We think you should publish your threat model, and we’re publishing our arguments. At ThreatModCon, I gave a talk titled “Publish Your Threat Model!” In it, I discussed work that Loren Kohnfelder and I have been doing to explore the idea, and today I want to share the slides and an essay form of the idea. We invite comments on the essay form, which is the most fleshed out.
But what about the essence and beauty? Recently, friends at IriusRisk told me about someone who was really focused on the “beauty and essence of threat modeling” when done by smart people at a whiteboard. That person was skeptical about automation, because it threatens that beauty. And the first thing I want to say is: my friend, I feel you. When a threat modeling session really comes together, there’s a magic to the chance to connect, teach, learn, and influence.
Andor teaches us about insider threats. This post has spoilers for Season 2 of Andor, some lessons we can take for cybersecurity, and some thoughts on the writing process and drama. In Episode 10, we learn that Lonni has had Dedra's access cert for a year, and in Episode 11, we learn about how he's been using it. We don't learn how he got it, but when questioned, Dedra denies having given it to him (and there's little reason to think she would have).
Free training for displaced government employees. US Government employees (and former employees) are going through a lot of chaos. Many of our colleagues, collaborators, and friends are out of work suddenly and unexpectedly. At Shostack + Associates, we can't fix that. But we can offer something concrete. In times of uncertainty, we focus on what we know, and what we know is threat modeling and how to teach it.
Blackhat earlybird prices end Friday May 23; training prices will go up by about 10%. Blackhat is the primary place we encourage people to join us for open trainings. And if you plan to be there, why not register today? Adam is one of the many great trainers who'll be training at Blackhat USA, Aug 2-3 or 4-5.
Think like a what??! There's an amazing moment of dialog in Andor: Luthen: "You're thinking like a thief!" Andor: "I'm thinking like a soldier!" Luthen: "I need you to think like a leader!" Now, maybe this just hit me because of my own rebellion against "think like an attacker," but I think it's a great small bit. Luthen doesn't explain how a leader thinks, but then, many leaders don't know how leaders think.
Get one fourth off for May the fourth! In Andor, Imperial Security Bureau supervisor Dedra Meero spends a lot of time thinking about how she'd steal highly sensitive Imperial hardware and explaining how she'd never climb the same fence twice. But her analyses don't convince her fellow ISB officers. Trying to get into your opponent's head is tricky. But frankly, the problem is: for the show to work, she has to lose.
Threat modeling. So much threat modeling, and so much more, including foreshadowing of new rules from FDA. Threat Modeling: Threat Modeling Connect has new in-person groups. There's a new human-harms-focused threat modeling approach, covered in an academic paper, Threat Me Right: A Human HARMS Threat Model for Technical Systems. Linwood Jones and Pawan Suresh blogged about Scaling Your Threat Modeling Program using GenAI at Adobe.
A great, in-depth series on threat modeling with ATT&CK. Tiffany Bergeron is Chief Architect at MITRE's Mappings Program. We did a four-part series, diving deep into threat modeling using ATT&CK. This is a deeper insight into the set of conversations that Kyle Wallace and I previewed at an RSAC Virtual Seminar: Building Resilient Systems (our video starts here).
What's next for the CVE program? Since last week's CVE budget kerfuffle, I've been drawn into many conversations about "what comes next?" And while I want to say that I don't know and I haven't been involved in too long, it turns out I have a perspective that I keep sharing. To summarize: decide what problem you're solving. Since I wrote my post, CISA has made a strong statement: To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior
Pray they don't alter the price any further. Neowin has a promotion in which they're giving away my Threats: What Every Engineer Should Learn from Star Wars. (They also have Tanya Janca's new Alice and Bob Learn Application Security and more.) I know, he said "never tell me the odds," but the odds of the price going any lower are approximately 3,720 to 1!
CVE funding is apparently not being renewed. I haven't been operationally involved for a long time and I'm sorry for what the team is going through. I'm not alone in having strong feelings, and I want to talk about some of the original use cases that informed us as we set up the system. (You might also enjoy my thoughts on 25 Years of CVE for some context.)
What's wrong with this process? Appsec leaders come to me all the time, looking for feedback on their threat modeling approach. When we do it for a customer, the request and response are private, and when they're not, sometimes they end up in the blog. A recent request exemplified a couple of the problems that we see over and over: The system model provides a framework for identifying and analyzing potential threats by thoroughly describing the assets, attributes, and their interactions with
Troy Hunt has a good post about being phished. Good on Troy for being transparent, and he talks about being tired and jet lagged, and that deserves sympathy. Attackers are sneaky. Troy honorably admits that he overrode 1Password and filled out the phishing site. In this post, I want to share why I think I wouldn't fall for this, even jet lagged. That defense is intensive sorting into folders, enabled by custom email addresses.
