Shostack + Friends Blog Archive

 

Do Games Teach Security?

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card […]

 

Threat Modeling the PASTA Way

There’s a really interesting podcast with Robert Hurlbut Chris Romeo and Tony UcedaVelez on the PASTA approach to threat modeling. The whole podcast is interesting, especially hearing Chris and Tony discuss how an organization went from STRIDE to CAPEC and back again. There’s a section where they discuss the idea of “think like an attacker,” […]

 

Secure Development or Backdoors: Pick One

In “Threat Modeling Crypto Back Doors,” I wrote: In the same vein, the requests and implementations for such back-doors may be confidential or classified. If that’s the case, the features may not go through normal tracking for implementation, testing, or review, again reducing the odds that they are secure. Of course, because such a system […]

 

Diagrams in Threat Modeling

When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, Interrupted” this paragraph really jumped out at me: One thing that coding and writing fiction […]

 

FBI says their warnings were ignored

There’s two major parts to the DNC/FBI/Russia story. The first part is the really fascinating evolution of public disclosures over the DNC hack. We know the DNC was hacked, that someone gave a set of emails to Wikileaks. There are accusations that it was Russia, and then someone leaked an NSA toolkit and threatened to […]

 

What does the MS Secure Boot Issue teach us about key escrow?

Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden keys and secure boot. This post is not intended to attack anyone; researchers, journalists or […]

 

"Think Like an Attacker" is an opt-in mistake

I’ve repeatedly spoken out against “think like an attacker.” Now I’m going to argue from authority. In this long article, “The Obama Doctrine,” the President of the United States says “The degree of tribal division in Libya was greater than our analysts had expected.” So let’s think about that statement and what it means. First, […]

 

Sneak peeks at my new startup at RSA

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, we may be able to help. My new startup is getting ready to show our […]

 

Threat Modeling: Chinese Edition

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.

 

Threat Modeling, Chinese Edition!

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into Chinese. You can buy it from Amazon.cn.

 

Towards a model of web browser security

One of the values of models is they can help us engage in areas where otherwise the detail is overwhelming. For example, C is a model of how a CPU works that allows engineers to defer certain details to the compiler, rather than writing in assembler. It empowers software developers to write for many CPU […]

 

Threat Modeling At a Startup

I’ve been threat modeling for a long time, and at Microsoft, had the lovely opportunity to put some rigor into not only threat modeling, but into threat modeling in a consistent, predictable, repeatable way. Because I did that work at Microsoft, sometimes people question how it would work for a startup, and I want to […]

 

Think Like An Attacker? Flip that advice!

For many years, I have been saying that “think like an attacker” is bad advice for most people. For example: Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They […]

 

Modeling Attackers and Their Motives

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. You should look at the reports for facts you can use to assess your systems, such as filenames, hashes and IP addresses. Most readers should, at most, skim their analysis of the perpetrators. Read on […]

 

Jolt Award for Threat Modeling

I am super-pleased to report that Threat Modeling: Designing for Security has been named a Jolt Finalist, the first security-centered book to make that list since Schneier’s Secrets and Lies in 2001. My thanks to the judges, most especially to Gastón Hillar for the constructive criticism that “Unluckily, the author has chosen to focus on […]

 

Etsy's Threat Modeling

Gabrielle Gianelli has pulled back the curtain on how Etsy threat modeled a new marketing campaign. (“Threat Modeling for Marketing Campaigns.”) I’m really happy to see this post, and the approach that they’ve taken: First, we wanted to make our program sustainable through proactive defenses. When we designed the program we tried to bake in […]

 

Seattle event: Ada's Books

For Star Wars day, I’m happy to share this event poster for my talk at Ada’s Books in Seattle Technical Presentation: Adam Shostack shares Threat Modeling Lessons with Star Wars. This will be a less technical talk with plenty of discussion and interactivity, drawing on some of the content from “Security Lessons from Star Wars,” […]

 

There's more than one way to threat model

Today, most presentations on threat modeling talk about each phase of the process. They talk about how to model what you’re building, what can go wrong, and what to do about it. Those tightly coupled processes can be great if you’ve never heard of an approach to threat modeling. But they can add to the […]

 

Threat modeling the Dread Pirate Roberts way

It has to be said that no one in the Princess Bride is great at threat modeling. But one scene in particular stands out. It’s while they’re planning to attack the castle and rescue Buttercup: Westley: I mean, if we only had a wheelbarrow, that would be something. Inigo: Where we did we put that […]

 

Threat Modeling & Devops: Like Peanut Butter & Jelly

George Hulme interviewed me for Devops.com, and the article is at “Q&A: Speaking DevOps and Threat Modeling.” Its obvious that devops is an important trend, andit’s important to understand how to align threat modeling to that world.

