Podcasts about shostack

  • 12PODCASTS
  • 16EPISODES
  • 54mAVG DURATION
  • ?INFREQUENT EPISODES
  • Feb 12, 2025LATEST

POPULARITY

20172018201920202021202220232024


Best podcasts about shostack

Latest podcast episodes about shostack

CERIAS Security Seminar Podcast
Adam Shostack, Risk is Not Axiomatic

CERIAS Security Seminar Podcast

Play Episode Listen Later Feb 12, 2025 64:25


This talk will look at how systems are secured at a practical engineering level and the science of risk. As we try to engineer secure systems, what are we trying to achieve and how can we do that? Modern threat modeling offers some practical approaches we can apply today. The limits of those approaches are important, and we'll look at how risk management seems to be treated as an axiom, some history of risk as a discipline, and how we might use that history to build better risk management processes. About the speaker: Adam is the author of Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars. He's a leading expert on threat modeling, a consultant, expert witness, and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft.His accomplishments include:Helped create the CVE. Now an Emeritus member of the Advisory Board.Fixed Autorun for hundreds of millions of systemsLed the design and delivery of the Microsoft SDL Threat Modeling Tool (v3)Created the Elevation of Privilege threat modeling gameCo-authored The New School of Information SecurityBeyond consulting and training, Shostack serves as a member of the Blackhat Review Board, an advisor to a variety of companies and academic institutions, and an Affiliate Professor at the Paul G. Allen School of Computer Science and Engineering at the University of Washington.

Brilliance Security Magazine Podcast
Threat Modeling in Modern Software Development

Brilliance Security Magazine Podcast

Play Episode Listen Later Feb 6, 2023 23:45


In this episode, Steve Bowcut's guest is Adam Shostack. In this discussion focused on Threat Modeling in Modern Software Development, Adam, a threat modeling expert, lends a unique and compelling perspective. Adam offers a glimpse into his work at Shostack & Associates and provides a high-level overview of threat modeling. Steve and Adam discuss the primary benefits of threat modeling, and listeners are provided with an insider's view of the process. Adam talks about his new book: Threats: What Every Engineer Should Learn From Star Wars, explaining why he wrote the book, its target audience, and some of the takeaways from the book. About our Guest Adam is a leading expert on threat modeling and a consultant, entrepreneur, technologist, author, and game designer. He's an Affiliate Professor at the University of Washington, a member of the BlackHat Review Board, and a Linkedin Learning Author. He currently helps many organizations improve their security via Shostack + Associates. Adam is the author of Threats: What Every Engineer Should Learn From Star Wars. Listen in to find answers to all your threat modeling questions.

Too Opinionated
Too Opinionated Interview #288: Stu Shostack

Too Opinionated

Play Episode Listen Later Apr 28, 2022 63:04


Today on Too Opinionated we visit with Television historian, archivist and podcast pioneer Stu Shostack!  Award-winning filmmaker CJ Wallis' latest documentary STU'S SHOW, chronicling the relationship between legendary actress Lucille Ball and TV historian Stu Shostak, premieres on digital May 2, 2022 from Upstream Flix. The story of TV historian and archivist Stu Shostak, the documentary features screen-legends Tony Dow (“Leave it to Beaver”), Michael Cole ("The Mod Squad"), the late Ed Asner (“Lou Grant”), Butch Patrick (“The Munsters”), Academy Award Winner Margaret O'Brien, Geri Jewell and many, many more. Shostak got his start handing out tickets to Norman Lear sitcom tapings to people in Hollywood and parlayed that into doing audience warm-ups prior to tapings for shows such as “All In The Family” and “One Day At A Time”. The film also indirectly tells the story of television legend Lucille Ball who, contrast to popular belief, was an extremely kind and generous person who treated those around her like family. Ball is hired to hold Q&A's at a Los Angeles based College which provides a window of opportunity that alters the course of Stu's life. Shostak's encyclopedic knowledge of Ball's career earns his way into becoming an essential part of her small inner circle as her archivist and assistant to her husband Gary Morton. After Ball passes away, Shostak pioneers what we know now as “podcasting”, hosting internet shows interviewing celebrity cast and crew of the golden age of television. He also co-produces the widely successful LOVING LUCY conventions which welcomed prior cast, crew and superfans from around the world to come together for a few days to celebrate their love of I Love Lucy. At one of these Loving Lucy conventions Stu meets Jeanine Kasun, a music teacher and Lucy super-fan, who noticed Shostak hosting game shows, events and trivia contests. The two speak on the phone at length and eventually begin dating until Jeanine suffers a brain aneurysm and the two, alongside the legends of television, enter into a war with the medical industry to keep her alive. STU'S SHOW will be available on major digital platforms May 2. Want to Preorder: https://itunes.apple.com/us/movie/stus-show/id1620465541 Want to Watch: YouTube Meisterkhan Pod (Please Subscribe)

