Archive for the “threat modeling” category

Do Games Teach Security?

by adam on December 8, 2016

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments Gamification of classroom assignments and (…)

Read the rest of this entry »

Threat Modeling the PASTA Way

by adam on November 30, 2016

There’s a really interesting podcast with Robert Hurlbut Chris Romeo and Tony UcedaVelez on the PASTA approach to threat modeling. The whole podcast is interesting, especially hearing Chris and Tony discuss how an organization went from STRIDE to CAPEC and (…)

Read the rest of this entry »

Secure Development or Backdoors: Pick One

by adam on October 4, 2016

In “Threat Modeling Crypto Back Doors,” I wrote: In the same vein, the requests and implementations for such back-doors may be confidential or classified. If that’s the case, the features may not go through normal tracking for implementation, testing, or (…)

Read the rest of this entry »

FBI says their warnings were ignored

by adam on August 17, 2016

There’s two major parts to the DNC/FBI/Russia story. The first part is the really fascinating evolution of public disclosures over the DNC hack. We know the DNC was hacked, that someone gave a set of emails to Wikileaks. There are (…)

Read the rest of this entry »

Sneak peeks at my new startup at RSA

by adam on February 18, 2016

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, (…)

Read the rest of this entry »

Threat Modeling: Chinese Edition

by adam on February 1, 2016

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into (…)

Read the rest of this entry »

Threat Modeling At a Startup

by adam on December 1, 2014

I’ve been threat modeling for a long time, and at Microsoft, had the lovely opportunity to put some rigor into not only threat modeling, but into threat modeling in a consistent, predictable, repeatable way. Because I did that work at (…)

Read the rest of this entry »

Modeling Attackers and Their Motives

by adam on November 11, 2014

There are a number of reports out recently, breathlessly presenting their analysis of one threatening group of baddies or another. You should look at the reports for facts you can use to assess your systems, such as filenames, hashes and (…)

Read the rest of this entry »

Jolt Award for Threat Modeling

by adam on September 29, 2014

I am super-pleased to report that Threat Modeling: Designing for Security has been named a Jolt Finalist, the first security-centered book to make that list since Schneier’s Secrets and Lies in 2001. My thanks to the judges, most especially to (…)

Read the rest of this entry »

Etsy’s Threat Modeling

by adam on July 10, 2014

Gabrielle Gianelli has pulled back the curtain on how Etsy threat modeled a new marketing campaign. (“Threat Modeling for Marketing Campaigns.”) I’m really happy to see this post, and the approach that they’ve taken: First, we wanted to make our (…)

Read the rest of this entry »