Podcast appearances and mentions of adam shostack

“Even though usability and security tradeoffs will always be with us, we can get much smarter. Some of the techniques are really simple. For one, write everything down a user needs to do in order to use your app securely. Yeah, keep writing.”In this episode, we talk about:What is threat modeling and why should product teams and UX designers care about it? (Also check out Adam's first episode on Human-Centered Security).Focus on parts of the user journey where you might gain or lose customers: what tradeoffs between usability and security are you making here?Involve a cross-disciplinary team from the very beginning. This is critiical: “How do we get focused on the parts of the problem that matter so we don't spend forever on the wrong stuff?”Adam Shostack is an expert on threat modeling, having worked at Microsoft and currently running security consultancy Shostack + Associates. He is the author of The New School of Information Security, Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn From Star Wars. Adam's YouTube channel has entertaining videos that are also excellent resources for learning about threat modeling.

In this podcast episode, Nandita Rao Narla explores the reasons why privacy threat modeling programs often fail, such as being expensive with a lot of friction in the development lifecycle, misalignment with organizational strategies focused on compliance rather than risk, and difficulty demonstrating a clear return on investment. Nandita highlights some successful strategies, including leveraging existing security threat modeling resources, simplifying the approach for better adoption like Adam Shostack's four-question framework, aligning with organizational values and culture, and encouraging a mindset of considering what could go wrong. The role of tooling in privacy threat modeling is discussed, with most organizations currently not using many dedicated tools beyond data mapping and asset discovery, while larger companies with mature programs may utilize more advanced tooling. Ultimately, privacy threat modeling represents the next frontier, with a strong privacy program partnering with security threat modeling being the next generation approach.Welcome to Smart Threat Modeling. Devici makes threat modeling simple, actionable, and scalable. Identify and deal with threats faster than ever. Build three free models and collaborate with up to ten people in our Free Forever plan. Get started at devici.com and threat model for free! Smart threat modeling for development teams.

This is a great interview with Adam Shostack on all things threat modeling. He's often the first name that pops into people's heads when threat modeling comes up, and has created or been involved with much of the foundational material around the subject. Adam recently released a whitepaper that focuses on and defines inherent threats. Resources: Here's the Inherent Threats Whitepaper Adam's book, Threat Modeling: Designing for Security Adam's latest book, Threats: What Every Engineer Should Learn from Star Wars We mention the Okta Breach - here's my writeup on it We mention the CSRB report on the Microsoft/Storm breach, here's Adam's blog post on it And finally, Adam mentions the British Library incident report, which is here, and Adam's blog post is here Show Notes: https://securityweekly.com/esw-359

This is a great interview with Adam Shostack on all things threat modeling. He's often the first name that pops into people's heads when threat modeling comes up, and has created or been involved with much of the foundational material around the subject. Adam recently released a whitepaper that focuses on and defines inherent threats. Resources: Here's the Inherent Threats Whitepaper Adam's book, Threat Modeling: Designing for Security Adam's latest book, Threats: What Every Engineer Should Learn from Star Wars We mention the Okta Breach - here's my writeup on it We mention the CSRB report on the Microsoft/Storm breach, here's Adam's blog post on it And finally, Adam mentions the British Library incident report, which is here, and Adam's blog post is here Show Notes: https://securityweekly.com/esw-359

A clear pattern with startups getting funding this week are "autonomous" products and features. Automated detection engineering Autonomously map and predict malicious infrastructure ..."helps your workforce resolve their own security issues autonomously" automated remediation automated compliance management & reporting I'll believe it when I see it. Don't get me wrong, I think we're in desperate need of more automation when it comes to patching and security decision-making. I just don't think the majority of the market has the level of confidence necessary to trust security products to automate things without a human in the loop. The way LimaCharlie is going about it, with their new bi-directional functionality they're talking up right now, might work, as detections can be VERY specific and fine-grained. We've already seen a round of fully automated guardrail approaches (particularly in the Cloud) fail, however. My prediction? Either what we're seeing isn't truly automated, or it will become a part of the product that no one uses - like Metasploit Pro licenses.   We've talked about generative AI in a general sense on our podcast for years, but we haven't done many deep dives into specific security use cases. That ends with this interview, as we discuss how generative AI can improve SecOps with Ely Kahn. Some of the use cases are obvious, while others were a complete surprise to me. Check out this episode if you're looking for some ideas! This segment is sponsored by SentinelOne. Visit https://securityweekly.com/sentinelone to learn more about them!   This is a great interview with Adam Shostack on all things threat modeling. He's often the first name that pops into people's heads when threat modeling comes up, and has created or been involved with much of the foundational material around the subject. Adam recently released a whitepaper that focuses on and defines inherent threats. Resources: Here's the Inherent Threats Whitepaper Adam's book, Threat Modeling: Designing for Security Adam's latest book, Threats: What Every Engineer Should Learn from Star Wars We mention the Okta Breach - here's my writeup on it We mention the CSRB report on the Microsoft/Storm breach, here's Adam's blog post on it And finally, Adam mentions the British Library incident report, which is here, and Adam's blog post is here Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-359

A clear pattern with startups getting funding this week are "autonomous" products and features. Automated detection engineering Autonomously map and predict malicious infrastructure ..."helps your workforce resolve their own security issues autonomously" automated remediation automated compliance management & reporting I'll believe it when I see it. Don't get me wrong, I think we're in desperate need of more automation when it comes to patching and security decision-making. I just don't think the majority of the market has the level of confidence necessary to trust security products to automate things without a human in the loop. The way LimaCharlie is going about it, with their new bi-directional functionality they're talking up right now, might work, as detections can be VERY specific and fine-grained. We've already seen a round of fully automated guardrail approaches (particularly in the Cloud) fail, however. My prediction? Either what we're seeing isn't truly automated, or it will become a part of the product that no one uses - like Metasploit Pro licenses.   We've talked about generative AI in a general sense on our podcast for years, but we haven't done many deep dives into specific security use cases. That ends with this interview, as we discuss how generative AI can improve SecOps with Ely Kahn. Some of the use cases are obvious, while others were a complete surprise to me. Check out this episode if you're looking for some ideas! This segment is sponsored by SentinelOne. Visit https://securityweekly.com/sentinelone to learn more about them!   This is a great interview with Adam Shostack on all things threat modeling. He's often the first name that pops into people's heads when threat modeling comes up, and has created or been involved with much of the foundational material around the subject. Adam recently released a whitepaper that focuses on and defines inherent threats. Resources: Here's the Inherent Threats Whitepaper Adam's book, Threat Modeling: Designing for Security Adam's latest book, Threats: What Every Engineer Should Learn from Star Wars We mention the Okta Breach - here's my writeup on it We mention the CSRB report on the Microsoft/Storm breach, here's Adam's blog post on it And finally, Adam mentions the British Library incident report, which is here, and Adam's blog post is here Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-359