Chatting About College
"Syracuse Maker Faire" Coming to Onondaga Community College

Chatting About College

Play Episode Listen Later Feb 4, 2022 10:21


Onondaga Community College's SRC Arena will host Central New York's inaugural Maker Faire Syracuse this spring. The event will be held Saturday, April 2 from 10 a.m. to 4 p.m. The event is expected to attract more than 150 "makers" and 1,000 attendees.A Maker Faire is a gathering of fascinating, curious people who enjoy learning and who love sharing what they can do. From engineers to artists to scientists to crafters, Maker Faire is a venue for these "makers" to show hobbies, experiments, and projects.The Call for Makers is now open! Organizers are looking for DIYers, hobbyists, tinkerers, crafters, scientists, robotics experts, artists, cosplayers, and more. Anyone interested in participating can sign up at this link no later than March 1.Tickets for Maker Faire Syracuse are on sale. More information is available on the event ticket page.Volunteers are needed to help make the event a huge success. Information on specific roles is available at the event volunteer page.Maker Faire Syracuse is presented by OCC and the Technology Alliance of Central New York. The Maker Faire Syracuse planning committee includes members from many local organizations and higher education institutions including Syracuse University, Le Moyne College, OCM BOCES, Central New York Library Resource Council, and several librarians and staff members from the Onondaga County Public Libraries system. The event is being co-produced by Mike Cimino of the Fayetteville Free Library and Pauline Shostack of Onondaga Community College's Coulter Library.Shostack is our guest on this edition of our podcast, "Chatting About College." Enjoy the podcast!

Application Security PodCast
Adam Shostack -- Fast, cheap and good threat models

Application Security PodCast

Play Episode Listen Later Dec 15, 2021 31:22


Adam is a leading expert on threat modeling, and a consultant, expert witness, author and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. While not consulting or training, Shostack serves as an advisor to a variety of companies and academic institutions. Adam joins us to talk about fast, cheap, and good threat models. We discuss how Adam defines these categories, the weight of threat modeling, questionnaires/requirements, expertise, and how to make threat modeling conversational. We hope you enjoy this conversation with...Adam Shostack.

Open Web Application Security Project (OWASP) - Portland, Oregon Chapter
Volko Ruhnke, Adam Shostack and Hadas Cassorla - Building Games to Teach Real-World Security

Open Web Application Security Project (OWASP) - Portland, Oregon Chapter

Play Episode Listen Later Jan 23, 2021 68:59


We have three very special guests today. All come from different backgrounds but share a common interest in gaming - the kind that can be used to teach you things, like how to become better at handling security incidents or winning a historical insurrection. This podcast is sponsored by the We Hack Purple Academy.Volko Ruhnke is a renowned wargame designer and educator. He retired as a career analyst with the CIA and as an instructor for the Sherman Kent School for Intelligence Analysis which is responsible for training people in the intelligence community. While working there he became an acclaimed designer of commercial board games - best known for the COIN Series published by GMT Games. Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security. Hadas Cassorla is a security leader in the Portland area. She is the manager of security engineering and platform engineering at Simple Finance in Portland. She also does work with Hackback Gaming as an Incident Master (IM) running teams through dynamic role playing in tabletop incident response scenarios. Hadas is a recovering attorney too who took up improv after finishing law school. Volko Ruhnke, Adam Shostack and Hadas Cassorla are interviewed by David Quisenberry and John L. WhitemanLinks from the Show:Zenobia Award (Board Game Design Contest for Underrepresented Groups)HackBack GamingAdam Shostack's Home PageElevation of PrivilegePhilip Sabin - Simulating War: Studying Conflict through Simulation GamesJeremy Holcomb - The White BoxFollow us:HomepageTwitterMeetupLinkedInYouTube- Become an OWASP member- Donate to our Support the show (https://owasp.org/supporters/)