Big news for LLMs in threat modeling! Threat Modeling: Matthew Adams introduced TM-Bench, "The World's First LLM Threat Modeling Benchmark." I'm glad to see this; testing and evaluation is important. Tony Lee has released DeepTM, a tool for chaining threat models. (Tony was nice enough to help me find the core code for the agents.) As a general comment on these systems, LLMs are tremendously reactive to very small wording changes.
Grateful to introduce the Hackers' Almanack! I wrote the introduction for The DEF CON 32 Hackers' Almanack! Every year, thousands of hackers converge in Las Vegas for a joyous, crazy exploration of the edges of technology, otherwise fondly called Hacker Summer Camp. They include many communities with different perspectives, all with a core commitment to hacking and exploration.
A group of us have urged HHS to require better handling of security reports. A group of us have urged HHS to require that health care providers act on (and facilitate reporting of) security issues by good faith cybersecurity researchers. The core of what we recommend is that HHS should require cooperation with Good Faith researchers. All regulated entities should be required to enable people to report security issues in a way that's easy to discover and aligned with standards.
Register for OWASP training in Barcelona! If you're based in the EU and have been waiting to participate in Adam Shostack's Threat Modeling training, the wait is over: Shostack + Associates will be delivering training at OWASP Global AppSec in Barcelona! This in-person training will be taking place live from May 27-28, 2025. The conference will be held from May 29-30, 2025.
Adam was on the Medical Device Cybersecurity podcast. I'm excited to share that I recently spoke with the Cyber Doctor on the Medical Device Cybersecurity podcast! Whether you're an engineer, security professional, or product leader, this discussion may help you refine your approach to building secure systems efficiently. In the episode, we tackled three key qualities of threat modeling: how to make application design actionable, scalable, and practical.
Adam was on the CyberTuesday podcast. I recently had the pleasure of joining Simon Whittaker on the CyberTuesday podcast for a wide-ranging discussion about threat modeling and organizational culture. I wanted to share some key themes we explored. One of the core messages I emphasized is how we can make threat modeling more accessible. If you've read my recent blog post on Hoarding, Debt and Threat Modeling, you'll hear me reiterate how people often try to model everything at once and get overwhel
BlackHat invites human factors work. Blackhat 2024 will be August 6-7 in Las Vegas. The call for papers is open, and will close on April 2. (Please check all dates in the official CFP.) As a member of the BlackHat Review Board, I'm responsible for the Human Factors track. Over the last decade, we've developed a good track with a wide variety of content.
An exciting new sample TM from MITRE. For Threat Model Thursday, I want to provide some comments on NIST CSWP 35 ipd, Cybersecurity Threat Modeling the Genomic Data Sequencing Workflow (Initial Public Draft). As always, my goal is to offer helpful feedback. This is a big, complex document. It's 50 pages of real content with 13 listed authors, and is a subset of a larger project.
The psychology of getting started threat modeling. During a recent threat modeling course, one of our students, Aleksei*, made a striking comparison that resonated with a lot of us: starting security analysis is like tackling a hoarder's house. That visceral image of looking at mountains of accumulated issues, feeling overwhelmed by where to begin, captures a challenge many engineering leaders face when they first attempt to systematically assess their systems' security.
Our comments on the National Cyber Incident Plan. Josiah Dykstra and I have some comments on the National Cyber Incident Response Plan updates. Building on our recent paper about pandemic-scale cyber events, we submitted 14 recommendations to further improve the plan. We share the desire for proactive plans that adequately prepare the Nation for cyber incidents.
Do diagrams leverage the brain in a different way? Creating, refining, communicating, and working with models are all important parts of how I think about answering "what are we working on?" People often want to eliminate the diagramming or modeling step as not required, and that's a mistake. The act of engaging with the higher order question of what are we building working on is important, and diagramming acts as a forcing function.
An important step towards cyber public health. Every four years, the Computing Research Association publishes a set of Quadrennial papers that explore areas and issues around computing research with potential to address national priorities. The white papers attempt to portray a comprehensive picture of the computing research field, detailing potential research directions, challenges, and recommendations.
I had planned to start 2025 with a more positive note, but the loss of Amit Yoran, who was only a few years older than me, has hit me hard. I first met Amit at a Computers, Freedom and Privacy conference in the early 90s. He was in his West Point uniform, which was not typical for attendees of the conference. So I went over and struck up a conversation, and we continued over probably 30 years.
What should hackathon judges value? The Threat Modeling Connect team has built a hackathon that's gotten a lot of enthusiastic participation over the last few years. Today I want to discuss the design of that hackathon, talk about an effect of the design and ask if we can do something different. None of this is intended to critique the organizers, participants or judges.
My talk at JPL. Before Thanksgiving, I was in Southern California, and I was honored to be able to give a talk at the Jet Propulsion Lab. The talk is titled Threat Modeling: Engineering and Science. The first part of the talk puts threat modeling in context for engineering secure systems, while the second part considers why we do what we do and asks some questions about how we think about risk.
