I've been putting off sending a professional email since July because I've dreaded the response.

I sent it today, and received a reply of "no worries that's fine" in about three minutes.

I will learn nothing from this.

At JPL they do amazing things, many of them one offs. How should we think about the risk of a unique event? Note that this isn’t a coin flip, where we can measure across many events, and use those flips to test our theories. Consider the Sky Crane. As my guide described to me, it’s the least […]

I'm pleased to release our latest whitepaper, Understanding the Four Question Framework for Threat Modeling! It’s free as part of our Black Friday sale, and uhhh, because we like sharing knowledge it’ll remain free.

shostack.org/whitepapers/...

New blog/whitepaper release:

Shostack + Associates is pleased to release our latest whitepaper, Understanding the Four Question Framework for Threat Modeling! It’s free as part of our Black Friday sale, and uhhh, because we like sharing knowledge it’ll […]

[Original post on infosec.exchange]

What are some accessible Infosec & Opsec resources that activists, journalists, and organizers can turn to in preparation for the Trump admin?

Preparing for a fascist regime can feel scary and paralyzing. This seems like an area where people can take control w/ concrete steps.

Please share below 👇🏽

For Threat Model Thursday, let’s look at Threat Modeling with ATT&CK from MITRE. As always with Threat Model Thursday, my goal is to respectfully engage with interesting work and ask what we can learn from it. This one is particularly interesting because […]

[Original post on infosec.exchange]

Most security teams are treating LLMs like any other API endpoint.

But these models introduce unique risks that traditional security controls weren't designed to handle.

This GenAI threat modeling guide from AWS can be of great help:

aws.amazon.com/blogs/securi...