CISO-Security Vendor Relationship Podcast
Security Is Suffering From DevOps FOMO

CISO-Security Vendor Relationship Podcast

Play Episode Listen Later Sep 22, 2020 33:28


All links and images for this episode can be found on CISO Series (https://cisoseries.com/security-is-suffering-from-devops-fomo/) Darn it. DevOps is having this awesome successful party and we want in! We've tried inserting ourselves in the middle (DevSecOps) and we launched a pre-party (shift left), but they still don't like us. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest this week is Dayo Adetoye (@dayoadetoye), senior manager - security architecture and engineering, Mimecast. Thanks to our sponsor, Capsule8. Capsule8 is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure. On this week’s episode Are we making the situation better or worse? What makes a successful phish? On Sophos' blog Paul Ducklin writes about their most successful phishing emails. Ducklin noted that most of the successful phishes dealt with mundane and undramatic issues that still had a sense of importance. Looking at these examples they do seem to follow a similar pattern of something looking official that is being requested from the company and could you click here to check it out. Is that the majority of what you're testing? If so, what exactly is the value in conducting phishing tests on employees? Can the testing have a negative effect in security or even morale? There’s got to be a better way to handle this What is the right approach to threat modeling? In a blog post, Chris Romeo of Security Journey opines that formal training or tools won't work. Security needs to ask questions of developers about features and then show them how a threat evolves, thus allowing them to ultimately do it themselves. Adam Shostack of Shostack and Associates advocates for formal training. He says Romeo's informal approach to threat modeling sounds attractive, but doesn't work because you're trying to scale threat modeling across developers and if you tell one developer the information it's going to be passed down like a game of telephone where each successive person tells a distorted version of what the last person said. So what's the right approach to building threat models across a DevOps environment? What's Worse?! What's the worst place to find your company assets? Close your eyes and visualize the perfect engagement Shifting Left. DevSecOps, These are the mechanisms that have been used to infuse security into the DevOps supply chain. While noble, both concepts break the philosophy and structure of DevOps which is based on automation, speed, and delivery. But, DevOps is also about delivering quality. So rather than inserting themselves, how does security participate in a way that DevOps already loves? If you haven’t made this mistake, you’re not in security On AskNetSec on reddit, Triffid-oil asked, "What was something that you spent effort learning and later realized that it was never going to be useful?" And let me add to that, it's something either someone told you or you believed for some reason it was critical for your cybersecurity education and you later realized it wasn't valuable at all.

Beyond Reality Paranormal Podcast
Search fir Intelligence in Space - Seth Shostack - BRR CLASSIC

Beyond Reality Paranormal Podcast

Play Episode Listen Later Aug 12, 2020 64:27


SETI Researcher Seth Shostack discusses the effort to find intelligent extraterrestrial life. Books - www.amazon.com/shop/jvjtaps Host - JV Johnson - www.facebook.com/jvjparanormal Patreon - www.patreon.com/johaw --- Support this podcast: https://anchor.fm/brparanormal/support

Software Engineering Radio - The Podcast for Professional Software Developers

Adam Shostack of Shostack & Associates and author of Threat Modeling: Designing for Security discussed different approaches to threat modeling, the multiple benefits it can provide, and how it can be added to an organization’s existing software proc

Brakeing Down Security Podcast
2020-011-Alyssa miller, deep fakes, threatmodeling for Devops environments, and virtual conferences

Brakeing Down Security Podcast

Play Episode Listen Later Mar 24, 2020 70:29


https://twitter.com/AlyssaM_InfoSec/status/1159877471161839617?s=19   Looking forward to sharing my vision for ending the 60 year cycle of bad defense strategies in #infosec and my challenge to think about security in a more effective way. https://sched.co/TAqU @dianainitiative #DianaInitiative2019 #cdwsocial @CDWCorp   1961 - MIT - CTSS - https://en.wikipedia.org/wiki/Compatible_Time-Sharing_System   Egg, coconut, brick ( my example of security --brbr)     Start with critical assets     Layer outward, not perimeter in. Medieval castles     Create the keep, build out from that     Active defenses   Dover Castle - https://en.wikipedia.org/wiki/Dover_Castle#/media/File:1_dover_castle_aerial_panorama_2017.jpg   Detection defenses - watchguards Mitigation defenses - moats - give time/space to respond (network segmentation) Active countermeasures - knights/archers/cannons  DeepFake technology Election year Spoke at RSA Business threat?          “Outsider trading”             “Video of Elon talking about problems - fake…”                 Stocks tank - short https://www.vice.com/en_us/article/ywyxex/deepfake-of-mark-zuckerberg-facebook-fake-video-policy  Could it be done strategically to destabilize things Extort business leaders     Fake videos used to extort    Still difficult to create     What’s the hurdles stopping it from being mainstream?         Huge render farms?   https://www.youtube.com/watch?v=18LN7VQM1aw - deepfake Sharon Stone/ Steve Buscemi   Threat modeling in devSecOps Agile env needs to be quick, fast, and  Build it into user stories Shostack’s method is a bit weighty     How do we implement that in such a way to make dev want to do them?   Organizing Virtual cons     https://Allthetalks.online - April 15         24 hour conference for charity Talks, followed by interactive channels, community generation Virtual Lobbycon Comedian  CFP is open 01 April 2020 Sticker swap!         Bsides Atlanta         27-29 March         https://bsidesatl.org/ - All virtual this weekend!               Infosec Oasis         https://Infosecoasis.com - 18 April   https://mashable.com/article/zoom-conference-call-work-from-home-privacy-concerns/   https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-server-automatic-removal-silent-update-webcam-vulnerability     Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3 #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Open Web Application Security Project (OWASP) - Portland, Oregon Chapter

Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things.He currently helps many organizations improve their security via Shostack & Associates, and advises startups, including as a Mach37 Star Mentor.While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.Adam is interviewed by David Quisenberry, Ben Pirkl and John L. WhitemanSupport the show (https://www.owasp.org/index.php/Membership#tab=Other_ways_to_Support_OWASP)

Application Security PodCast
Adam Shostack — Threat modeling layer 8 and conflict modeling

Application Security PodCast

Play Episode Listen Later Jul 10, 2019 35:56


Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his [...] The post Adam Shostack — Threat modeling layer 8 and conflict modeling appeared first on Security Journey Podcasts.

Brakeing Down Security Podcast
2019-013-ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 2

Brakeing Down Security Podcast

Play Episode Listen Later Apr 7, 2019 56:35


Announcements: SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/ Austin Cybernauts meetup - https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663 SHOW NOTES: Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer. https://github.com/OWASP/ASVS “is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. “   #ASVS team: Daniel Cuthbert @dcuthbert Andrew van der Stock Jim Manico @manicode Mark Burnett Josh C Grossman   https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx   https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing   https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3  - Older BrakeSec Episode   ASVS Page 14 - “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”   What are the biggest differences between V3 and V4? Why was a change needed?  https://xkcd.com/936/ - famous XKCD password comic David Cybuck: Appendix C:  IoT     Why was this added?     These controls are in addition to all the other ASVS controls? How do they see section 1 architecture and section 14, configuration --- in the context of rapid deployment, infrastructure as code, containerization.   You added IoT, but not ICS or SCADA?     https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project   BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3   Seems incomplete… (Section 1.13 “API”)     Will this be added later?     What is needed to fill that in? (manpower, SME’s, etc?)   3 levels of protection… why have levels at all?     Why shouldn’t everyone be at Level 3?     I just don’t like the term ‘bare minimum’ (level 1)--brbr   Threat modeling blog (leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling Adam Shostack ThreatModeling Book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf https://www.youtube.com/watch?v=2C7mNr5WMjA Cost to get to L2? L3? https://manicode.com/ secure coding education   https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!:https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Brakeing Down Security Podcast
2017-036-Adam Shostack talks about threat modeling, and how to do it properly

Brakeing Down Security Podcast

Play Episode Listen Later Oct 29, 2017 94:54


Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3 Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly. We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using. Mr. Boettcher asks how to handle when people believe an OS is better than another, how to do threat modeling to decide which OS should be the one to use.   Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).   RSS: http://www.brakeingsecurity.com/rss Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2  #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast   Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/       SHOW NOTES:   Ideas and suggestions here:   Start with “What is threat modeling?”   What is it, why do people do it, why do organizations do it? What happens when it’s not done effectively, or at all?   At what point in the SDLC should threat modeling be employed? Planning? Development? Can threat models be modified when new features/functionality gets added? Otherwise, are these just to ‘check a compliance box’? Data flow diagram (example) -   process flow External entities Process Multiple Processes Data Store Data Flow Privilege Boundary   Classification of threats- STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security) DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model) PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf Trike -  http://octotrike.org/   https://en.wikipedia.org/wiki/Johari_window   Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf   Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303   NIST CyberSecurity Framework: https://www.nist.gov/cyberframework   Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon Emergent Design:  https://adam.shostack.org/blog/2017/10/emergent-design-issues/   https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf   Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)   Adam’s Threat modeling book http://amzn.to/2z2cNI1 -- sponsored link https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me=   Is the book still applicable? New book   What traps do people fall into?  Attacker-centered, asset-centered approaches Close with “how do I get started on threat modeling?” SecShoggoth’s Class “intro to Re” Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference

