Think like a what??! There's an amazing moment of dialog in Andor. Luthen: "You're thinking like a thief!" Andor: "I'm thinking like a soldier!" Luthen: "I need you to think like a leader!" Now, maybe this just hit me because of my own rebellion against "think like an attacker," but I think it's a great small bit. Luthen doesn't explain how a leader thinks, but then, many leaders don't know how leaders think.
Get one fourth off for May the fourth! In Andor, Imperial Security Bureau supervisor Dedra Meero spends a lot of time thinking about how she'd steal highly sensitive Imperial hardware and explaining how she'd never climb the same fence twice. But her analyses don't convince her fellow ISB officers. Trying to get into your opponent's head is tricky. But frankly, the problem is: for the show to work, she has to lose.
Threat modeling. So much threat modeling, and so much more, including foreshadowing of new rules from FDA. Threat Modeling: Threat Modeling Connect has new in-person groups. There's a new human-harms-focused threat modeling approach, covered in an academic paper, "Threat Me Right: A Human HARMS Threat Model for Technical Systems." Linwood Jones and Pawan Suresh blogged about Scaling Your Threat Modeling Program using GenAI at Adobe.
A great, in-depth series on threat modeling with ATT&CK. Tiffany Bergeron is Chief Architect at MITRE's Mappings Program. We did a four-part series, diving deep into threat modeling using ATT&CK. This is a deeper insight into the set of conversations that Kyle Wallace and I previewed at an RSAC Virtual Seminar: Building Resilient Systems (our video starts here).
What's next for the CVE program? Since last week's CVE budget kerfuffle, I've been drawn into many conversations about "what comes next?" And while I want to say that I don't know and I haven't been involved in too long, it turns out I have a perspective that I keep sharing. To summarize: decide what problem you're solving. Since I wrote my post, CISA has made a strong statement: "To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior
Pray they don't alter the price any further. Neowin has a promotion in which they're giving away my Threats: What Every Engineer Should Learn from Star Wars. (They also have Tanya Janca's new Alice and Bob Learn Application Security and more.) I know, he said "never tell me the odds," but the odds of the price going any lower are approximately 3,720 to 1!
CVE funding is apparently not being renewed. I haven't been operationally involved for a long time and I'm sorry for what the team is going through. I'm not alone in having strong feelings, and I want to talk about some of the original use cases that informed us as we set up the system. (You might also enjoy my thoughts on 25 Years of CVE for some context.)
What's wrong with this process? Appsec leaders come to me all the time, looking for feedback on their threat modeling approach. When we do it for a customer, the request and response are private, and when they're not, sometimes they end up in the blog. A recent request exemplified a couple of the problems that we see over and over: "The system model provides a framework for identifying and analyzing potential threats by thoroughly describing the assets, attributes, and their interactions with
Troy Hunt has a good post about being phished. Good on Troy for being transparent, and he talks about being tired and jet-lagged, and that deserves sympathy. Attackers are sneaky. Troy honorably admits that he overrode 1Password and filled out the phishing site. In this post, I want to share why I think I wouldn't fall for this, even jet-lagged. That defense is intensive sorting into folders, enabled by custom email addresses.
Big news for LLMs in threat modeling! Threat Modeling: Matthew Adams introduced TM-Bench, "The World's First LLM Threat Modeling Benchmark." I'm glad to see this; testing and evaluation is important. Tony Lee has released DeepTM, a tool for chaining threat models. (Tony was nice enough to help me find the core code for the agents.) As a general comment on these systems, LLMs are tremendously reactive to very small wording changes.
Grateful to introduce the Hackers' Almanack! I wrote the introduction for The DEF CON 32 Hackers' Almanack! Every year, thousands of hackers converge in Las Vegas for a joyous, crazy exploration of the edges of technology, otherwise fondly called Hacker Summer Camp. They include many communities with different perspectives, all with a core commitment to hacking and exploration.
A group of us have urged HHS to require better handling of security reports. A group of us have urged HHS to require that health care providers act on (and facilitate reporting of) security issues by good-faith cybersecurity researchers. The core of what we recommend is that HHS should require cooperation with good-faith researchers. All regulated entities should be required to enable people to report security issues in a way that's easy to discover and aligned with standards.
Register for OWASP training in Barcelona! If you're based in the EU and have been waiting to participate in Adam Shostack's Threat Modeling training, the wait is over: Shostack + Associates will be delivering training at OWASP Global AppSec in Barcelona! This in-person training will be taking place live from May 27-28, 2025. The conference will be held from May 29-30, 2025.
Adam was on the Medical Device Cybersecurity podcast. I'm excited to share that I recently spoke with the Cyber Doctor on the Medical Device Cybersecurity podcast! Whether you're an engineer, security professional, or product leader, this discussion may help you refine your approach to building secure systems efficiently. In the episode, we tackled three key qualities of threat modeling: how to make application design actionable, scalable, and practical.
