What's new around the internet


Date (GMT) | Title | Description | Tags | Notes
2021-09-02 23:38:04 | Turning off the lights? | Soon, soon we’ll turn off the lights, migrate these posts, and have everything at our shiny new blog at https://shostack.org/blog. And if you’re seeing this in an RSS feed, please update to https://shostack.org/feed.xml. And by the way, you’ll know you’re in the right place when you see new content about threat modeling and the JoHari… | Threat |
2021-08-23 23:24:42 | Blog updates | I’m in the process of replacing this site, threatmodelingbook.com, and the associates.shostack.org site with a new, unified https://shostack.org. I’ll be saying more about the redesign, but as part of it, I’m migrating the blog over there. There are a few new posts there that I forgot to mirror here, including: Threat Modeling Through the JoHari… | Threat |
2021-07-15 18:21:37 | Threat Model Thursday: NIST's Code Verification Standard | Earlier this week, NIST released a Recommended Minimum Standard for Vendor or Developer Verification of Code. I want to talk about the technical standard overall, the threat modeling component, and what the standard means now and in the future. To summarize: new requirements are coming to a project near you, and getting ready now… | Threat |
2021-07-13 15:14:36 | Collaboration in Threat Modeling | It’s the latest in the World’s Shortest Threat Modeling videos! Also, I set up https://bit.ly/adam-yt to make it easy to find my Youtube channel. | Threat |
2021-07-07 15:32:06 | Sketching to Answer “What Are We Working On?” | The latest in the World’s Shortest Threat Modeling Videos: | Threat |
2021-07-01 21:43:24 | Threat Model Thursday: 5G Infrastructure | The US Government’s lead cybersecurity agencies (CISA, NSA, and ODNI) have released an interesting report, Potential Threat Vectors To 5G Infrastructure. (Press release), and I wanted to use this for a Threat Model Thursday, where we take a respectful look at threat modeling work products to see what we can learn. The first thing I… | Threat, Guideline | ★★★
2021-06-28 16:49:16 | Applied Threat Modeling at Blackhat 2021! | At Blackhat USA, I’ll be teaching Applied Threat Modeling. This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start threat modeling early on the first day and then go deep into each of the four questions: what are we working on, what can go wrong,… | Threat |
2021-06-23 15:26:23 | Why Threat Model? | The second video in my 60 second series! | Threat |
2021-06-19 15:28:50 | Juneteenth: A New Federal Holiday | I’m thrilled that Juneteenth will be a Federal holiday. We need more holidays that celebrate freedom, and there are few events that increase freedom as much as emancipating people who were enslaved. That is, freeing them from the threat violence would be used against them, and they would have no recourse. The United States also needs… | Threat |
2021-06-17 15:53:51 | Fast threat modeling videos | I’m exploring the concept of very fast threat modeling videos, and have posted the first one. Feedback welcome! | Threat |
2021-06-15 16:12:47 | “Not in my threat model”? | You know what’s not in my threat model? A meteor hitting a volcano… And that’s ok! Your threat modeling should be focused on the threats that are likely to impact your systems. So unless your system is your evil supervillain volcano lair, a meteor is likely out of scope. And unless you have giant space lasers,… | Threat |
2021-05-20 20:47:56 | Using Threat Modeling to Improve Compliance (TM Thursday) | Threat model Thursday is not just back, but live again! This week is my Using Threat Modeling to Improve Compliance at RSAC 2021. The video replay is available if you have an RSA pass, and the slides are available to all. | Threat |
2021-04-29 23:51:50 | Threat Model Thursday: Technology Consumers | There’s an interesting paper, 'It depends on your threat model': the anticipatory dimensions of resistance to data-driven surveillance. The author critiques ‘anticipatory data practices’, a collection of techniques that include my own work, as presented to civil society activists. It opens “While many forms of data-driven surveillance are now a 'fact' of contemporary life amidst… | Threat |
2021-04-22 17:34:48 | IoT Security & Threat Modeling | There’s a new report out from the UK Government, The UK Code of Practice for Consumer IoT Security. One of the elements I want to draw attention to is: The use of IoT devices by perpetrators of domestic abuse is a pressing and deeply concerning problem that is largely hidden from view. Collecting data (and… | Threat |
