers are here for the threat modeling, and I could claim that this is the “what are we going to do about it” post, which it is, but I don’t want to have to blog all threat modeling all the time. So this is the “Seattle is a month into COVID-19” post.… | Threat
2020-03-19 17:56:01 | Threat Modeling with Questionnaires (direct link) | This post comes from a conversation I had on Linkedin with Clint Gibler. He wrote: One challenge I’ve heard from a number of companies is that, with say 3-5 AppSec engineers supporting 500 – 1000 devs, you can’t TM every story, or even every epic. So what do you focus on? The high risk /… | Threat
2020-03-17 16:15:46 | Free Threat Modeling Training (direct link) | The current situation is scary and anxiety-provoking, and I can’t do much to fix that. One thing I can do is give people a chance to learn, and so I’m making my Linkedin Learning classes free this week. (I’m told that each class is free for the day, so you’ll need to watch each within… | Threat
2020-03-05 16:36:17 | Amazon’s “Alexa Built-in” Threat Model (direct link) | Amazon has released a set of documents, “Updates to Device Security Requirements for Alexa Built-in Products.” I want to look at these as a specific way to express a threat model, which is threat modeling along the supply chain, talk about the proliferation of this different kind of model, and what it means for engineering.… | Threat
2020-03-02 17:01:27 | Threat Modeling Training at Blackhat 2020 (direct link) | At Blackhat this summer, I’ll be offering threat modeling training at Blackhat. Last year, these sold out quickly, so don’t wait! This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start threat modeling early on day 1, followed by an understanding of traps that they… | Threat
2020-02-27 16:15:18 | Threat Model Thursday: BIML Machine Learning Risk Framework (direct link) | The Berryville Institute of Machine Learning (BIML) has released “An Architectural Risk Analysis of Machine Learning Systems.” This is an important step in the journey to systematic, structured, and comprehensive security analysis of machine learning systems, and we can contrast it with the work at Microsoft I blogged about last month. As always, my goal… | Threat
2020-02-26 16:37:17 | Blackhat and Human Factors (direct link) | As a member of the BlackHat Review Board, I would love to see more work on Human Factors presented there. Over the past few years, we've developed an interesting track with good material year over year. The 2020 call for papers is open and closes April 6th. I wrote a short blog post on what… |
2020-02-11 16:13:57 | Repudiation Now Live on Linkedin Learning (direct link) | My course, “Repudiation in Depth” is now live on Linkedin Learning. This is the fourth course I’ve created, starting with “Learning Threat Modeling”, and courses on “spoofing”, “tampering”, and now, repudiation. (You can probably see where this is going, and I’m making great strides towards the goal. Sorry not sorry.) I’d say it’s not my… | Threat
2020-02-06 22:12:39 | Threat Model Thursday: Games (direct link) | For reasons I can’t quite talk about yet, this has been a super busy time, and I look forward to sharing the exciting developments that have kept me occupied. In the meantime, my friends at Agile Stationery have transcribed a talk that Mark Vinkovits and I gave at AppSec Cali last year. Their posts are… | Threat
2020-01-23 01:37:24 | Threat Model Thursday: Files (direct link) | There’s a fascinating talk by Dan Luu, “Files are Fraught With Peril.” The talk itself is fascinating, in a horrifying, nothing works, we’re going to give up and raise goats now sort of way. He starts from the startling decision of Dropbox to drop support for all Linux filesystems except Ext4. This surprising decision stems… | Threat
2020-01-16 15:00:38 | Cryptographic Excitement (direct link) | In the last few days, we’ve seen two big stories in the realm of cryptography. The first is that SHA-1 breaks are now practical, and those practical breaks impact things like PGP and git. If you have code that depends on SHA-1, it’s time to fix that. If you have a protocol that uses SHA1,… |
2020-01-15 19:44:52 | Enter the SpudNet (direct link) | Spudnet is a new game to teach networking and security concepts. The creators were kind enough to send me a pre-production copy, and I can tell you – it looks and feels super solid, and, more importantly, it plays well. The Kickstarter has already met its goals, and while all Kickstarters have risk, the creators… |
2020-01-12 08:19:45 | 100,00 Moon Shots (direct link) | Andrew McCarthy has amazing and impressive photographs of the moon on Instagram. To call these photographs is somewhat provocative. In his trilogy, Ansel Adams focuses (sorry! Not sorry) on the camera, the negative, and the print. In The Negative, he specifically discusses exposing film to light in controlled ways that caused chemical reactions on… |
2020-01-09 23:49:30 | Threat Modeling Thursday: The Human Element (direct link) | Today’s Threat Modeling Thursday is a podcast! I’m on The Humans of InfoSec Podcast, with Caroline Wong: The Human Element of Threat Modeling. | Threat
2020-01-02 17:08:20 | Threat Modeling Thursday: Machine Learning (direct link) | For my first blog post of 2020, I want to look at threat modeling machine learning systems. Microsoft recently released a set of documents including “Threat Modeling AI/ML Systems and Dependencies” and “Failure Modes in Machine Learning” (the latter also available in a more printer-friendly version at arxiv.). These build on last December’s “Securing the… | Threat