Why do we call them trust boundaries, anyway? This blog post is more questions and musings than answers. Back in September, there was a fascinating Propublica article, Microsoft Chose Profit Over Security. It includes a link to Microsoft Security Servicing Criteria for Windows, which uses the term "security boundary" where I'd normally say "trust boundary."
In late 2024, people are being offered a choice of features versus security. This week, Synology released a security patch (for Synology Photos, a default part of some of their products) without telling anyone. When I went to install it, I learned that the security update comes with mandatory disabling of video conversion for H.264/265*. Now, it's possible that the bugs that the researchers found led Synology to find that the libraries they were using were a wretched hive of vulnerabilities, and
If you say liability three times, it appears! Secure by Design, threat modeling and appsec. Loren Kohnfelder wrote a longish, excellent post, Flaunt your threat models. We've been talking about this, and I think flaunting models at the level of the one released by Curl makes so much sense it's hard to see why it's not standard. Google has released information on their Secure by Design commitment, including a blog and white paper.
Some thoughts on 25 years of the CVE program. I saw the headline "CVE Program Celebrates 25 Years of Impact!" and want to congratulate everyone involved. The 25th anniversary report was a nostalgic walk down memory lane for me. I remember sitting a row or two behind Dave Mann and Steve Christey Coley at the workshop on vulnerability databases, and wondering who the heck MITRE was and why they cared?
Threat Model Thursday, let's dive deep into a detailed approach to using ATT&CK. For Threat Model Thursday, let's look at Threat Modeling with ATT&CK from the Center for Threat Informed Defense at MITRE. As always with Threat Model Thursday, my goal is to respectfully engage with interesting work and ask what we can learn from it. This one is particularly interesting because I've been teaching threat modeling with kill chains, including ATT&CK, for many years.
Time to vote for OWASP leadership. The OWASP 2024 board elections are open. OWASP has outsize influence over application security. It's a go-to authoritative source, many of its projects are recognized in international standards, and more. And the election videos have fewer than 100 views each. As an OWASP member and supporter (even though I'm sometimes critical), I encourage anyone who reads this blog to join and get involved in making the organization better.
If you say threat modeling three times, it appears! This month's roundup focuses on recent in-depth threat modeling work, including academic papers, an Amazon white paper, and more. Also, exciting news from Shostack + Associates. There was less in AI, appsec or regulation that jumped out as worthy of rounding up.
The most important stories around threat modeling, appsec and secure by design for August, 2024. Threat Modeling: Brett Crawley released Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture, published by Packt, a full book on the game. Awesome! (I was honored to write the Foreword.) In a blog post at Forbes, Zak Doffman discusses a New Warning As Spike In GPS Spoofing Attacks Hit Passenger Planes, citing a rise from 200 daily incidents to 900 in Q2
The failure to secure boot keys should be a bigger deal. In case you missed it, Ars Technica has a story, Secure Boot is completely broken on 200+ models from 5 big device makers. The key* point is that Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway. At some level, I get it. There's a lot of work to do in shipping a big complex system, even if that big complex system is in a small form factor.
A new paper on 'Pandemic Scale Cyber Events'. Josiah Dykstra and I have a new pre-print at arXiv, Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19. The abstract is: The devastating health, societal, and economic impacts of the COVID-19 pandemic illuminate potential dangers of unpreparedness for catastrophic pandemic-scale cyber events.
You should get the Threat Modeling Gameplay book, now available! One of the challenges in creating a game with a purpose is balancing fun and pedagogy (or even pedantry). Cards in my Elevation of Privilege game have specific hints, more specific than the threats that are used as the suits, but sometimes not specific enough. That's why I'm so pleased that Brett Crawley has written a book, Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture.
Podcast episode with Venkat Ramakrishnan discussing the intersection of GenAI and threat modeling. Earlier this year, Adam had the opportunity to speak with Venkat Ramakrishnan on his show "Software Testing and Quality Talks". In this episode, Adam and Venkat discuss the ever hot topic of GenAI. Whether you work in quality assurance or app sec, this episode may still be relevant to you.
Google calls attention to our Cyber Public Health work. Last week, Bill Reid and Taylor Lehmann, both in the Office of the CISO at Google Cloud, wrote a blog post, Cyber Public Health: A new approach to cybersecurity. The post makes the case that the approach is important, and ties it to the recent work about Cyber-Physical Resilience by the President's Council of Advisors on Science and Technology.
The most important stories around threat modeling, appsec and secure by design for June, 2024. Threat Modeling: The City of London police report that a homemade mobile antenna was used to send thousands of smishing messages. I've been skeptical of phone system security, but this is both important if you're trusting the phone system, as an example of an evolving threat, and really funny.
Why is it hard to count LockBit infections? I was surprised to see the headline FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out. I didn't think there were that many victims. Some somewhat lazy searching reveals: CISA (with other agencies) said 1,700 in Understanding Lockbit (June, 2023); the Department of Justice said more than 2,500 victims in U.S.