2021-04-16 00:01:21 | Thursday Threat Model: Github's Approach | A bunch of people recently asked me about Robert Reichel’s post “How We Threat Model,” and I wanted to use it to pick up on Threat Model Thursdays, where I talk about process and practices. My goal is always to build, and sometimes that involves criticism. So let me start by saying I like the… | Threat | ★★★
2021-04-13 17:14:43 | Can Training Work Remotely? | I get this question a lot: Can distributed/remote training work as well as in person? Especially for threat modeling, where there’s a strong expectation that training involves whiteboards. (I remember one course in particular, about 15 minutes in, the buyer said: “Let’s get to the whiteboards already!”) And there’s no doubt: people learn by doing.… | Threat |
2021-03-30 20:00:08 | Threat Modeling Classes | I have been lucky through these unprecedented and challenging times, and I’m grateful to have avoided many of the awful problems that others have faced. In my own little way, I spent a lot of time worried that delivering threat modeling training was only possible with us in the same room together. Through the pandemic,… | Threat |
2021-02-23 22:31:42 | Linkedin Learning | I am very excited to announce that Linkedin Learning has released “Threat Modeling: Denial of Service and Elevation of Privilege.” This is the sixth course I’ve done with them, and completes a cycle which starts with “Learning Threat Modeling for Security Professionals,” and then steps through each of the STRIDE threats in depth. (We combined… | Threat |
2021-02-15 16:43:52 | “Better OKRs Through Threat Modeling” | Abhay Bhargav has a really excellent post on Better OKRs for Security through Effective Threat Modeling. I really like how he doesn’t complain about the communication issues between security and management, but offers up a concrete suggestion for improvement. Key quote: “Effective Threat Modeling by itself can ensure that your OKRs and AppSec Program are… | Threat |
2021-01-28 20:07:08 | Threat Modeling and Social Issues | For Data Breach Today, I spoke with Anna Delaney about threat modeling for issues that are in the news right now: “Does your organization have a plan in place if one of your employees is accused via Twitter of being an insurrectionist? If your software was being used to spread plans for a riot, could… | Data Breach, Threat |
2021-01-10 22:21:45 | Humble Bundle: Good, Cheap Books | There’s a humble bundle out that includes my Threat Modeling: Designing for Security, The Shellcoders Handbook, Practical Reverse Engineering, The Art of Intrusion, Social Engineering, Crypto Engineering, a nearly complete set of Bruce Schneier, and more! And your donations benefit EFF! The deal is good through Monday morning at 11 Pacific. https://www.humblebundle.com/books/cybersecurity-cryptography-wiley-books | Threat |
2020-12-16 19:47:38 | The Asset Trap | As we look at what’s happened with the Russian attack on the US government and others via Solarwinds, I want to shine a spotlight on a lesson we can apply to threat modeling. An example of asset-driven thinking leads the article Hack may have exposed deep US secrets; damage yet unknown. And I don’t want… | Hack, Threat, Guideline |
2020-12-15 16:49:58 | Elevation of Privilege In a Time of Cholera, Redux | I had not seen Threat modelling at the FT. In it, Lisa Fiander and Costas K share their experiences with Elevation of Privilege played remotely. It’s a pleasant surprise to see how well EoP works in this remote world. I’d written about and then done a session with Agile Stationery; seeing independent reports is great! | Threat |
2020-11-25 15:52:52 | It's Not Working! | As we launched the threat modeling manifesto, we ran into some trouble with TLS. Some of you even reported those troubles, by saying “it’s not working.” Thanks. That’s so helpful. Sarcasm aside, there’s a basic form to a helpful bug report: “I did A, and observed B.” If you want to make it really useful,… | Threat |
2020-11-17 17:28:45 | A Threat Modeling Manifesto | There’s a threat modeling manifesto being released today by a diverse set of experts and advocates for threat modeling. We consciously modeled it after the agile manifesto and it’s focused on values and principles. Also, there’s a podcast that gives you a chance to listen, behind-the-scenes at The Threat Modeling Manifesto – Part 1. | Threat |
2020-10-07 17:17:24 | Training: Threat Modeling for Security Champions | I haven’t talked about it much, but I spent the first few months of the pandemic learning how to deliver effective training in a distributed (online) model. I’m really proud that our distributed class NPS customer satisfaction scores are now comparable to our in-person classes. Also it’s been a lot of hard work, and in… | Threat |
