Archive for the “threat modeling” category

Threat Modeling in 2018: Attacks, Impacts and Other Updates

by nsadmin on August 13, 2018

The slides from my Blackhat talk, “Threat Modeling in 2018: Attacks, Impacts and Other Updates,” are now available either as a PDF or in an online viewer.

Threat Modeling Thursday: 2018

by nsadmin on July 26, 2018

Since I wrote my book on the topic, people have been asking me “what’s new in threat modeling?” My Blackhat talk is my answer to that question, and it’s been taking up the time that I’d otherwise be devoting to (…)


Threat Model Thursdays: Crispin Cowan

by nsadmin on July 5, 2018

Over at the Leviathan blog, Crispin Cowan writes about “The Calculus Of Threat Modeling.” Crispin and I have collaborated and worked together over the years, and our approaches are explicitly aligned around the four question frame. What are we working (…)


‘EFAIL’ Is Why We Can’t Have Golden Keys

by adam on June 11, 2018

I have a new essay at Dark Reading, “‘EFAIL’ Is Why We Can’t Have Golden Keys.” It starts: There’s a newly announced set of issues labeled the “EFAIL encryption flaw” that reduces the security of PGP and S/MIME emails. Some (…)


Do Games Teach Security?

by adam on December 8, 2016

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: “Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments.” Gamification of classroom assignments and (…)


Threat Modeling the PASTA Way

by adam on November 30, 2016

There’s a really interesting podcast with Robert Hurlbut, Chris Romeo, and Tony UcedaVelez on the PASTA approach to threat modeling. The whole podcast is interesting, especially hearing Chris and Tony discuss how an organization went from STRIDE to CAPEC and (…)


Secure Development or Backdoors: Pick One

by adam on October 4, 2016

In “Threat Modeling Crypto Back Doors,” I wrote: In the same vein, the requests and implementations for such back-doors may be confidential or classified. If that’s the case, the features may not go through normal tracking for implementation, testing, or (…)


FBI says their warnings were ignored

by adam on August 17, 2016

There are two major parts to the DNC/FBI/Russia story. The first part is the really fascinating evolution of public disclosures over the DNC hack. We know the DNC was hacked, and that someone gave a set of emails to Wikileaks. There are (…)


Sneak peeks at my new startup at RSA

by adam on February 18, 2016

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, (…)


Threat Modeling: Chinese Edition

by adam on February 1, 2016

I’m excited to say that Threat Modeling: Designing for Security is now available in Chinese. This is a pretty exciting milestone for me — it’s my first book translation, and it joins Elevation of Privilege as my second translation into (…)
