What's new around the internet


Date (GMT) | Title | Description | Tags | Notes
2019-10-09 15:17:25 | Quick Threat Model Links October 2019 | Trail of Bits released a threat model for Kubernetes. There’s some context from Aaron Small, who made the project happen. Continuum has a blog and a spreadsheet on threat modeling lambdas (as a category, not specific to Amazon Lambda), and also a post on threat modeling with CAPEC. Ntrepid has released a blog post on… | Threat, Uber
2019-10-02 15:27:50 | OWASP Portland: Talk and Podcast | Podcast with me by OWASP’s Portland, Oregon Chapter in advance of me speaking at their meeting October 9. You can…
2019-09-18 15:31:07 | Interesting reads | There were widely circulated reports of voice cloning being used in phishing. I’ve been predicting these for a while (Threat…
2019-09-11 02:56:05 | Capture the Flag events and eSports | Looking at what is popular with smaller niche crowds can give greater insight into the “next thing”. This natural selection…
2019-09-10 15:57:02 | Course announcement: Tampering in Depth! | I’m excited to announce that I’m hitting my STRIDE and LinkedIn has released the second course in my in-depth exploration of STRIDE: Tampering. I’m finding it fascinating to dive deep into the threats, organize my knowledge, and in doing so, hopefully help us chunk and remember what we’re learning.
2019-09-04 00:15:05 | Threat Modeling Building Blocks | Threat modeling isn’t one task - it’s a collection of tasks that build on each other to produce more valuable insights. One of the values of the four question frame is that it lets us reduce things into smaller, more assessable building blocks. And in that vein, there are a couple of new, short (4-page),… | Threat
2019-08-21 17:11:02 | Interesting Reads, August 19 | If you needed more reasons to move away from using SMS-based authentication, and treating phone companies as trusted, “AT&T employees took over $1 million in bribes to plant malware and unlock millions of smartphones: DOJ“. Abuse reporting systems are being abused. You need to threat model and play the chess game. “How Flat Earthers Nearly… | Malware, Threat
2019-08-15 18:17:00 | Training At Embedded Systems Security Days | I’m excited to be teaming up with Alpha Strike and Limes Security to deliver training in Vienna November 6-8. Details are available at Embedded Systems Security Days.
2019-07-30 22:40:02 | Actionable Followups from the Capital One Breach | Alexandre Sieira has some very interesting and actionable advice from looking at the Capital One Breach in “Learning from the July 2019 Capital One Breach.” Alex starts by saying “The first thing I want to make clear is that I sympathize with the Capital One security and operations teams at this difficult time. Capital One…
2019-07-26 19:03:04 | Valuing CyberSecurity Research Datasets | There was a really interesting paper at the Workshop on the Economics of Information Security. The paper is “Valuing CyberSecurity Research Datasets.” The paper focuses on the value of the IMPACT data sharing platform at DHS, and how the availability of data shapes the research that’s done. On its way to that valuation, a very…
2019-07-20 14:50:05 | Happy Apollo Day! | Today is the 50th Anniversary of “One small step for a man, one giant leap for mankind.” It’s an event worth celebrating, in the same way we celebrate Yuri’s Night. The holy days — the holidays — that we celebrate say a great deal about us. They shape who we are. The controversies that emerge…
2019-07-15 01:00:01 | Books Worth Reading: Q2 2019 (Apollo Edition) | A Man on the Moon, Andrew Chaikin is probably the best of the general histories of the moon landings. Failure is not an Option, by Gene Kranz, who didn’t actually say that during Apollo 13. Marketing The Moon by David Scott and Richard Jurek. I was surprised what a good history this was, and how…
2019-07-12 15:50:01 | Threat Modeling at Layer 8 | Conflict online — bullying, trolling, threats and the like are everywhere. The media coverage is shifting from “OMG what are we doing about this?!” to “Wow, this is really hard.” (Ayup) I’ve been exploring how to engineer for these problems, and I joined Chris Romeo and Robert Hurlbut to talk about it on the AppSec… | Threat
2019-07-11 17:39:00 | NIST on SDLs | There’s a new draft available from NIST, “Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF).” They are accepting comments through August 5th.