2020-09-24 22:48:42 | A PCI Threat Model | The reason I hate compliance programs is because they’re lists of things we need to do, and many times, those things don’t seem to make a great deal of sense. In threat modeling, I talk about the interplay between threats, controls, and requirements, and I joke that “a requirement to have a control absent any… | Threat |
2020-09-23 14:10:06 | Mentions | I joined Vin Nelsen for the Multi-Hazards podcast. If you’re looking for me to go beyond the bounds of technology threat modeling, this was an interesting, far-ranging conversation about the state of the world. He also creates a study guide per episode - don’t miss the subtly labeled pdf there. I didn’t join in Security… | Threat |
2020-09-17 18:52:35 | Starting Threat Modeling: Focused Retrospectives are Key | There’s a good, long article at MartinFowler.com “A Guide to Threat Modelling for Developers.” It’s solid work and I’m glad it’s out there. And I want to do something I don’t usually do, which is quibble with footnotes. Jim writes in footnote 2: Adam Shostack, who has written extensively on threat modelling and has provided… | Threat |
2020-09-10 21:21:07 | Threat Modeling, Insiders and Incentives | There’s been a lot of talk over the last week about “updating threat models” in light of the Tesla insider story. (For example.) I’m getting this question a fair bit, and so wanted to talk about insiders in particular, and how to use the news in threat modeling more generally. This also is a great… | Threat |
2020-08-18 16:47:12 | Better Taught Than Caught! | So Chris Romeo has a blog post, “Threat modeling: better caught than taught.” In it, he advocates for threat modeling being a skill passed on informally. And, like many things in threat modeling, that’s attractive, sounds fun, and is utterly wrong. Let’s threat model this: What are we working on? Scaling threat modeling across all… | Threat |
2020-08-13 17:24:00 | MDIC Annual Public Forum | I’ll be speaking at the MDIC’s Annual Public Forum today, discussing how threat modeling helps bring maturity to the medtech sector. Join us shortly! | Threat |
2020-08-12 14:55:52 | When to Threat Model | At Defcon’s biohacking village, there was an interesting talk on Includes No Dirt threat modeling. I thought this slide was particularly interesting. As threat modeling moves from an idea through pilots and deployments, and we develop the organizational disciplines of threat modeling, the question of ‘when do we do this’ comes up. There’s good appsec… | Threat |
2020-07-15 00:58:37 | Software Engineering Radio | I enjoyed being a guest on Software Engineering Radio: Adam Shostack on Threat Modeling. It’s a substantial, in depth interview, running nearly 80 minutes, and covering a wide variety of topics. | Threat |
2020-07-02 15:52:46 | Threat Model In My Devops | This talk by Alyssa Miller is fascinating and thought provoking. She frames a focus on integrating threat modeling into devops. The question of ‘what are we working on’ is answered with use cases, and threat modeling for that sprint is scoped to the use cases. ‘What can go wrong’ is focused on a business analysis… | Threat |
2020-06-30 15:11:02 | Threat Modeling & the SAFE Framework | There’s an interesting and detailed blog post from Antti Vähä-Sipilä and Heli Syväoja at the F-Secure blog, Using SAFe® to align cyber security and executive goals in an agile setting. What I find most useful is the detailed and specific elements of how to bring threat modeling into the Scaled Agile Framework, in particular: Security… | Threat |
2020-06-16 13:38:18 | The Jenga View of Threat Modeling | I’m happy to announce Shostack & Associates’ new, first, corporate white paper! It uses Jenga to explain why threat modeling efforts fail so often. I’m excited for a lot of reasons. I care about learning from failure. I love games as teaching tools. But really, I’m excited because the paper has helped the people who read… | Threat |
2020-06-14 18:57:14 | Threat Research: More Like This | I want to call out some impressive aspects of a report by Proofpoint: TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware. There are many praise-worthy aspects of this report, starting from the amazing lack of hyperbole, and the focus on facts, rather than opinions. The extraordinary lack of adjectives… | Threat |