Adam was on the CyberTuesday podcast. I recently had the pleasure of joining Simon Whittaker on the CyberTuesday podcast for a wide-ranging discussion about threat modeling and organizational culture. I wanted to share some key themes we explored. One of the core messages I emphasized is how we can make threat modeling more accessible. If you've read my recent blog post on Hoarding, Debt and Threat Modeling, you'll hear me reiterate how people often try to model everything at once and get overwhel
BlackHat invites human factors work. BlackHat 2024 will be August 6-7 in Las Vegas. The call for papers is open, and will close on April 2. (Please check all dates in the official CFP.) As a member of the BlackHat Review Board, I'm responsible for the Human Factors track. Over the last decade, we've developed a good track with a wide variety of content.
An exciting new sample TM from MITRE. For Threat Model Thursday, I want to provide some comments on NIST CSWP 35 ipd, Cybersecurity Threat Modeling the Genomic Data Sequencing Workflow (Initial Public Draft). As always, my goal is to offer helpful feedback. This is a big, complex document. It's 50 pages of real content with 13 listed authors, and is a subset of a larger project.
The psychology of getting started threat modeling. During a recent threat modeling course, one of our students, Aleksei*, made a striking comparison that resonated with a lot of us: starting security analysis is like tackling a hoarder's house. That visceral image of looking at mountains of accumulated issues, feeling overwhelmed by where to begin, captures a challenge many engineering leaders face when they first attempt to systematically assess their systems' security.
Our comments on the National Cyber Incident Plan. Josiah Dykstra and I have some comments on the National Cyber Incident Response Plan updates. Building on our recent paper about pandemic-scale cyber events, we submitted 14 recommendations to further improve the plan. We share the desire for proactive plans that adequately prepare the Nation for cyber incidents.
Do diagrams leverage the brain in a different way? Creating, refining, communicating, and working with models are all important parts of how I think about answering "what are we working on?" People often want to eliminate the diagramming or modeling step as not required, and that's a mistake. The act of engaging with the higher-order question of "what are we building/working on?" is important, and diagramming acts as a forcing function.
An important step towards cyber public health. Every four years, the Computing Research Association publishes a set of Quadrennial papers that explore areas and issues around computing research with potential to address national priorities. The white papers attempt to portray a comprehensive picture of the computing research field, detailing potential research directions, challenges, and recommendations.
My talk at JPL. Before Thanksgiving, I was in Southern California, and I was honored to be able to give a talk at the Jet Propulsion Lab. The talk is titled "Threat Modeling: Engineering and Science." The first part of the talk puts threat modeling in context for engineering secure systems, while the second part considers why we do what we do and asks some questions about how we think about risk.
If you say liability three times, it appears! Secure by Design, threat modeling and appsec. Loren Kohnfelder wrote a longish, excellent post, "Flaunt your threat models." We've been talking about this, and I think flaunting models at the level of the one released by Curl makes so much sense it's hard to see why it's not standard. Google has released information on their Secure by Design commitment, including a blog and white paper.
Some thoughts on 25 years of the CVE program. I saw the headline "CVE Program Celebrates 25 Years of Impact!" and want to congratulate everyone involved. The 25th anniversary report was a nostalgic walk down memory lane for me. I remember sitting a row or two behind Dave Mann and Steve Christey Coley at the workshop on vulnerability databases, and wondering who the heck MITRE was and why they cared.
Threat Model Thursday: let's dive deep into a detailed approach to using ATT&CK. For Threat Model Thursday, let's look at Threat Modeling with ATT&CK from the Center for Threat-Informed Defense at MITRE. As always with Threat Model Thursday, my goal is to respectfully engage with interesting work and ask what we can learn from it. This one is particularly interesting because I've been teaching threat modeling with kill chains, including ATT&CK, for many years.
Time to vote for OWASP leadership. The OWASP 2024 board elections are open. OWASP has outsize influence over application security. It's a go-to authoritative source, many of its projects are recognized in international standards, and more. And the election videos have fewer than 100 views each. As an OWASP member and supporter (even though I'm sometimes critical), I encourage anyone who reads this blog to join and get involved in making the organization better.
Threatmodcon was amazing. It's amazing how much progress we're making at threat modeling. There's enough interest — and research — to support multiple, full-day, multi-track conferences per year. The team behind the conference has put together a roundup, and I'm looking forward to reading the slides for the talks that I missed.
Slides from Adam's talk at the Symposium. Last week, I participated in a fascinating Symposium on Health Sector Security and Resilience. The event was held under the Chatham House Rule, and I'm going to honor that. And I wanted to share my slides, because I want to continue the conversation about how a public health model can help the sector.