Eric Cabetas joins Robert and Chris for a thought-provoking discussion about modern software security. They talk about the current state of vulnerabilities, the role of memory-safe languages in AppSec, and why IncludeSec takes a highly methodical approach to security assessments and bans OWASP language. Along the way, Eric shares about his entry into cybersecurity and his experience consulting about hacking for TV shows and movies. The conversation doesn't end before they peek into the world of threat modeling, software engineering architecture, and the nuances of running security programs.Helpful Links:Security Engineering by Ross Anderson - https://www.wiley.com/en-us/Security+Engineering%3A+A+Guide+to+Building+Dependable+Distributed+Systems%2C+3rd+Edition-p-9781119642817New School of Information Security by Adam Shostack and Andrew Stewart - https://www.informit.com/store/new-school-of-information-security-9780132800280FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Anja hat heute einen Buchtipp für Euch: Threat Modeling von Adam Shostack.

On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask: What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job? Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/ Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/ Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars https://amzn.to/3PFEv7L Threat Modeling: Designing for Security https://amzn.to/3ZmfLo7 Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/ Transcripts: https://docs.google.com/document/d/1Tu0Xj9QTbVqbVJNMbNRam-FEUvfda3ZS Chapters 00:00 Introduction 06:02 The 4 Questions that allow you to measure twice cut once 09:29 How Data Flow Diagrams help teams 16:04 It's more than just looking at threats 19:23 Chasing the most fluid thing or the most worrisome thing 22:00 All models are wrong and some are useful 26:25 Actionable Remediation 31:05 LLMs and Threat Models

In episode 80 of the We Hack Purple Podcast host Tanya Janca brings on her long-time friend Ray Leblanc of 'Hella Secure' blog. You may remember him from several Alice and Bob Learn streams, or from his cutting sarcasm on social media.Ray and Tanya discussed what they always discuss: AppSec. They compared AppSec responsibility versus business responsibility, how to "put it down" at the end of the day in order to avoid burn out, and that 'perhaps Tanya should learn to stay in her lane?' We covered when bug fixes don't get merged and released, the first year of the brand new conference which focuses only on Threat Modelling (ThreatModCon) and that Tanya will be Adam Shostack's teaching assistant for his course that is part of OWASP Global AppSec the first week of November (get tickets here).  Although Ray professes to be bad at threat modelling on the podcast, if you follow any of his work you know that's absolutely untrue, and Tanya teases him accordingly about it.Ray's Links:https://www.hella-secure.com/https://twitter.com/Raybeornhttps://www.linkedin.com/in/raymondlleblanc/Very special thanks to our sponsor, Semgrep!Semgrep Supply Chain's reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.Get Your Free Trial Here! Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset! Join We Hack Purple! Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community:  A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more! 

Guest: Adam ShostackOn Twitter | https://twitter.com/done_with_thatOn LinkedIn | https://www.linkedin.com/in/shostack/On Mastodon | infosec.exchange/@adamshostack________________________________Host: Alyssa MillerOn ITSPmagazine  

Guest: Adam ShostackOn Twitter | https://twitter.com/done_with_thatOn LinkedIn | https://www.linkedin.com/in/shostack/On Mastodon | infosec.exchange/@adamshostack________________________________Host: Alyssa MillerOn ITSPmagazine  

In this episode, we discuss the four-question framework for threat modeling with its creator, Adam Shostack. We dive deep into the meaning and purpose of each question and how they simplify the threat modeling process. The four questions are: 1) What are we working on? 2) What can go wrong? 3) What are we going to do about it? 4) Did we do a good job? Adam explains that these questions are not a methodology but a foundation for a more practical approach to threat modeling. We also discuss the importance of retrospectives, evolving the framework, and how it can be applied in various situations. Lean into the four questions, and you might become a threat modeling Jedi.

This week's episode is a late Star Wars ("May the 4th Be With You") celebration. We check out a couple interesting articles about security-related lessons embedded in the Star Wars movies, and Perry sits down with Adam Shostack, author of the new book, Threats: What Every Engineer Should Learn From Star Wars to discuss threat modeling principles using Star Wars related examples. Guest: Adam Shostack (LinkedIn) (Twitter) (Website) Books & References (Books are Amazon Associate links) Threats: What Every Engineer Should Learn From Star Wars, by Adam Shostack Threat Modeling: Designing for Security, by Adam Shostack Threat modeling videos from Adam Threat modeling and security-related games by Adam Adam's whitepapers BlackPoint: Learn Their Lesson, They Did Not Gary Hibbard LinkedIn post Perry's Books (Amazon Associate links) Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors, by Perry Carpenter The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer by Perry Carpenter & Kai Roer Perry's new show, Digital Folklore kicked-off Jan 16, 2023. Check out the website (https://digitalfolklore.fm/) to see our custom artwork, subscribe to the newsletter, check out our merch, Patreon, and more. Want to check out what others are saying? Here's some recent press about the show: https://digitalfolklore.fm/in-the-news Voice Acting for this episode: Darth Vader voice over artist: https://business.fiverr.com/freelancers/mistercorley Darth Vader breathing sound: https://www.youtube.com/watch?v=MBi01iy2db8&ab_channel=chefhawk Production Credits: Music and Sound Effects by Blue Dot Sessions, Envato Elements, Storyblocks, & EpidemicSound. 8Li cover art by Chris Machowski @ https://www.RansomWear.net/. 8th Layer Insights theme music composed and performed by Marcos Moscat @ https://www.GameMusicTown.com/ Want to get in touch with Perry? Here's how: LinkedIn Twitter Instagram Email: perry [at] 8thLayerMedia [dot] com

Join us on this week's Ask A CISO podcast where we sit with Adam Shostack, a leading threat modeling expert, consultant, entrepreneur, technologist, author, and game designer with host Jeremy Snyder, Founder and CEO of FireTail.io and Horangi Advisory Board member. They discuss dealing with threats in a comprehensive way, the core of threat modeling, and why everyone can and should threat model - and Adam's latest book 'Threats: What Every Engineer Should Learn From Star Wars' that was published earlier in January. - About Horangi Cybersecurity -- More information about the Ask A CISO podcast: https://www.horangi.com/resources/ask-a-ciso-podcast About Horangi Cyber Security: https://www.horangi.com - About the Guests -- Adam's LinkedIn: https://www.linkedin.com/in/shostack/ Adam's Website: https://shostack.org/

