The Cybok project has released its v1 “Risk Management & Governance Knowledge Area”; I was a reviewer. Towards Automated Security Design Flaw Detection is an interesting paper from academics in Belgium and Sweden. Steve Lipner offers “Lessons learned through 15 years of SDL at work“ Charles Wilson has perspective on threat modeling devices in “Does…Read More Interesting Reads: Risk, Automation, lessons and more!
I’m excited to announce that I’m hitting my STRIDE and Linkedin has released the second course in my in-depth exploration of STRIDE: Tampering. I’m finding it fascinating to dive deep into the threats, organize my knowledge, and in doing so, hopefully help us chunk and remember what we’re learning.Read More Course announcement: Tampering in Depth!
I’m excited to be teaming up with Alpha Strike and Limes Security to deliver training in Vienna November 6-8. Details are available at Embedded Systems Security Days.Read More Training At Embedded Systems Security Days
Alexandre Sieira has some very interesting and actionable advice from looking at the Capital One Breach in “Learning from the July 2019 Capital One Breach.” Alex starts by saying “The first thing I want to make clear is that I sympathize with the Capital One security and operations teams at this difficult time. Capital One…Read More Actionable Followups from the Capital One Breach
There’s a new draft available from NIST, “Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF).” They are accepting comments through August 5th.Read More NIST on SDLs
“Safety First For Automated Driving” is a big, over-arching whitepaper from a dozen automotive manufacturers and suppliers. One way to read it is that those disciplines have strongly developed safety cultures, which generally do not consider cybersecurity problems. This paper is the cybersecurity specialists making the argument that cyber will fit into safety, and how…Read More Safety and Security in Automated Driving
Google Docs has chosen to red-underline the word “feasible,” which, as you can see, is in its dictionary, to suggest “possible.” “Possible,” possibly, was not the word I selected, because it means something different. Good writing is direct. Good writing respects the reader. Good writing doesn’t tax the reader accidentally. It uses simple words when…Read More The Road to Mediocrity
Omer Levi Hevroni has a very interesting post exploring ways to represent threat models as code. The closer threat modeling practices are to engineering practices already in place, the more it will be impactful, and the more it will be a standard part of delivery. There’s interesting work in both transforming threat modeling thinking into…Read More Threat Modeling as Code
J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers. Buildings don’t fall down because they’re engineered from a set of materials to meet the goals of carrying appropriate loads. Those materials…Read More Structures, Engineering and Security
“20 Ways to Make AppSec Move at the Speed of DevOps” is in CSO. It’s a good collection, and I’m quoted.Read More CSO on AppSec at the Speed of Devops