A new paper on 'Pandemic Scale Cyber Events'. Josiah Dykstra and I have a new pre-print at arXiv, "Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19." The abstract is: "The devastating health, societal, and economic impacts of the COVID-19 pandemic illuminate potential dangers of unpreparedness for catastrophic pandemic-scale cyber events."
Podcast episode with Venkat Ramakrishnan discussing the intersection of GenAI and threat modeling. Earlier this year, Adam had the opportunity to speak with Venkat Ramakrishnan on his show "Software Testing and Quality Talks". In this episode, Adam and Venkat discuss the ever-hot topic of GenAI. Whether you work in quality assurance or appsec, this episode may still be relevant to you.
Adam's presentation to a National Academies Panel. Last week, I presented to the National Academies study on hard problems for cyber resiliency. The final stream is here, and I come in around minute 57. My final deck: Cyber Public Health and Cyber Hard Problems.
Google calls attention to our Cyber Public Health work. Last week, Bill Reid and Taylor Lehmann, both in the Office of the CISO at Google Cloud, wrote a blog post, "Cyber Public Health: A new approach to cybersecurity." The post makes the case that the approach is important, and ties it to the recent work about Cyber-Physical Resilience by the President's Council of Advisors on Science and Technology.
Adam will be presenting to a National Academies Panel. At 1 Eastern I'll be presenting to the National Academies study on hard problems for cyber resiliency. There'll be a stream here. My final deck: Cyber Public Health and Cyber Hard Problems.
The most important stories around threat modeling, appsec and secure by design for June, 2024. Threat Modeling: The City of London police report that a homemade mobile antenna was used to send thousands of smishing messages. I've been skeptical of phone system security, but this is both important if you're trusting the phone system, as an example of an evolving threat, and really funny.
Why is it hard to count LockBit infections? I was surprised to see the headline "FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out." I didn't think there were that many victims. Some somewhat lazy searching reveals: CISA (with other agencies) said 1,700 in Understanding LockBit (June, 2023); the Department of Justice said more than 2,500 victims in U.S.
How to effectively threat model authentication. Recently, I wrote about threat modeling and logins, and I want to expand on that post to talk about methodologies. Before I do, I want to say the crucial step is to consider "What can go wrong?" before implementing a defense, so that each defense is defending against a specific threat. (That implies that you need to go from consideration to keeping a list, and making sure that the list is specific and clear.)
Authentication is more frustrating to your customers when you don't threat model. Recently, I was opening a new bank account. The bank unexpectedly sent me a temporary password to sign up, and when I did, the temporary password had expired. So it sent me another, this time warning me it was only going to last ten minutes. But then, after I went to reset the password, the bank emailed me a one-time code.
A less busy month in appsec, AI, and regulation, but still interesting stories. I'm going to kick off with two interesting engineering stories. First, the Washington Post reports on how "Officials studied Baltimore bridge risks but didn't prepare for ship strike," which discusses the challenges of securing bridges against modern cargo ships. It turns out that additional barriers were a known tradeoff.
Adam on Enterprise Security Weekly podcast. Adam is excited to share that he was live with Adrian Sanabria of the Enterprise Security Weekly podcast! In this episode, Adam and Adrian talk all things threat modeling. From foundational material to inherent threats, they discuss a wide range of topics to interest all listeners. Check out the full episode here!
The CSRB has released its report into an intrusion at Microsoft, and... it's a doozy. The Cyber Safety Review Board has released its report into an intrusion at Microsoft, and... it's a doozy. It opens: "The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft." With some time to reflect on the findings, I think the report is best characterized as a well-earned rebuke to Microsoft.
Adam on Healthcare Info Security podcast. Adam is excited to share that he was live with Marianne Kolbasuk McGee of Healthcare Info Security! In this episode, Adam and Marianne emphasize the critical importance of integrating threat modeling early in the medical device development process. Adam highlights some of the biggest mistakes that medical device manufacturers can make, such as delaying threat modeling until late in the development phase or treating it merely as a "paper weight exercise."
Threat modeling is the "measure once, cut twice" of cybersecurity. Structured techniques help you understand the danger so you can create a focused defensive security strategy. But they're expensive and slow! Over the years, many people have told me that threat modeling really helps — once they get it up and running. But they hate having to collaborate with people.
A busy month in appsec, AI, and regulation. Breaking: Alec Muffett reports that Ross Anderson has passed away. Ross was a giant of the field and I'm shocked. Regulation: The White House released a report on memory safe languages. Stop, read those words again. That the White House is involved should not be a shocker to readers of this blog, and it represents a fascinating state of the evolution of the conversation around memory safety that it would reach that level. (Press release, technical repo
We have a new paper at NDSS. In security, there's work we do to protect ourselves or our business, and there's work we do to protect others, or to enable people to securely interact with us. Guess which CISOs tend to prioritize? Giving society a way to think about, measure, and improve the latter is an important value of the cyber public health framing.