 

Should I Start Threat Modeling from Assets?

A couple of reviewers have commented that they have different perspective on assets. For example, in a review I very much appreciated, Gunnar Peterson says: I have slightly a different perspective on Shostack’s view on assets. The book goes into different views that launch the threat model, the approach advocated for in the book is […]

 

Account Recovery Fail

“Please note that your password will be stored in clear text in our database which will allow us to send it back to you in case you lost it. Try avoid using the same password as accounts you may have in other systems.” — a security conference’s speaker website This is a silly pattern. At […]

 

Threat Modeling and Operations

One very important question that’s frequently asked is “what about threat modeling for operations?” I wanted to ensure that Threat Modeling: Designing for Security focused on both development and operations. To do that, I got help from Russ McRee. For those who don’t know Russ, he’s a SANS incident handler as well as a collegue […]

 

My Technical Editor: Chris Wysopal

When Wiley asked me about a technical editor for Threat Modeling: Designing for Security, I had a long list of requirements. I wanted someone who could consider the various scenarios where threat modeling is important, including software development and operations. I wanted someone who understood the topic deeply, and had the experience of teaching threat […]

 

TSA Approach to Threat Modeling, Part 3

It’s often said that the TSA’s approach to threat modeling is to just prevent yesterday’s threats. Well, on Friday it came out that: So, here you see my flight information for my United flight from PHX to EWR. It is my understanding that this is similar to digital boarding passes issued by all U.S. Airlines; […]

 

The output of a threat modeling session, or the creature from the bug lagoon

Wendy Nather has continued the twitter conversation which is now a set of blog posts. (My comments are threat modeling and risk assessment, and hers: “That’s not a bug, it’s a creature. “) I think we agree on most things, but I sense a little semantic disconnect in some things that he says: The only […]

 

The TSA’s Approach to Threat Modeling

“I understand people’s frustrations, and what I’ve said to the TSA is that you have to constantly refine and measure whether what we’re doing is the only way to assure the American people’s safety. And you also have to think through are there other ways of doing it that are less intrusive,” Obama said. “But […]

 

Boundary Objects and Threat Modeling

Ethonomethodologists talk a lot about communities of practice. Groups of people who share some set of work that they do similarly, and where they’ll co-evolve ways of working and communicating. When everyone is part of a given community, this works really well. When we talk about “think like an attacker” within a community of security […]

 

SDL Announcements

I’m in Barcelona, where my employer has made three announcements about our Security Development Lifecycle, which you can read about here: “SDL Announcements at TechEd EMEA.” I’m really excited about all three announcements: they represent an important step forward in helping organizations develop more secure code. But I’m most excited about the public availability of […]

 

The Discipline of "think like an attacker"

John Kelsey had some great things to say a comment on “Think Like An Attacker.” I’ve excerpted some key bits to respond to them here. Perhaps the most important is to get the designer to stop looking for reasons attacks are impossible, and start looking for reasons they’re possible. That’s a pattern I’ve seen over […]

 

Think Like An Attacker?

One of the problems with being quoted in the press is that even your mom writes to you with questions like “And what’s wrong with “think like an attacker?” I think it’s good advice!” Thanks for the confidence, mom! Here’s what’s wrong with think like an attacker: most people have no clue how to do […]

 

Privacy Enhancing Technologies and Threat Modeling

Steven Murdoch and Robert Watson have some really interesting results about how to model the Tor network in Metrics for Security and Performance in Low-Latency Anonymity Systems (or slides). This is a really good paper, but what jumped out at me was their result, which is that the right security tradeoff is dependent on how […]