Adam Shostack is widely known in the cybersecurity world for his pioneering work on disclosing and discussing computer vulnerabilities (the CVE  (common vulnerabilities and exposures) list). He also helped formalize and train leading approaches to threat modeling and wrote the foundational book on the subject (Threat Modeling: Designing for Security). In this OODAcast we seek lessons from Adam's career and experiences (which range from startups to nearly a decade at Microsoft, as well as the Blackhat review board, as well as being an Affiliate Professor at University of Washington).  We then dive deep into Adam's most recent book, Threats: What Every Engineer Should Learn from Star Wars Just what does Star Wars have to do with security engineering? Turns out the movies are full of analogies that can really underscore the importance of good design and operational security. The very beginning of A New Hope shows a space fight where the empire is seeking to recover data from a breach. The carrier of that breached data, R2-D2, makes it to the planet below. But somehow knows not to show a special recording to Luke, only to Obi-Wan. That is some high end identity management and authorization there. From this lens Star Wars is not just a space western, it is a cyber espionage thriller. Adam uses the many analogies from Star Wars to make good engineering concepts more memorable and in doing so is doing us all a service. For more see: Adam Shostack on LinkedIn Threats: What Every Engineer Should Learn from Star Wars Threat Modeling: Designing for Security

Adam is one the biggest threat modeling experts in the world, he is an advisor, a lecturer, a game designer, and the author of multiple books, including "Threat Modeling: Designing for Security". His latest book “Threats: What Every Engineer Should Learn From Star Wars” is available now: https://www.amazon.com/Threats-Every-Engineer-Should-Learn/dp/1119895162#:~:text=In%20Threats%3A%20What%20Every%20Engineer,how%20to%20develop%20secure%20systems.During our conversation, Adam mentioned a book by Csikszenmihality, which can be found here:https://www.amazon.com/Finding-Flow-Psychology-Engagement-Everyday-ebook/dp/B086SVQ1MJ/ref=sr_1_1?crid=132R6QL2KYRZU&keywords=finding+flow&qid=1675723854&sprefix=finding+flow%2Caps%2C166&sr=8-1He also mentioned a book called "Don't Bother Me Mom", which can be found here: https://www.amazon.com/Dont-Bother-Me-Mom-Im-Learning/dp/1557788588

In this episode, Steve Bowcut's guest is Adam Shostack. In this discussion focused on Threat Modeling in Modern Software Development, Adam, a threat modeling expert, lends a unique and compelling perspective. Adam offers a glimpse into his work at Shostack & Associates and provides a high-level overview of threat modeling. Steve and Adam discuss the primary benefits of threat modeling, and listeners are provided with an insider's view of the process. Adam talks about his new book: Threats: What Every Engineer Should Learn From Star Wars, explaining why he wrote the book, its target audience, and some of the takeaways from the book. About our Guest Adam is a leading expert on threat modeling and a consultant, entrepreneur, technologist, author, and game designer. He's an Affiliate Professor at the University of Washington, a member of the BlackHat Review Board, and a Linkedin Learning Author. He currently helps many organizations improve their security via Shostack + Associates. Adam is the author of Threats: What Every Engineer Should Learn From Star Wars. Listen in to find answers to all your threat modeling questions.

Having a common framework around vulnerabilities, around threats, helps us understand the infosec landscape better. STRIDE provides an easy mnemonic. Adam Shostack has a new book, Threats: What Every Engineer Should Learn From Star Wars. that uses both Star Wars and STRIDE to help engineers under vulnerabilities and threats in software development. Adam has more than 20 years in the infosec world, and he even helped create the CVE system that we all use today.

In this episode, we talk about: Questions you should be asking to uncover information security threats early on in the design process. How to account for human behavior in a structured way as part of threat modeling (spoiler: this is not so different from what you are doing now). How to collaborate with an interdisciplinary team as part of an iterative design process to improve the user experience of security. Adam Stostack is an expert on threat modeling, having worked at Microsoft and currently running security consultancy Shostack + Associates. He is the author of The New School of Information Security, Threat Modeling: Designing for Security and the forthcoming Threats: What Every Engineer Should Learn From Star Wars. Adam's YouTube channel has entertaining videos that are also excellent resources for learning about threat modeling.

While many in the InfoSec industry try to be all things to all people, sometimes that just isn't a winning strategy? What is? Let's have a chat with Adam Shostack to find out.About the session, "A Fully Trained Jedi, You Are Not"As software organizations try to bring security earlier in the development processes, what can or should regular software or operations engineers know about security? Taking as given that we want them to build secure systems, that demands a shared understanding of the security issues that might come up, and agreement on what that body of knowledge might entail. Without this knowledge, they'll keep building insecure systems. With them, we can have fewer recurring problems that are trivially attackable.Training everyone at a firm is expensive. Even if the training content is free, people's time is not. If you have 1,000 people, one hour per person is half a person year (before any overhead). So there is enormous pressure to keep it quick, ensure it meets compliance standards like PCI, and … the actual knowledge we should be conveying is almost an afterthought. We need to design knowledge scaffolding and tiered approaches to learning, and this talk offers a structure and tools to get there.We don't need every developer to be a fully trained Jedi, and we don't have time to train everyone to that level or even as much as we train security champs. So what could we ask everyone to know, and how do we determine what meets that bar?Be sure to catch all of our conversations from Black Hat and DEF CON 2022 at https://www.itspm.ag/bhdc22____________________________GuestAdam ShostackPresident at Shostack & AssociatesOn LinkedIn | https://www.linkedin.com/in/shostack/On Twitter | https://twitter.com/adamshostack____________________________This Episode's SponsorsCrowdSec | https://itspm.ag/crowdsec-b1vpEdgescan | https://itspm.ag/itspegweb____________________________ResourcesSession | A Fully Trained Jedi, You Are Not: https://www.blackhat.com/us-22/briefings/schedule/#a-fully-trained-jedi-you-are-not-26650____________________________For more Black Hat and DEF CON  Event Coverage podcast and video episodes visit: https://www.itspmagazine.com/black-hat-2022-and-def-con-hacker-summer-camp-las-vegas-usa-cybersecurity-event-and-conference-coverageAre you interested in telling your story in connection with Black Hat and DEF CON by sponsoring our coverage?

