Author: adam

There’s an interesting and detailed blog post from Antti Vähä-Sipilä and Heli Syväoja at the F-Secure blog, Using SAFe® to align cyber security and executive goals in an agile setting. What I find most useful is the detailed and specific elements of how to bring threat modeling into the Scaled Agile Framework, in particular: Security…

Read More Threat Modeling & the SAFE Framework

Juneteenth is the celebration of the end of slavery in the US. We need more holidays that celebrate freedom. Freedom isn’t always comfortable or easy, but it is the precondition to the pursuit of happiness. BTW, we’ve been celebrating Juneteenth here on this blog for a long time, if no more consistently than anything else…

Read More Happy Juneteenth!

I want to call out some impressive aspects of a report by Proofpoint: TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware. There are many praise-worthy aspects of this report, starting from the amazing lack of hyperbole, and the focus on facts, rather than opinions. The extraordinary lack of adjectives…

Read More Threat Research: More Like This

The Sonatype 2020 DevSecOps Community Survey is a really interesting report. Most interesting to me is the importance of effective communication, with both tools and human communication in developer happiness. But even more important, my belief that to reach developers Star Wars is better than Star Trek is confirmed. No bias there.

Read More Sonatype Report on DevSecOps

Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed: “Abstract: Data flow diagrams (DFDs) are popular for sketching systems for subsequent threat modelling. Their limited semantics make reasoning about them difficult, but enriching them endangers their simplicity and subsequent ease of take up. We present an approach for…

Read More Contextualisation of Data Flow Diagrams…

There’s an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? It’s by Christopher Bellman and Paul C. van Oorschot. The abstract starts: “Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product…

Read More “Best Practices for IoT Security”