2017


As I reflect back on 2017, I think it was a tremendously exciting year for threat modeling tooling. Some of the highlights for me include: OWASP Threat Dragon is a web-based tool, much like the MS threat modeling tool, and explained in Open Source Threat Modeling, and the code is at https://github.com/mike-goodwin/owasp-threat-dragon. What’s exciting is…

Read More Threat Modeling Tooling from 2017

Portfolio Thinking: AppSec Radar

At DevSecCon London, I met Michelle Embleton, who is doing some really interesting work around what she calls an AppSec Radar. The idea is to visually show what technologies, platforms, et cetera are being evaluated, adopted and in use, along with what’s headed out of use. Surprise technology deployments always make for painful conversations. This…

Read More Portfolio Thinking: AppSec Radar


I had not seen this amazing picture of Harrison Schmitt near Shorty Crater. Via Astronomy Picture of the Day. If you enjoy these, Full Moon is a gorgeous collection of meticulously scanned Apollo images. There are various editions; I encourage you to get the 11″x11″ one, not the 8×8.

Read More 45 Years


[Update: More at DarkReading, “The Critical Difference Between Vulnerabilities Equities & Threat Equities.”] The Vulnerabilities Equities Process (VEP) is how the US Government decides if they’ll disclose a vulnerability to the manufacturer for fixing. The process has come under a great deal of criticism, because it’s never been clear what’s being disclosed, what fraction…

Read More Vulnerabilities Equities Process and Threat Modeling