2019-07-08 18:15:04 | Safety and Security in Automated Driving | “Safety First For Automated Driving” is a big, over-arching whitepaper from a dozen automotive manufacturers and suppliers. One way to read it is that those disciplines have strongly developed safety cultures, which generally do not consider cybersecurity problems. This paper is the cybersecurity specialists making the argument that cyber will fit into safety, and how…
2019-07-05 20:51:03 | The Road to Mediocrity | Google Docs has chosen to red-underline the word “feasible,” which, as you can see, is in its dictionary, to suggest “possible.” “Possible,” possibly, was not the word I selected, because it means something different. Good writing is direct. Good writing respects the reader. Good writing doesn’t tax the reader accidentally. It uses simple words when…
2019-07-04 16:56:03 | The Unanimous Declaration of the Thirteen United States of America | (Reading the Declaration of Independence is a useful reminder of why we chose to dissolve the political bands that connected us to another. It’s not about jingoism, or the results of a plebiscite, but about a “long train of abuses and usurpations, pursuing invariably the same Object,” and the proper response to such acts.) In…
2019-06-26 16:17:02 | Passwords Advice | Bruce Marshall has put together a comparison of OWASP ASVS v3 and v4 password requirements: OWASP ASVS 3.0 & 4.0 Comparison. This is useful in and of itself, and is also the sort of thing that more standards bodies should do, by default. It’s all too common to have a new standard come out without…
2019-06-19 22:32:02 | Happy Juneteenth! | Juneteenth is the celebration of the end of slavery in the US. We should have more holidays that celebrate freedom for the sake of freedom. So happy Juneteenth, everyone!
2019-06-13 15:11:02 | DNS Security | I’m happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance. They asked us to look at the value of DNS security, such as when your DNS provider uses threat intel to block malicious sites. It’s surprising how effective it is for… | Threat
2019-06-07 05:22:04 | When security goes off the rails | New at Dark Reading, my When Security Goes Off the Rails, Cyber can learn a lot from the highly regulated world of rail travel. The most important lesson: the value of impartial analysis. (As I watch the competing stories, “Baltimore City leaders blame NSA for ransomware attack,” and “N.S.A. Denies Its Cyberweapon Was Used… | Ransomware, Guideline
2019-05-29 20:33:01 | Polymorphic Warnings On My Mind | There’s a fascinating paper, “Tuning Out Security Warnings: A Longitudinal Examination Of Habituation Through fMRI, Eye Tracking, And Field Experiments.” (It came out about a year ago.) The researchers examined what happens in people’s brains when they look at warnings, and they found that: Research in the fields of information systems and human-computer interaction has…
2019-05-13 17:03:05 | Promoting Threat Modeling Work | Quick: are all the flowers the same species? People regularly ask me to promote their threat modeling work, and I’m often happy to do so, even when I have questions about it. There are a few things I look at before I do, and I want to share some of those because I want to… | Threat | ★★
2019-05-07 16:20:02 | Testing Building Blocks | There are a couple of new, short (4-page), interesting papers from a team at KU Leuven including: Knowledge is Power: Systematic Reuse of Privacy Knowledge for Threat Elicitation; A Comparison of System Description Models for Data Protection by Design. What makes these interesting is that they are digging into better-formed building blocks of threat modeling,… | Threat | ★★★★
2019-05-04 17:34:03 | Episode 9 Spoilers | Today is the last Star Wars Day before Episode 9 comes out, and brings the Skywalker saga to its end. Film critics have long talked about how Star Wars is about Luke’s Hero’s Journey, or the core trilogy is about his relationship to his father, but they’re wrong. Also, I regularly say that Star Wars…
2019-04-30 15:01:04 | Workshop on Serious Games for Cyber Security | Heriot-Watt University in Scotland is hosting a “Workshop on Serious Games for Cyber Security,” May 21-22.