While many in the InfoSec industry try to be all things to all people, sometimes that just isn't a winning strategy? What is? Let's have a chat with Adam Shostack to find out.About the session, "A Fully Trained Jedi, You Are Not"As software organizations try to bring security earlier in the development processes, what can or should regular software or operations engineers know about security? Taking as given that we want them to build secure systems, that demands a shared understanding of the security issues that might come up, and agreement on what that body of knowledge might entail. Without this knowledge, they'll keep building insecure systems. With them, we can have fewer recurring problems that are trivially attackable.Training everyone at a firm is expensive. Even if the training content is free, people's time is not. If you have 1,000 people, one hour per person is half a person year (before any overhead). So there is enormous pressure to keep it quick, ensure it meets compliance standards like PCI, and … the actual knowledge we should be conveying is almost an afterthought. We need to design knowledge scaffolding and tiered approaches to learning, and this talk offers a structure and tools to get there.We don't need every developer to be a fully trained Jedi, and we don't have time to train everyone to that level or even as much as we train security champs. So what could we ask everyone to know, and how do we determine what meets that bar?Be sure to catch all of our conversations from Black Hat and DEF CON 2022 at https://www.itspm.ag/bhdc22____________________________GuestAdam ShostackPresident at Shostack & AssociatesOn LinkedIn | https://www.linkedin.com/in/shostack/On Twitter | https://twitter.com/adamshostack____________________________This Episode's SponsorsCrowdSec | https://itspm.ag/crowdsec-b1vpEdgescan | https://itspm.ag/itspegwebPentera | https://itspm.ag/pentera-tyuw____________________________ResourcesSession | A Fully Trained Jedi, You Are Not: https://www.blackhat.com/us-22/briefings/schedule/#a-fully-trained-jedi-you-are-not-26650____________________________For more Black Hat and DEF CON  Event Coverage podcast and video episodes visit: https://www.itspmagazine.com/black-hat-2022-and-def-con-hacker-summer-camp-las-vegas-usa-cybersecurity-event-and-conference-coverageAre you interested in telling your story in connection with Black Hat and DEF CON by sponsoring our coverage?

In this episode, Matt Tesauro hosts Adam Shostack to talk about threat modeling - not only what it is but what Adam has learned from teaching numerous teams how to do threat modeling. Learn what makes a good threat model and some news about a new book from Adam to help further the spread of threat modeling with the end goal of more threat modeling and fewer security surprises. Enjoy! Show Links: - Threats Book site: https://threatsbook.com/ - Resources on Adam's website: https://shostack.org/resources

Josh and Kurt talk to Adam Shostack about his new book "Threats: What Every Engineer Should Learn From Star Wars". We discuss some of the lessons and threats in the Star Wars universe, it's an old code I hear. We also discuss if Star Wars is a better than Star Trek for teaching security (it probably is). It's a fun conversation and sounds like an amazing book. Show Notes Adam Shostack Adam's Website The book

Most people think about threat modeling as an extensive, costly and heavyweight exercise. But what if it didn't have to be? What if threat modeling could be as easy as asking and answering a few simple questions?    In today's episode, we speak with Adam Shostack about his simple four-question threat modeling framework. Adam's framework was developed based on 20+ years of threat modeling experience ranging from startups to more than a decade at Microsoft. He believes deeply that organizations must rethink their approach to threat modeling. In this episode, Adam walks through his framework and teaches us how we should all be approaching threat modeling.  Topics discussed in this episode: Why threat modeling shouldn't only be for organizations with large teams of application security engineers.  How to bridge the gap between the security team focused on threat modeling and the development/engineering team.  How security engineers can support and train their developers on how to incorporate threat modeling into their day-to-day work.  Where threat modeling should fit into your application security program priorities.  The surprising benefits that threat modeling brings — outside of knowing the risks that exist.  How most organizations let perfect be the enemy of good (and what they should be doing instead).  Resources Mentioned:  Shostack white paper — Fast, Cheap, and Good   Shostack 1 minute educational clips on Youtube   Showstack threat modeling resource 

Welcome back to season 2 of the We Hack Purple Podcast! In this episode host Tanya Janca  learns about Threat Modelling with guest Adam Shostack.  He covers his new white paper (Fast, Cheap and Good: An Unusual Tradeoff Available in Threat Modeling) about how to do threat modeling that is cheap, fast AND good! Adam's WhitePapers: https://shostack.org/resources/whitepapers  Adam's "New Thing" newsletter: https://shostack.org/contact Join the We Hack Purple Cyber Security Community: https://community.wehackpurple.com/A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter!  Find us on Apple Podcast, Overcast + Pod 

In this Episode Diana, Sean, and Marco talk about: In this Episode Diana, Sean, and Marco talk about: Cybersecurity Threat Modeling? Why not use some of these principles in our daily life? We talk about it all with our guest - Adam Shostack | Birds Aren't Real, and they are government's drones spying on us - WHAT?! | Is this how SocialMedia manipulate users | The difference between zero-emission and net-zero | And then we get philosophical, again | Through The TechVine Radio Program Episode TwentyEightWe have officially decided to keep Through The TechVine a live recording but Radio Style. We just love old school radio too much!Apart from that, everything else is the usual Tech and Science Topics conversations, some good laughs, and a lot of WHAT IF?! 

Adam is a leading expert on threat modeling, and a consultant, expert witness, author and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. While not consulting or training, Shostack serves as an advisor to a variety of companies and academic institutions. Adam joins us to talk about fast, cheap, and good threat models. We discuss how Adam defines these categories, the weight of threat modeling, questionnaires/requirements, expertise, and how to make threat modeling conversational. We hope you enjoy this conversation with...Adam Shostack.

