Usability – Adam Shostack & friends

2021-04-29 by adam

Threat Model Thursday: Technology Consumers

There’s an interesting paper by Becky Kazansky, ‘It depends on your threat model’: the anticipatory dimensions of resistance to data-driven surveillance. The author critiques ‘anticipatory data practices’, a collection of techniques that include my own work, as presented to civil society activists. It opens “While many forms of data-driven surveillance are now a ‘fact’ of…

2020-11-23 by adam 1 comment

Stencils and Sketch Books

We get many things from whiteboards. One of those is a sense of impermanence – that the work on them is a work in progress. That it’s a sketch, rather than a final product. And I missed whiteboards, so working with my partners at Agile Stationery, we created not only whiteboards, but also stencils to…

2020-08-24 by adam 1 comment

Elevation of Privilege In The Time of Cholera

The Elevation of Privilege game has had way more staying power than I would have expected. But the online experience in this time of global pandemic has left out some of the magic that made it work. So I was really skeptical when Simon Gibbs from Agile Stationery mailed me about an approach to playing…

2020-08-18 by adam 1 comment

Better Taught Than Caught!

So Chris Romeo has a blog post, “Threat modeling: better caught than taught.” In it, he advocates for threat modeling being a skill passed on informally. And, like many things in threat modeling, that’s attractive, sounds fun, and is utterly wrong. Let’s threat model this: What are we working on? Scaling threat modeling across all…

2020-06-09 by adam

Contextualisation of Data Flow Diagrams…

Contextualisation of Data Flow Diagrams for security analysis is a new paper to which I contributed: “Abstract: Data flow diagrams (DFDs) are popular for sketching systems for subsequent threat modelling. Their limited semantics make reasoning about them difficult, but enriching them endangers their simplicity and subsequent ease of take up. We present an approach for…

2020-03-30 by adam

Answering “What Are We Working On” When Remote

Practicing physical distancing has already dramatically changed how we work, and will continue to do so. Being physically distant means we can’t use a whiteboard to help us talk through “what are we working on?” There are technical facets of threat modeling, like using visual models to show and scope “what are we working on?”…

2020-03-19 by adam 3 comments

Threat Modeling with Questionnaires

This post comes from a conversation I had on Linkedin with Clint Gibler. He wrote: One challenge I’ve heard from a number of companies is that, with say 3-5 AppSec engineers supporting 500 – 1000 devs, you can’t TM every story, or even every epic. So what do you focus on? The high risk /…

2019-06-26 by adam 1 comment

Passwords Advice

Bruce Marshall has put together a comparison of OWASP ASVS v3 and v4 password requirements: OWASP ASVS 3.0 & 4.0 Comparison. This is useful in and of itself, and is also the sort of thing that more standards bodies should do, by default. It’s all too common to have a new standard come out without…

2019-05-29 by adam

Polymorphic Warnings On My Mind

There’s a fascinating paper, “Tuning Out Security Warnings: A Longitudinal Examination Of Habituation Through Fmri, Eye Tracking, And Field Experiments.” (It came out about a year ago.) The researchers examined what happens in people’s brains when they look at warnings, and they found that: Research in the fields of information systems and human-computer interaction has…

2019-05-13 by adam

Promoting Threat Modeling Work

Quick: are all the flowers the same species? People regularly ask me to promote their threat modeling work, and I’m often happy to do so, even when I have questions about it. There are a few things I look at before I do, and I want to share some of those because I want to…