Apple has released (or I’ve just come across) a document Device and Data Access when Personal Safety is At Risk. Apple makes it easy to connect and share your life with the people closest to you. What you share, and whom you share it with, is up to you — including the decision to make…
Read More Apple Guidance on Intimate Partner Surveillance
Post thumbnail
There’s an interesting paper by Becky Kazansky, ‘It depends on your threat model’: the anticipatory dimensions of resistance to data-driven surveillance. The author critiques ‘anticipatory data practices’, a collection of techniques that include my own work, as presented to civil society activists. It opens “While many forms of data-driven surveillance are now a ‘fact’ of…
Read More Threat Model Thursday: Technology ConsumersThere’s a new report out from the UK Government, The UK Code of Practice for Consumer IoT Security. One of the elements I want to draw attention to is: The use of IoT devices by perpetrators of domestic abuse is a pressing and deeply concerning problem that is largely hidden from view. Collecting data (and…
Read More IoT Security & Threat ModelingA bunch of people recently asked me about Robert Reichel’s post “How We Threat Model,” and I wanted to use it to pick up on Threat Model Thursdays, where I talk about process and practices. My goal is always to build, and sometimes that involves criticism. So let me start by saying I like the…
Read More Thursday Threat Model: Github’s Approach
Post thumbnail
I get this question a lot: Can distributed/remote training work as well as in person? Especially for threat modeling, where there’s a strong expectation that training involves whiteboards. (I remember one course in particular, about 15 minutes in, the buyer said: “Let’s get to the whiteboards already!”) And there’s no doubt: people learn by doing.…
Read More Can Training Work Remotely?
Post thumbnail
I’ve talked about our new training, and I want to provide a little behind the scenes view. I regularly talk with folks who’ve gone through the pain of developing their own training, or worse, put others through the pain of their alpha-version training, and then paid the price in having to convince people to give…
Read More Behind the Scenes: Training Development
Post thumbnail
I have been lucky through these unprecendented and challenging times, and I’m grateful to have avoided many of the awful problems that others have faced. In my own little way, I spent a lot of time worried that delivering threat modeling training was only possible with us in the same room together. Through the pandemic,…
Read More Threat Modeling Classes
Post thumbnail
I am very excited to announce that Linkedin Learning has released “Threat Modeling: Denial of Service and Elevation of Privilege.” This is the sixth course I’ve done with them, and completes a cycle which starts with “Learning Threat Modeling for Security Professionals,” and then steps through each of the STRIDE threats in depth. (We combined…
Read More Linkedin Learning
Post thumbnail
Abhay Bhargav has a really excellent post on Better OKRs for Security through Effective Threat Modeling. I really like how he doesn’t complain about the communication issues between security and management, but offers up a concrete suggestion for improvement. Key quote: “Effective Threat Modeling by itself can ensure that your OKRs and AppSec Program are…
Read More “Better OKRs Through Threat Modeling”
Post thumbnail
For Data Breach Today, I spoke with Anna Delaney about threat modeling for issues that are in the news right now: “Does your organization have a plan in place if one of your employees is accused via Twitter of being an insurrectionist? If your software was being used to spread plans for a riot, could…
Read More Threat Modeling and Social Issues