The topic of today is threat modeling, a practice of identifying and prioritizing potential threats and security mitigations. Our guests are Anne Oikarinen from Nixu, and Nicolaj Græsholt from Eficode. Be sure to check out their profiles on Twitter and LinkedIn: - https://twitter.com/Anne_Oikarinen - https://www.linkedin.com/in/anne-oikarinen - https://twitter.com/figaw - https://www.linkedin.com/in/nicolajgraesholt Related links: Webinar with Bankdata: Compliance and security in the DevOps world https://hubs.li/H0NlrYx0 Books to read: Threat Modeling: Designing for Security, by Adam Shostack, Wiley: https://threatmodelingbook.com/ Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/ Evil user stories: https://www.nixu.com/fi/node/1639 Cyber Bogies card deck: https://github.com/nixu-corp/NixuCyberBogies Explanatory blog for the cards: https://www.nixu.com/fi/blog/gamify-your-threat-modeling-nixu-cyber-bogies Blogs: 1. Mitigate against tampering attacks - Secure your software delivery chain: https://hubs.li/H0NlsPR0 2. Privacy by design: where security meets usability: https://hubs.li/H0NlsTN0

We have three very special guests today. All come from different backgrounds but share a common interest in gaming - the kind that can be used to teach you things, like how to become better at handling security incidents or winning a historical insurrection. This podcast is sponsored by the We Hack Purple Academy.Volko Ruhnke is a renowned wargame designer and educator. He retired as a career analyst with the CIA and as an instructor for the Sherman Kent School for Intelligence Analysis which is responsible for training people in the intelligence community. While working there he became an acclaimed designer of commercial board games - best known for the COIN Series published by GMT Games. Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security. Hadas Cassorla is a security leader in the Portland area. She is the manager of security engineering and platform engineering at Simple Finance in Portland. She also does work with Hackback Gaming as an Incident Master (IM) running teams through dynamic role playing in tabletop incident response scenarios. Hadas is a recovering attorney too who took up improv after finishing law school. Volko Ruhnke, Adam Shostack and Hadas Cassorla are interviewed by David Quisenberry and John L. WhitemanLinks from the Show:Zenobia Award (Board Game Design Contest for Underrepresented Groups)HackBack GamingAdam Shostack's Home PageElevation of PrivilegePhilip Sabin - Simulating War: Studying Conflict through Simulation GamesJeremy Holcomb - The White BoxFollow us:HomepageTwitterMeetupLinkedInYouTube- Become an OWASP member- Donate to our Support the show (https://owasp.org/supporters/)

In this episode, Francesco and Adam Shostack discuss application security and threat modelling. Adam is the author of Threat Modeling: Designing for Security. He helped create CVE (Common Vulnerabilities and Exposure) and is on the review board for Black Hat. He encourages coders and computer engineers to work smarter, not harder. The podcast is brought to you by the generosity of NSC42 Ltd, your cybersecurity partner. Cybersecurity is a complex and different for every organization, and you need the best-tailored service to make sure your customer's data is safe and sound so that you can focus on what's important, focusing on your clients and bringing the best and safest experience.    1:00 Introducing Adam Shostack 6:00 CVE (Common Vulnerabilities and Exposure) 9:46 Finding satisfaction in a job in security 15:00 Frameworks and static analysis 21:22 Threat Modeling 24:50 Work smarter, not harder 29:12 Documentation in DevOps 34:08 4 questions in Threat Modeling 41:32 Positive Message Links Adam Shostack https://adam.shostack.org Twitter @adamshostack https://threatmodelingbook.com https://www.blackhat.com Cyber Security and Cloud Podcast #CSCP http://cybercloudpodcast.com #cybermentoringmonday

All links and images for this episode can be found on CISO Series (https://cisoseries.com/security-is-suffering-from-devops-fomo/) Darn it. DevOps is having this awesome successful party and we want in! We've tried inserting ourselves in the middle (DevSecOps) and we launched a pre-party (shift left), but they still don't like us. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Dayo Adetoye (@dayoadetoye), senior manager - security architecture and engineering, Mimecast. Thanks to our sponsor, Capsule8. Capsule8 is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure. On this week’s episode Are we making the situation better or worse? What makes a successful phish? On Sophos' blog Paul Ducklin writes about their most successful phishing emails. Ducklin noted that most of the successful phishes dealt with mundane and undramatic issues that still had a sense of importance. Looking at these examples they do seem to follow a similar pattern of something looking official that is being requested from the company and could you click here to check it out. Is that the majority of what you're testing? If so, what exactly is the value in conducting phishing tests on employees? Can the testing have a negative effect in security or even morale? There’s got to be a better way to handle this What is the right approach to threat modeling? In a blog post, Chris Romeo of Security Journey opines that formal training or tools won't work. Security needs to ask questions of developers about features and then show them how a threat evolves, thus allowing them to ultimately do it themselves. Adam Shostack of Shostack and Associates advocates for formal training. He says Romeo's informal approach to threat modeling sounds attractive, but doesn't work because you're trying to scale threat modeling across developers and if you tell one developer the information it's going to be passed down like a game of telephone where each successive person tells a distorted version of what the last person said. So what's the right approach to building threat models across a DevOps environment? What's Worse?! What's the worst place to find your company assets? Close your eyes and visualize the perfect engagement Shifting Left. DevSecOps, These are the mechanisms that have been used to infuse security into the DevOps supply chain. While noble, both concepts break the philosophy and structure of DevOps which is based on automation, speed, and delivery. But, DevOps is also about delivering quality. So rather than inserting themselves, how does security participate in a way that DevOps already loves? If you haven’t made this mistake, you’re not in security On AskNetSec on reddit, Triffid-oil asked, "What was something that you spent effort learning and later realized that it was never going to be useful?" And let me add to that, it's something either someone told you or you believed for some reason it was critical for your cybersecurity education and you later realized it wasn't valuable at all.

Threat modeling is a key to securing businesses, governments and individuals in a hacker-happy world. Its principles can be applied to disaster risk reduction (DRR), climate change adaptation (CCA) & other fields. Listen to Cybersecurity expert Adam Shostack in "Cybersecurity, Threat Modeling & in an Up & Down World" (Multi-Hazards Podcast S02 E19). Check out the Study Guide, click on the top left "PDF": https://multi-hazards.libsyn.com/cybersecurity-threat-modeling-in-an-up-down-world-conversation-with-adam-shostack Adam Shostack Bio Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the Common Vulnerabilities and Exposures (CVE) system and many other things. He currently helps many organisations improve their security via Shostack & Associates, and advises startups including as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the Security Development Lifecycle (SDL) Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security. If you'd like help threat modeling, or engineering more secure systems in general, take a look at his consulting pages at https://adam.shostack.org.