2019-04-24 21:41:00 | 3 Arguments for Threat Modeling | There’s a great post from my friends at Continuum, “Three Killer Arguments for Adopting Threat Modeling.” Their arguments are “Threat Modeling Produces Measurable Security,” “Threat Modeling Done Right Encourages Compliance,” and “Threat Modeling Saves You Money.” (Actually, they have 6.) | Threat
2019-04-10 14:48:05 | The White Box Essays (Book Review) | The White Box, and its accompanying book, “The White Box Essays” are a FANTASTIC resource, and I wish I’d had them available to me as I designed Elevation of Privilege and helped with Control-Alt-Hack. The book is for people who want to make games, and it does a lovely job of teaching you how, including…
2019-04-09 16:59:02 | Science of Security, Science for Security | There’s an interesting article in Bentham’s Gaze, “Science ‘of’ or ‘for’ security?” It usefully teases apart some concepts, and, yes, it probably is consistent with the New School.
2019-04-08 17:14:04 | 'No need' to tell the public(?!?) | When Andrew and I wrote The New School, and talked about the need to learn from other professions, we didn’t mean for doctors to learn from ‘cybersecurity thought leaders’ about hiding their problems: …Only one organism grew back. C. auris. It was spreading, but word of it was not. The hospital, a specialty lung and… | Guideline
2019-04-06 19:36:02 | Hayabusa! | Congratulations to the Hayabusa2 mission team, who flew to an asteroid, dropped multiple rovers, an impactor and a separate camera satellite to observe the impactor. The Hayabusa2 then flew around, to the far side of the asteroid to avoid ejecta from the impactor. In a few weeks, Hayabusa2 will probably land, collect more samples and…
2019-04-05 17:56:03 | Books Worth Your Time (Q1 2019) | Cyber: Making Software, “What Really Works, and Why We Believe It” by Andy Oram and Greg Wilson. This collection of essays is a fascinating view into the state of the art in empirical analysis of software engineering. Agile Application Security by Laura Bell, Michael Brunton-Spall, Rich Smith and Jim Bird. A really good overview of the…
2019-04-02 16:02:00 | Leave Those Numbers for April 1st | “90% of attacks start with phishing!*” “Cyber attacks will cost the world 6 trillion by 2020!” We’ve all seen these sorts of numbers from vendors, and in a sense they’re April Fools day numbers: you’d have to be a fool to believe them. But vendors quote insane numbers because there’s no downside and much upside. We…
2019-04-01 16:31:03 | 20 Years of STRIDE: Looking Back, Looking Forward | Today, let me contrast two 20-year-old papers on threat modeling. My first paper on this topic, “Breaking Up Is Hard to Do,” written with Bruce Schneier, analyzed smart-card security. We talked about categories of threats, threat actors, assets - all the usual stuff for a paper of that era. We took the stance that “we… | Threat
2019-03-22 21:04:03 | Cybersecurity is not very important | “Cybersecurity is not very important” is a new paper by the very smart Andrew Odlyzko. I do not agree with everything he says, but it’s worth reading and pondering if and why you disagree with it. I think I agree with it more than I disagree.
2019-03-19 16:25:03 | Threat Modeling in 2019 | RSA has posted a video of my talk, “Threat Modeling in 2019.” | Threat
2019-03-18 16:09:05 | India's Intermediary Guidelines | I’ve signed on to Access Now’s letter to the Indian Ministry of Electronics and Information Technology, asking the Government of India to withdraw the draft amendments proposed to the Information Technology (Intermediary Guidelines) Rules. As they say in their press release: Today's letter, signed by an international coalition of 31 organizations and individuals, explains how…
2019-03-14 14:28:02 | Happy Pi Day! | There are only a few times to use a pie chart, but to help you celebrate, here’s how to keep track of your intake:
2019-03-13 18:24:05 | A Seat At The Table (AppSecCali) | The fine folks at AppSecCali have posted videos, including my talks, A Seat At The Table, and Game On! Adding Privacy to Threat Modeling – Adam Shostack & Mark Vinkovits | Threat
2019-03-11 21:37:01 | Facebook's Privacy Constitution | Bruce Schneier and I wrote an article on Facebook’s privacy changes: “A New Privacy Constitution for Facebook.”