In the last year, there have been 45 security incidents compromising the personal information of 9.3 million individuals. What can we do given our current situation? How are we going to successfully secure personal information moving forward? This panel will discuss the future of personal information and its implications on privacy. Joseph Ansanelli is CEO of Vontu, a software company focused on the insider threat. Joseph has spoken to Congress twice in the past twelve months as an advocate of privacy and consumer data standards. Mr. Ansanelli has successfully co-founded and led two other companies and has an extensive track record of developing innovative solutions into successful companies. His first venture, Trio Development's Claris Organizer, was ultimately acquired by Palm, Inc. Mr. Ansanelli holds four patents and received a B.S. in Applied Economics from the Wharton School at the University of Pennsylvania Rich Baich, CISSP, CISM, Chief Information Security Officer, ChoicePoint. Mr. Baich has been working in the Information Security Business for over 10 years and has extensive experience working with government and commercial executives providing risk management and consultative council while developing, improving and implementing security architecture, solutions and policies. He has held security leadership positions as the Cryptolog Officer for the National Security Agency (NSA), Sr. Director Professional Services at Network Associates (now McAfee) and after 9/11 as the Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). Rich is the author of a security executive leadership guidebook, Winning as a CISO. The book is the first-of-its-kind to detail and provide the roadmap to transform security executives from a technical and subject matter expert to a comprehensive well-rounded business executive. He holds a BS from United States Naval Academy, MBA / MSM from University of Maryland University College, and has been awarded the National Security Telecommunications and Information Systems Security (NSTISSI) 4011 Certification and the NSA sponsored Information Systems Security (INFOSEC) Assessment Methodology (IAM) Certification. Adam Shostack is a privacy and security consultant and startup veteran. Adam worked at Zero-Knowledge building and running the Evil Genius group of advanced technology experts, building prototypes and doing research into future privacy technologies, including privacy enhancing networks, credentials, and electronic cash. He has published papers on the security, privacy, as well as economics, copyright and trust. Shostack sits on the Advisory Board of the Common Vulnerabilities and Exposures initiative, the Technical Advisory Board of Counterpane Internet Security, Inc and others. Adam is now an independent consultant. Paul Proctor is a vice president in the security and risk practice of Gartner Research. His coverage includes Legal and Regulatory Compliance, Event Log Management, Security Monitoring (Host/Network IDS/IPS), Security Process Maturity Risk Management Programs, Forensics and Data Classification. Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.

Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference

In the last year, there have been 45 security incidents compromising the personal information of 9.3 million individuals. What can we do given our current situation? How are we going to successfully secure personal information moving forward? This panel will discuss the future of personal information and its implications on privacy. Joseph Ansanelli is CEO of Vontu, a software company focused on the insider threat. Joseph has spoken to Congress twice in the past twelve months as an advocate of privacy and consumer data standards. Mr. Ansanelli has successfully co-founded and led two other companies and has an extensive track record of developing innovative solutions into successful companies. His first venture, Trio Development's Claris Organizer, was ultimately acquired by Palm, Inc. Mr. Ansanelli holds four patents and received a B.S. in Applied Economics from the Wharton School at the University of Pennsylvania Rich Baich, CISSP, CISM, Chief Information Security Officer, ChoicePoint. Mr. Baich has been working in the Information Security Business for over 10 years and has extensive experience working with government and commercial executives providing risk management and consultative council while developing, improving and implementing security architecture, solutions and policies. He has held security leadership positions as the Cryptolog Officer for the National Security Agency (NSA), Sr. Director Professional Services at Network Associates (now McAfee) and after 9/11 as the Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). Rich is the author of a security executive leadership guidebook, Winning as a CISO. The book is the first-of-its-kind to detail and provide the roadmap to transform security executives from a technical and subject matter expert to a comprehensive well-rounded business executive. He holds a BS from United States Naval Academy, MBA / MSM from University of Maryland University College, and has been awarded the National Security Telecommunications and Information Systems Security (NSTISSI) 4011 Certification and the NSA sponsored Information Systems Security (INFOSEC) Assessment Methodology (IAM) Certification. Adam Shostack is a privacy and security consultant and startup veteran. Adam worked at Zero-Knowledge building and running the Evil Genius group of advanced technology experts, building prototypes and doing research into future privacy technologies, including privacy enhancing networks, credentials, and electronic cash. He has published papers on the security, privacy, as well as economics, copyright and trust. Shostack sits on the Advisory Board of the Common Vulnerabilities and Exposures initiative, the Technical Advisory Board of Counterpane Internet Security, Inc and others. Adam is now an independent consultant. Paul Proctor is a vice president in the security and risk practice of Gartner Research. His coverage includes Legal and Regulatory Compliance, Event Log Management, Security Monitoring (Host/Network IDS/IPS), Security Process Maturity Risk Management Programs, Forensics and Data Classification. Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.