ITSPmagazine | Conversations At the Intersection of Technology, Cybersecurity, and Society. The Unusual Gatherings Talk Show A few years ago, we decided to set up camp at a crossroads where people from a wide variety of backgrounds, cultures, and professions happen to walk by. We invite them to stop, rest a bit, and join our conversations — most of them gladly do. We call these encounters Unusual Gatherings. Co-Host: Diana Kelley Guest: Adam Shostack Hosts: Sean Martin | Marco Ciappelli Threat Modeling Technology, Business, Humans, and Society Threats? What? When? Why? I'll worry when and if the time comes. And life goes on smoothly as usual — until it doesn't. We invited our friend Diana Kelley to join us once more on our talk show, Unusual Gatherings, but instead of being the guest, she would be our co-host bringing a guest of her choosing. She knows we like to talk about technology and humanity, and that we love time traveling through the past, present, and future of this weird relationship -- and to get philosophical about it too. So she invited Adam Shostack to be her guest on the show. What a perfect choice. He wrote THE BOOK on Threat Modeling and can apply that way of thinking to software, technological systems, business, organizations, complex systems, social media, news manipulations, CyberSecurity, social engineering, group sociology, animal behaviors, everything that makes us humans, our relationships, and our society as a whole — pretty much, life. What are we working on? What can go wrong? What are we going to do about it? And did we do a good job? If you think about it for a second, these actually have nothing to do with technology. You can apply them anywhere. Truth? We're all faced with different threats every day, and probably most of us don't even realize it. Bigger truth? "If you want to avoid problems and don't have donuts, you have a problem." Listen up, and it will all make sense. Well, most of it. __________________________________ For more Unusual Gatherings: www.itspmagazine.com/unusual-gatherings __________ Interested in sponsoring an ITSPmagazine Channel? Visit: www.itspmagazine.com/talk-show-sponsorships

Adam Shostack of Shostack & Associates and author of Threat Modeling: Designing for Security discussed different approaches to threat modeling, the multiple benefits it can provide, and how it can be added to an organization’s existing software proc

Adam Shostack is a leading expert on threat modeling, and consultant, entrepreneur, technologist, author and game designer. He has taught threat modeling at a wide range of commercial, non-profit and government organizations. Adam joins us to discuss his new white paper called the Jenga View of Threat Modeling. For season 7 and beyond, we've launched [...] The post Adam Shostack — The Jenga View of Threat Modeling appeared first on Security Journey Podcasts.

Today's guest on Cyber Security Matters is Adam Shostack. After working at Microsoft for close to 10 years, solving important security problems and influencing the design of products such as Microsoft Windows, Office & Xbox, Adam became a cyber security advisor for startups and SMBs. Adam speaks in plain language about his simple approach to cyber security, using models to help non-technical business decision makers think about cyber security. He leads organizations to ask: What are we working on? What can go wrong? What can we do about it? Did we do a good job? Using Zoom as a recent example, Adam explains that the lesson to learn is to shift the cyber security conversation to the beginning of building and securing products, services and business processes. Pay the cyber security debt early on (do security by design vs. bolting it on after the fact) so that you don't have to be paying it over and over again down the road and end up paying so much more than what was necessary. --- Cyber Security Matters is a partnered program of Conversations That Matter. This show is produced by Oh Boy Productions, video production, podcast and vidcast specialists located in Vancouver. To find out more, go to http://www.ohboy.ca #cybersecurity #computers #cybersec

Adam joins us to discuss remote threat modeling, and we do a live threat modeling exercise to figure out how remote threat modeling actually works. If you want to see the screen share as we figure out remote threat modeling, check out the Youtube version of the episode. Bio: Adam Shostack is a leading expert [...] The post Adam Shostack — Remote Threat Modeling appeared first on Security Journey Podcasts.

Adam Shostack's reputation speaks for itself. A renowned threat modelist, Adam is a consultant, entrepreneur, technologist, game designer, and educator. Among his many achievements, he helped launch the CVE, drove the Autorun fix into Windows Update, and authored the foundational text on threat modeling. He joined our podcast to discuss the history of information security, his triumphs and challenges in computer science, how he sees technology changing, and where interpersonal skills play a critical role in the field.

Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things.He currently helps many organizations improve their security via Shostack & Associates, and advises startups, including as a Mach37 Star Mentor.While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.Adam is interviewed by David Quisenberry, Ben Pirkl and John L. WhitemanSupport the show (https://www.owasp.org/index.php/Membership#tab=Other_ways_to_Support_OWASP)

Sam spoke with Adam Shostack about being an entrepreneur, technologist, author and game designer, focused on improving security outcomes for customers and the industry as a whole. Adam has created a wide variety of companies and organizations, software, new analytic frameworks, as well as books, games and other forms of communication at startups and at […] The post S2:E5 Adam Shostack – Consultant and advisor delivering strategic security and privacy innovation appeared first on Malicious Life.

Threat modeling, secrets, mentoring, self-care, program building, and much more. Clips from Georgia Weidman, Simon Bennetts, Izar Tarandach, Omer Levi Hevroni, Tanya Janca, Björn Kimminich, Caroline Wong, Adam Shostack, Steve Springett, Matt McGrath, Brook Schoenfield, and Ronnie Flathers. The post Season 5 Finale — A cross section of #AppSec appeared first on Security Journey Podcasts.

Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his [...] The post Adam Shostack — Threat modeling layer 8 and conflict modeling appeared first on Security Journey Podcasts.

If you've done anything with threat modeling, you've heard of Adam Shostack. We asked him the question, "why would anyone threat model?". The post Adam Shostack – Threat Modeling – 5 Minute AppSec appeared first on Security Journey Podcasts.

What am I working on? What can go wrong? What am I going to do about it? Did I do a good job? These are the four questions at the heart of threat modeling In this episode, I speak with Adam Shostack, author of Threat Modeling: Designing for Security. We talk through how to begin threat modeling and the expectations of using modeling. Adam walks through the history of threat modeling, including his creation of the Elevation of Privilege game.

Adam Shostack is the author of the book titled Threat Modeling: Designing for Security (Wiley, 2014). He also is a co-author of The New School of Information Security (Addison-Wesley, 2008). Adam is a veteran in the cyber security industry having spent over eight years with Microsoft where he focused on threat model tools and techniques. In this episode Ron and Adam discuss the ROI of threat modeling as well as address the fear security practitioners sometimes have with the agile development process. Adam leaves us with his top three items business leaders must know! Don't miss it. Reach Adam on Twitter:@adamshostack Threat Modeling Book:https://threatmodelingbook.com

