NCSC on Good Architecture Diagrams

The UK’s National Computer Security Center has a blog post on Drawing good architecture diagrams.
SDL Article in CACM

Most of my time, I’m helping organizations develop the skills and discipline to build security in. We give the best advice available, and I recognize that we’re early in developing the science around how to build an SDL that works. That’s why I spend time working with academics who can objectively study what we’re working…

Bounce and Range

I want to talk about two books: Bounce, by Matthew Syed and Range, by David Epstein. I want to talk about them together in part because Range is explicitly framed as a response to Bounce. [Update: Bill Gates has selected Range as one of his 5 good books for a lousy year.] Bounce is focused…

The World Needs Hope

A New Hope, even! Happy Star Wars Day!

Threat Model Thursday: Data Flow Diagrams

This week’s threat model Thursday looks at an academic paper, Security Threat Modeling: Are Data Flow Diagrams Enough? by Laurens Sion and colleagues. The short (4 page), readable paper looks at the strengths and weaknesses of forms of DFDs, and what we might achieve with variations on the form and different investments of effort. I…

Worthwhile Books (Q1 2020)

These are the books I read in the first quarter (and forgot to mention last quarter) that I think are worth your time. Cyber Secrets of a Cyber Security Architect, by Brook S. E. Schoenfield. I was honored to write the Foreword, and think there’s a great deal of hard-won wisdom. Sandworm, by Andy Greenberg.…

Power Dynamics in Threat Modeling

On LinkedIn, Peter Dowdall had a very important response to my post on remote threat modeling. Because comments on LinkedIn are a transient resource, I’m going to quote heavily: The team here ran a session with people in the same room using Miro (maybe 1 remote) and we found it stripped the barriers of either…

Answering “What Are We Working On” When Remote

Practicing physical distancing has already dramatically changed how we work, and will continue to do so. Being physically distant means we can’t use a whiteboard to help us talk through “what are we working on?” There are technical facets of threat modeling, like using visual models to show and scope “what are we working on?”…

Medical Device Threat Modeling

Threat modeling figures heavily in the FDA’s thinking. It’s been part of the first cybersecurity pre-market guidance, it was a big part of the workshop on ‘content of premarket submissions,’ etc. There have been lots of questions about how to make that happen. I’ve been working with the FDA and the MDIC, and we have…