2019-12-30 19:33:25 | Echo, Threat Modeling and Privacy (direct link) | I’m featured in (local NPR Affiliate) KUOW’s Primed: Season 3, Episode 8. I appreciate how the sense of fun that many security people bring to their work comes through. For me, it was fun learning about how Elevation of Privilege works for non-techies. (Spoiler: not super-well, you need to select the cards pretty carefully. Maybe… | Threat
2019-12-13 23:06:38 | Star Wars Episode 9 is a week away! (direct link) | Emily Asher-Perrin has some of the most interesting writing on the Star Wars universe. I like her analysis of where Rey may come from in Rey Should Choose to Adopt the Skywalker Name, Not Be Retconned Into the Family. I half look forward to the day when Disney assimilates her into the official writing team.… |
2019-12-11 18:10:41 | Encryption & Privacy Policy and Technology (direct link) | The Open Technology Institute has an Open Letter to Law Enforcement in the U.S., UK, and Australia: Weak Encryption Puts Billions of Internet Users at Risk. (press release, letter.) I am pleased to be one of the signers. In closely related news, nominations for the 2020 Caspar Bowden Award for Outstanding Research in Privacy Enhancing… |
2019-12-07 16:48:24 | Empirical Evaluation of Secure Development Processes (direct link) | Earlier this year, I helped to organize a workshop at Schloss Dagstuhl on Empirical Evaluation of Secure Development Processes. I think the workshop was a tremendous success, we’ve already seen publications inspired by it, such as Moving Fast and Breaking Things: How to stop crashing more than twice, and I know there’s more forthcoming. I’m… |
2019-12-03 04:54:25 | Goodbye, Feedburner (direct link) | Over the years, a number of people set up Feedburner accounts to proxy RSS from our blogs into their system. I generally have no issue with people reading how they choose, but I cannot provide support or management. Google is end-of-lifing the old Feedburner, and for those of you reading via Feedburner RSS,… |
2019-12-01 15:47:12 | Books Worth Your Time (Q4) (direct link) | Cyber The Huawei and Snowden Questions, by Olav Lysne is a deep dive into what happens when an untrusted vendor builds your trusted computing base, and more importantly, why a great many of the “obvious” ways to address those risks are subject to easy work-arounds. This is unhappy news for Huawei, but more importantly, as… |
2019-11-30 17:50:13 | The Gavle Goat is up (direct link) | For 51 years, the gallant people of Gavle, Sweden, have been putting up a straw goat, and arsonists have been burning it. Apparently, they didn’t have Twitter back then, and needed alternate ways to get into flame wars. Previously: Gavle Goat at Shostack & Friends. |
2019-11-26 21:34:00 | Han Solo, Frozen in Carbonite (direct link) | Apparently, someone was baked at Williams Sonoma. |
2019-11-14 00:16:28 | Managed Attribution Threat Modeling (direct link) | The more I learn about threat modeling, the more I think the toughest part is how we answer the question: “What can go wrong?” Perhaps that’s “finding threats.” Maybe it’s “discovering” or “eliciting” them. Maybe it’s analogizing from threats we know about. I’m not yet even sure what to call it. But what it does… | Threat
2019-11-06 11:15:00 | Message Sequence Charts (direct link) | I was not aware that the ITU had formalized swim lane diagrams into Message Sequence Charts. While you don’t need to use these formalizations, the choices they made, and the comparisons to UML’s diagrams can be interesting, especially if there are tricky corners where you’re having trouble modeling some flow. For example, “They work particularly… |
2019-11-02 00:15:53 | Medical Device Security Standards (direct link) | Recently, I’ve seen four cybersecurity approaches for medical devices, and we can learn by juxtaposing them. The Principles and Practices for Medical Device Cybersecurity is a process-centered and comprehensive document from the International Medical Device Regulators Forum. It covers pre- and post-market considerations, as well as information sharing and coordinated vuln disclosure. It’s important… |
2019-10-31 03:10:27 | Includes No Dirt: Healthcare Threat Modeling (Thursday) (direct link) | “Includes No Dirt” is a threat modeling approach by William Dogherty and Patrick Curry of Omada Health, and I’ve been meaning to write about it since it came out. I like that it starts from context — the why this matters: Their goal is to have a single approach to security, privacy, and compliance. Reducing… | Threat
2019-10-28 16:07:10 | Interesting finds: Liberalism, machine learning, encryption and learning (direct link) | The Economist Reflects on Liberalism is the sort of in-depth writing and thinking that makes the magazine so great: “Reinventing Liberalism for the 21st century.” Evading Machine Learning Malware Classifiers, from the winner of the Defcon Machine Learning Static Evasion Competition. The general counsel of the NSA and former general counsel of the FBI have… | Malware
2019-10-23 16:21:07 | Who Are We Kidding with Attacker-Centered Threat Modeling? (direct link) | I’ve spoken for over a decade against “think like an attacker” and the trap of starting to threat model with a list of attackers. And for my threat modeling book, I cataloged every serious grouping of attackers that I was able to find. And as I was reading “12 Ingenious iOS Screen Time Hacks,” I… | Threat
2019-10-15 13:21:25 | Interesting Reads: Risk, Automation, lessons and more! (direct link) | The Cybok project has released its v1 “Risk Management & Governance Knowledge Area”; I was a reviewer. Towards Automated Security Design Flaw Detection is an interesting paper from academics in Belgium and Sweden. Steve Lipner offers “Lessons learned through 15 years of SDL at work”. Charles Wilson has perspective on threat modeling devices in “Does… | Threat
Last update at: 2024-05-03 00:07:47