My guest today is Adam Shostack. Adam is a consultant, entrepreneur, technologist, game designer, and author of the book Threat Modelling: Designing for Security. I invited Adam to talk security and discuss a concept he designed that is called threat modelling. I love thee simplicity of the concept and appreciate the fact that Adam understands the complexity of security and was able to distill it into an actionable security program. Our conversation is versatile, covering technical areas and goes up to the board level. If you have an interest in making security simple, and if your instinct tells you that defense is the new offence, you will enjoy listening to this podcast episode. Major Take-Aways From This Episode: What is Threat Modelling and why CIOs need to do it? The definition of STRIDE Concept. What are the common traps associated with STRIDE? How does Threat Modelling differ from the similar government-style programs? What questions you need to ask when you threat model? Why is it important for CIOs to threat model and how does it help with communication at the board level? About Adam Shostack Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped found the CVE and many other things. He's currently helping a variety of organizations improve their security, and advising startups as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security. Read full transcript here. How to get in touch with Adam Shostack LinkedIn Twitter Key Resources: More information about Adam Shostack can be found at his website: https://adam.shostack.org/ Threat Modelling: Designing for Security, Adam Shostack Checklist Manifesto, Atul Gawande Leave a Review If you enjoyed this episode, then please consider leaving an iTunes review here Click here for instructions on how to leave an iTunes review if you're doing this for the first time. Credits: * Outro music provided by Ben’s Sound Other Ways To Listen to the Podcast iTunes | Libsyn | Soundcloud | RSS | LinkedIn   About Bill Murphy Bill Murphy is a world renowned IT Security Expert dedicated to your success as an IT business leader. Follow Bill on LinkedIn and Twitter.

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3 Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly. We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using. Mr. Boettcher asks how to handle when people believe an OS is better than another, how to do threat modeling to decide which OS should be the one to use.   Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).   RSS: http://www.brakeingsecurity.com/rss Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2  #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast   Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/       SHOW NOTES:   Ideas and suggestions here:   Start with “What is threat modeling?”   What is it, why do people do it, why do organizations do it? What happens when it’s not done effectively, or at all?   At what point in the SDLC should threat modeling be employed? Planning? Development? Can threat models be modified when new features/functionality gets added? Otherwise, are these just to ‘check a compliance box’? Data flow diagram (example) -   process flow External entities Process Multiple Processes Data Store Data Flow Privilege Boundary   Classification of threats- STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security) DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model) PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf Trike -  http://octotrike.org/   https://en.wikipedia.org/wiki/Johari_window   Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf   Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303   NIST CyberSecurity Framework: https://www.nist.gov/cyberframework   Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon Emergent Design:  https://adam.shostack.org/blog/2017/10/emergent-design-issues/   https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf   Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)   Adam’s Threat modeling book http://amzn.to/2z2cNI1 -- sponsored link https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me=   Is the book still applicable? New book   What traps do people fall into?  Attacker-centered, asset-centered approaches Close with “how do I get started on threat modeling?” SecShoggoth’s Class “intro to Re” Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model

On this episode, Robert and I are joined by Adam Shostack (@adamshostack). Adam is a well known speaker and thought leader in the world of application security. We speak with Adam about how to connect with development teams. This all started about a year ago, when Adam tackled the issue of thinking like a hacker, [...] The post Interview: Think like an Attacker or Accountant? (S01E16) – Application Security PodCast appeared first on Security Journey Podcasts.

How do you look at the potential security threats in your organization? Richard talks to Robert Hurlbut about threat modeling. Robert talks out talking about we all threat model in our day-to-day lives, after all, we put locks on doors and windows for a reason. But when applied to technology, things get more complex. Are you resisting specific attacks or casual hackers? How much security is enough? Robert references the book Threat Modeling by Adam Shostack and the acronym STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation as an approach to planning the overall threat models to your software, systems and organization.

This episode introduces the new Microsoft Threat Modeling Tool 2014.  No more requirement for Visio..  woohoo.   Lots of talk about threat modeling and its benefits.   Threat Modeling Tool 2014: http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi   Threat Modeling (book by Adam Shostack): http://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/

Kurt Baumgartner of Kaspersky Labs joins us to talk about Red October, a research paper that he co-authored, along with the other areas that he works on at Kaspersky. It's time for another Drunken Security News. Much of the gang was on the road this week so Patrick Laverty sat in with Paul and Engineer Steve for the show, plus Jack's epic beard called in via Skype from lovely Maryland. First, Paul admitted it was a stretch to bring this into a security context but he wanted to talk about an article that he found in The Economist (via Bruce Schneier) about one theory that if the US would simply be nicer to terrorists, release them from Guantanamo Bay, Cuba and stop hunting them down around the world, that they would in turn be nicer to us. Also, fewer would pop up around the world. The thinking is that jailing and killing them turns others into terrorists. So here's the leap. Can the same be said for black hat hackers? If law enforcement agencies stop prosecuting the hackers, will they be nicer and will there be fewer of them? I think we all came to the same conclusion. "Nah." Paul also found an Adam Shostack article about how attention to the tiniest details can be important to the largest degree. The example given was the vulnerability to the Death Star in the original Star Wars movie was so small and the chances of it being exploited were so remote that the Empire overlooked it, Grand Moff Tarkin even showing his arrogance shortly before his own demise. The same can be said for our systems. It might be a tiny hole and maybe you think that no one would look for it and even if they do, what are the chances they both find it and exploit it? In some cases, it can have quite dire consequences. The Empire overlooked a small vulnerability that they shouldn't have. Are you doing the same with your systems? Did we happen to mention that Security BSides Boston is May 18 at Microsoft NERD in Cambridge, MA and Security BSides Rhode Island is June 14th and 15th in Providence, RI. Good seats and good conference swag are still available. We all hope to see you there! The Onion's Twitter account was breached by the Syrian Electronic Army and they handled it a way that only The Onion can, making light of both themselves and the SEA. Additionally, possibly for the first time ever, The Onion published a non-parody post about exactly how the breach occurred. Additionally, the National Republican Congressional Committee (NRCC) web site got spam hacked/defaced with Viagra ads. The only thing we were wondering is, are we sure it was hacked and not just a convenient online pharmacy for their members? A new whitepaper was released from MIT talking about "Honeywords". The problem being solved here is creating a way for server admins to know sooner when a passwords file has been breached on a server. In addition to the correct password, this new system would add a bunch of fake passwords as well. When the attacker starts trying usernames and passwords, if they use one of the fake passwords, the server admin would be notified that someone is doing that and it is very likely that the passwords file has been breached. It's an interesting concept to ponder. Jack had an article from Dennis Fisher at Threatpost, asking the question about what's the point of blaming various people for cyberespionage if we don't have a plan to do something about it. The NSA also has its own 643 page document telling its members how to use Google to find things like Excel documents in Russian that contain the word "login". Wait, I feel like I've heard of this somewhere before. Oh yeah, that's right. Johnny Long was talking about Google Hacking at least as far back as 2007. It's just interesting some times to see things that the media gets wind of and without the slightest bit of checking, thinks something is "new".