2020-06-09 16:15:37 | Contextualisation of Data Flow Diagrams… | Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed: “Abstract: Data flow diagrams (DFDs) are popular for sketching systems for subsequent threat modelling. Their limited semantics make reasoning about them difficult, but enriching them endangers their simplicity and subsequent ease of take up. We present an approach for… | Threat |
2020-05-14 19:29:40 | Models and Accuracy (Threat Modeling Thursday) | For Threat Model Thursday, I want to look at models and modeling in a tremendously high-stakes space: COVID models. There are a lot of them. They disagree. Their accuracy is subject to a wide variety of interventions. (For example, few disease models forecast a politicized response to the disease, or a massively inconsistent response within… | Threat |
2020-04-23 16:45:26 | Threat Model Thursday: Data Flow Diagrams | This week’s threat model Thursday looks at an academic paper, Security Threat Modeling: Are Data Flow Diagrams Enough? by Laurens Sion and colleagues. The short (4 page), readable paper looks at the strengths and weaknesses of forms of DFDs, and what we might achieve with variations on the form and different investments of effort. I… | Threat |
2020-04-02 20:58:13 | Power Dynamics in Threat Modeling | On Linkedin, Peter Dowdall had a very important response to my post on remote threat modeling. Because comments on Linkedin are a transient resource, I’m going to quote heavily: The team here ran a session with people in the same room using Miro (maybe 1 remote) and we found it stripped the barriers of either… | Threat |
2020-03-30 15:40:37 | Answering “What Are We Working On” When Remote | Practicing physical distancing has already dramatically changed how we work, and will continue to do so. Being physically distant means we can’t use a whiteboard to help us talk through “what are we working on?” There are technical facets of threat modeling, like using visual models to show and scope “what are we working on?”… | Threat |
2020-03-26 16:37:24 | Medical Device Threat Modeling | Threat modeling figures heavily in the FDA’s thinking. It’s been part of the first cybersecurity pre-market guidance, it was a big part of the workshop on ‘content of premarket submissions,’ etc. There have been lots of questions about how to make that happen. I’ve been working with the FDA and the MDIC, and we have… | Threat |
2020-03-23 18:14:16 | The COVID Pandemic | I know many readers are here for the threat modeling, and I could claim that this is the “what are we going to do about it” post, which it is, but I don’t want to have to blog all threat modeling all the time. So this is the “Seattle is a month into COVID-19” post.… | Threat |
2020-03-19 17:56:01 | Threat Modeling with Questionnaires | This post comes from a conversation I had on Linkedin with Clint Gibler. He wrote: One challenge I’ve heard from a number of companies is that, with say 3-5 AppSec engineers supporting 500 – 1000 devs, you can’t TM every story, or even every epic. So what do you focus on? The high risk /… | Threat |
2020-03-17 16:15:46 | Free Threat Modeling Training | The current situation is scary and anxiety-provoking, and I can’t do much to fix that. One thing I can do is give people a chance to learn, and so I’m making my Linkedin Learning classes free this week. (I’m told that each class is free for the day, so you’ll need to watch each within… | Threat |
2020-03-05 16:36:17 | Amazon's “Alexa Built-in” Threat Model | Amazon has released a set of documents, “Updates to Device Security Requirements for Alexa Built-in Products.” I want to look at these as a specific way to express a threat model, which is threat modeling along the supply chain, talk about the proliferation of this different kind of model, and what it means for engineering.… | Threat |
2020-03-02 17:01:27 | Threat Modeling Training at Blackhat 2020 | At Blackhat this summer, I’ll be offering threat modeling training at Blackhat. Last year, these sold out quickly, so don’t wait! This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start threat modeling early on day 1, followed by an understanding of traps that they… | Threat |
2020-02-27 16:15:18 | Threat Model Thursday: BIML Machine Learning Risk Framework | The Berryville Institute of Machine Learning (BIML) has released “An Architectural Risk Analysis of Machine Learning Systems.” This is an important step in the journey to systematic, structured, and comprehensive security analysis of machine learning systems, and we can contrast it with the work at Microsoft I blogged about last month. As always, my goal… | Threat |
Last update at: 2024-05-02 23:07:50