2019-02-28 19:08:02 | Spoofing in Depth | I’m quite happy to say that my next LinkedIn Learning course has launched! This one is all about spoofing. It’s titled “Threat Modeling: Spoofing in Depth.” It’s free until at least a week after RSA. Also, I’m exploring the idea that security professionals lack a shared body of knowledge about attacks, and that an entertaining…
2019-02-28 18:59:03 | Adam @ RSA | At RSA, I’ll be speaking 3 times at the conference, and once at a private event for Continuum: “2028 Future State: Long Live the Firewall?” with Jennifer Minella, Harry Sverdlove and Marcus Ranum. March 5 | 1:00 PM – 1:50 PM | Moscone West 3001. Threat modeling brunch with IriusRisk, March 6 | 10 –… | Threat
2019-02-24 19:40:05 | What Should Training Cover? | Chris Eng said “Someone should set up a GoFundMe to send whoever wrote the hit piece on password managers to a threat modeling class.” And while it’s pretty amusing, you know, I teach threat modeling classes. I spend a lot of time crafting explicit learning goals, considering and refining instructional methods, and so when a… | Threat
2019-02-20 18:57:03 | A Cybersecurity Moon Shot | “Making the Case for a Cybersecurity Moon Shot” is my latest, over at Dark Reading. “There’s been a lot of talk lately of a cybersecurity moon shot. Unfortunately, the model seems to be the war on cancer, not the Apollo program. Both are worthwhile, but they are meaningfully different.”
2019-02-16 22:54:00 | Dolphins and Pufferfish | Apparently, “Dolphins Seem to Use Toxic Pufferfish to Get High.” Of course, pufferfish toxins are also part of why the fish is a delicacy in Japan. It just goes to show that nature finds its own, chaotic, uses for things.
2019-02-14 18:47:00 | 55 5 ⭐ Reviews? | I’m getting ready for the 5-year anniversary of my book, “Threat Modeling: Designing for Security.” As part of that, I would love to see the book have more than 55 5 ⭐ reviews on Amazon. If you found the book valuable, I would appreciate it if you could take a few minutes to write a…
2019-02-13 16:31:03 | Podcast: DevSecOps | I did a podcast with Mark Miller over at DevSecOps Days. It was a fun conversation, and you can have a listen at “Anticipating Failure through Threat Modeling w/ Adam Shostack.” | Threat
2019-02-10 00:31:02 | The Queen of the Skies and Innovation | The Seattle Times has a story today about how “50 years ago today, the first 747 took off and changed aviation.” It’s true. The 747 was a marvel of engineering and luxury. The book by Joe Sutter is a great story of engineering leadership. For an upcoming flight, I paid extra to reserve an upper… | Guideline
2019-02-06 23:36:00 | Nature and Nurture in Threat Modeling | Josh Corman opened a bit of a can of worms a day or two ago, asking on Twitter: “pls RT: who are the 3-5 best, most natural Threat Modeling minds? Esp for NonSecurity people. @adamshostack is a given.” (Thanks!) What I normally say to this is I don’t think I’m naturally good at finding replay… | Threat
2019-02-04 18:20:00 | “Fire Doesn't Innovate” by Kip Boyle (Book Review) | I hate reviewing books by people I know, because I am a picky reader, and if you can’t say anything nice, don’t say anything at all. I also tend to hate management books, because they often substitute jargon for crisp thinking. So I am surprised, but, here I am, writing a review of Kip Boyle’s…
Last update at: 2024-05-03 02:07:39