Synopsis Greetings fans, this episode promises to be a great one with the likes of Adam Shostack starting off talking about what the whole concept of "New School Security" is all about, and how it differs from the way we've all done it for the past 15+ years.  Adam and I talked through some new interesting ideas for moving the information security community and discipline forward, and even commented on how we can start to overcome the security community's focus on 'secrecy' when things go wrong.  How do security professionals understand what the desired outcomes should be, then start to move towards implemting pragmatic approaches to move closer to those desired outcomes - because in the end it's really about business and getting it done, not about 'security'. You will be sorry if you miss this episode! Guest Adam Shostack - Adam Shostack is a principal program manager on the Usable Security team in Trustworthy Computing. As part of ongoing research into classifying and quantifying how Windows machines get compromised, he recently led the drive to change Autorun functionality on pre-Win7 machines; the update has so far improved the protection of nearly 400 million machines from attack via USB. Prior to Usable Security, he drove the SDL Threat Modeling Tool and the Elevation of Privilege threat modeling game as a member of the SDL core team. Before joining Microsoft, Adam was a leader of successful information security and privacy startups, and helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He is co-author of the widely acclaimed book, The New School of Information Security. Links Adam on Twitter: @AdamShostack The New School Security blog: http://newschoolsecurity.com/

Tune in to Paul's Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel. Adam Shostack Interview: Drunken Security News Weekly #277: Episode 277 Show Notes Episode 277 - Direct Audio Download (mp3) Episode Hosts: Paul Asadoorian, Host of Security Weekly and Stogie Geeks Larry Pesce, Host of Hack Naked At Night John Strand, Host of Hack Naked TV Carlos Perez, Security Weekly Espanol Audio Feeds: Video Feeds:

In the last year, there have been 45 security incidents compromising the personal information of 9.3 million individuals. What can we do given our current situation? How are we going to successfully secure personal information moving forward? This panel will discuss the future of personal information and its implications on privacy. Joseph Ansanelli is CEO of Vontu, a software company focused on the insider threat. Joseph has spoken to Congress twice in the past twelve months as an advocate of privacy and consumer data standards. Mr. Ansanelli has successfully co-founded and led two other companies and has an extensive track record of developing innovative solutions into successful companies. His first venture, Trio Development's Claris Organizer, was ultimately acquired by Palm, Inc. Mr. Ansanelli holds four patents and received a B.S. in Applied Economics from the Wharton School at the University of Pennsylvania Rich Baich, CISSP, CISM, Chief Information Security Officer, ChoicePoint. Mr. Baich has been working in the Information Security Business for over 10 years and has extensive experience working with government and commercial executives providing risk management and consultative council while developing, improving and implementing security architecture, solutions and policies. He has held security leadership positions as the Cryptolog Officer for the National Security Agency (NSA), Sr. Director Professional Services at Network Associates (now McAfee) and after 9/11 as the Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). Rich is the author of a security executive leadership guidebook, Winning as a CISO. The book is the first-of-its-kind to detail and provide the roadmap to transform security executives from a technical and subject matter expert to a comprehensive well-rounded business executive. He holds a BS from United States Naval Academy, MBA / MSM from University of Maryland University College, and has been awarded the National Security Telecommunications and Information Systems Security (NSTISSI) 4011 Certification and the NSA sponsored Information Systems Security (INFOSEC) Assessment Methodology (IAM) Certification. Adam Shostack is a privacy and security consultant and startup veteran. Adam worked at Zero-Knowledge building and running the Evil Genius group of advanced technology experts, building prototypes and doing research into future privacy technologies, including privacy enhancing networks, credentials, and electronic cash. He has published papers on the security, privacy, as well as economics, copyright and trust. Shostack sits on the Advisory Board of the Common Vulnerabilities and Exposures initiative, the Technical Advisory Board of Counterpane Internet Security, Inc and others. Adam is now an independent consultant. Paul Proctor is a vice president in the security and risk practice of Gartner Research. His coverage includes Legal and Regulatory Compliance, Event Log Management, Security Monitoring (Host/Network IDS/IPS), Security Process Maturity Risk Management Programs, Forensics and Data Classification. Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.

In the last year, there have been 45 security incidents compromising the personal information of 9.3 million individuals. What can we do given our current situation? How are we going to successfully secure personal information moving forward? This panel will discuss the future of personal information and its implications on privacy. Joseph Ansanelli is CEO of Vontu, a software company focused on the insider threat. Joseph has spoken to Congress twice in the past twelve months as an advocate of privacy and consumer data standards. Mr. Ansanelli has successfully co-founded and led two other companies and has an extensive track record of developing innovative solutions into successful companies. His first venture, Trio Development's Claris Organizer, was ultimately acquired by Palm, Inc. Mr. Ansanelli holds four patents and received a B.S. in Applied Economics from the Wharton School at the University of Pennsylvania Rich Baich, CISSP, CISM, Chief Information Security Officer, ChoicePoint. Mr. Baich has been working in the Information Security Business for over 10 years and has extensive experience working with government and commercial executives providing risk management and consultative council while developing, improving and implementing security architecture, solutions and policies. He has held security leadership positions as the Cryptolog Officer for the National Security Agency (NSA), Sr. Director Professional Services at Network Associates (now McAfee) and after 9/11 as the Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). Rich is the author of a security executive leadership guidebook, Winning as a CISO. The book is the first-of-its-kind to detail and provide the roadmap to transform security executives from a technical and subject matter expert to a comprehensive well-rounded business executive. He holds a BS from United States Naval Academy, MBA / MSM from University of Maryland University College, and has been awarded the National Security Telecommunications and Information Systems Security (NSTISSI) 4011 Certification and the NSA sponsored Information Systems Security (INFOSEC) Assessment Methodology (IAM) Certification. Adam Shostack is a privacy and security consultant and startup veteran. Adam worked at Zero-Knowledge building and running the Evil Genius group of advanced technology experts, building prototypes and doing research into future privacy technologies, including privacy enhancing networks, credentials, and electronic cash. He has published papers on the security, privacy, as well as economics, copyright and trust. Shostack sits on the Advisory Board of the Common Vulnerabilities and Exposures initiative, the Technical Advisory Board of Counterpane Internet Security, Inc and others. Adam is now an independent consultant. Paul Proctor is a vice president in the security and risk practice of Gartner Research. His coverage includes Legal and Regulatory Compliance, Event Log Management, Security Monitoring (Host/Network IDS/IPS), Security Process Maturity Risk Management Programs, Forensics and Data Classification. Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.