Profile of Adam Shostack

Consultant, Entrepreneur, Technologist, Game Designer

News & Commentary Posts: 16

Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack & Associates, and advises startups as a Mach37 Star Mentor. While at Microsoft, Adam drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. He is the author of "Threat Modeling: Designing for Security," and the co-author of "The New School of Information Security."

Articles by Adam Shostack

View Content By Month

When Security Goes Off the Rails

6/6/2019
Cyber can learn a lot from the highly regulated world of rail travel. The most important lesson: the value of impartial analysis.
Post a Comment

20 Years of STRIDE: Looking Back, Looking Forward

3/29/2019
The invention of STRIDE was the key inflection point in the development of threat modeling from art to engineering practice.
Post a Comment

Making the Case for a Cybersecurity Moon Shot

2/19/2019
There are severe and unsolved problems in our industry that justify a sustained effort and substantial investment. It's worth picking one.
Post a Comment

'EFAIL' Is Why We Can’t Have Golden Keys

6/5/2018
A deep dive into the issues surrounding an HTML email attack.
Post a Comment

Risky Business: Deconstructing Ray Ozzie's Encryption Backdoor

5/10/2018
With the addition of secure enclaves, secure boot, and related features of "Clear," the only ones that will be able to test this code are Apple, well-resourced nations, and vendors who sell jailbreaks.
Post a Comment

The Critical Difference Between Vulnerabilities Equities & Threat Equities

11/30/2017
Why the government has an obligation to share its knowledge of flaws in software and hardware to strengthen digital infrastructure in the face of growing cyberthreats.
Post a Comment

CISO Security ‘Portfolios’ Vs. Reporting Structures

8/23/2016
Organizational structure is a tool for driving action. Worrying about your boss’s title won’t help you as much as a better communication framework.
Post a Comment

Security Portfolios: A Different Approach To Leadership

8/11/2016
How grounding a conversation around a well-organized list of controls and their goals can help everyone be, literally, on the same page.
Post a Comment

Security Lessons from My Financial Planner

6/24/2016
Security investments can be viewed as a portfolio. If we think in portfolio terms, we realize that ROI is a backwards-looking measure. What else can we learn from financial planners?
Post a Comment

Revealing Lessons About Vulnerability Research

6/10/2016
It’s not clear why a dozen FBI agents showed up at a security researcher’s door last month but as cyber becomes more a factor in product safety, our judicial system needs to get a better grasp on who the real criminals are.
Post a Comment

Security Lessons from C-3PO, Former CSO of the Millennium Falcon

4/21/2016
The business will take risks. When and how to speak up.
Post a Comment

CAs Need To Force Rules Around Trust

4/4/2016
Google Symantec flap reveals worrisome weakness in the CA system.
Post a Comment

Security Lessons From My Stock Broker

3/17/2016
Or, how to lie with metrics.
Post a Comment

Security Lessons From “The Gluten Lie”

3/10/2016
How faith healers and security vendors have learned what lies work.
Post a Comment

Security Lessons From My Doctor

2/25/2016
Why it’s hard to change risky habits like weak passwords and heavy smoking, even when advice is clear.
Post a Comment

Security Lessons From My Car Mechanic

2/18/2016
What an unlocked oil pan taught me about me about the power of two-way communication between security pros and the organizations they serve.
Post a Comment

Author

Profile of Adam Shostack