Adam Shostack: “Threat Modeling: Designing for Security”

Adam Shostack is a leading cybersecurity specialist and the author of Threat Modeling: Designing for Security (Wiley, 2014). He’s also the President of Shostack & Associates, which he founded in 2017.

Since its publication, Mr. Shostack’s book has received strong reviews on platforms such as Amazon, and it remains in high demand.

“Adam’s Threat Modeling: Designing for Security is a must and required reading for security practitioners,” begins one such review. “Threat modeling should become standard practice within security programs and Adam’s approachable narrative on how to implement threat modeling resonates loud and clear.”

If you’d like to get in touch with Adam Shostack and his team at Shostack & Associates for help with threat modeling or with engineering more secure systems, head to his website. You can also read an excerpt from his book at vpnMentor.



Adam Shostack: Positive Reputation

Adam Shostack is a consultant, entrepreneur, technologist, author and game designer with years of experience in his field, much of which he spent working with Microsoft. Today, he’s serving as the President of Shostack & Associates in the Greater Seattle Area, and he continues to build on his already positive reputation.

Below, for example, is one of many shining recommendations from Adam Shostack’s LinkedIn profile, written by a former colleague:

“Adam’s work was cutting edge. His technical implementations embody a particularly lucid view of privacy for individuals and organizations.”

For those who’d like more information about Adam Shostack and his company, Shostack & Associates, click through to his personal website. There, you can access his firm’s website, sign up for his mailing list, check out his work as an author and explore his list of career accomplishments. You can also watch an excerpt from Mr. Shostack’s recent interview on threat modeling.


Adam Shostack: Information Security Visionary

Adam Shostack is an information security specialist with more than a decade of experience and several successful startups to his name. He’s also the founder and President of Shostack & Associates, which launched in 2017, and the author of Threat Modeling: Designing for Security (Wiley, 2014). Mr. Shostack’s peers and clients hold him in high regard and he has received numerous shining recommendations for his excellence.

For example, the following recommendation is from Adam Shostack’s LinkedIn profile:

“Adam holds a place in the evolution of privacy as a consumer, business and regulatory issue,” wrote his colleague. “An exceptional mind and visionary.”

Looking for more information on Adam Shostack’s career as a cyber security specialist, author and consultant? If so, head to his profile on Dark Reading. There, you can find a list of the content he has produced along with upcoming live events.


Adam Shostack: Recent Addition to the Continuum Security Advisory Board

Noted threat modeling expert Adam Shostack is proud to serve on the Continuum Security Advisory Board – a role that was made official in May of 2018. As a member of the Board, Shostack looks to contribute his considerable knowledge of and expertise in threat modeling and information security toward the development of solutions that make security a key component of the development lifecycle.

Continuum Security builds the tools that information security and development professionals need to test and manage software security. Its aim is to develop processes and tools that fit within the normal development process, rather than bolting on an extra step that slows development down. Continuum is the company behind IriusRisk, its threat modeling product, which is used to create threat models and manage application risk throughout development.

Continuum officially announced Shostack’s appointment to the Advisory Board in May 2018.

Adam Shostack: A Closer Look at Threat Modeling

With 2014’s Threat Modeling: Designing for Security, renowned threat modeling expert Adam Shostack aims not only to introduce software developers and security professionals to this now essential skill, but also to provide lasting lessons and tips for identifying, preparing for and preventing security threats.

Through Threat Modeling: Designing for Security, Adam Shostack aims to:

• Give software developers and security professionals an accessible how-to guide for designing more secure systems and products.

• Show security professionals how to threat model – as well as to provide an exploration of various threat modeling approaches, such as software-centric, attacker-centric and asset-centric.

• Provide actionable advice that isn’t tethered to any specific programming language, operating system or software.

Threat Modeling: Designing for Security is the only information security book to have been selected as a finalist for the Dr. Dobb’s Jolt Award since Secrets and Lies and Applied Cryptography.

Adam Shostack: Answering the Tough Questions on Information Security

Adam Shostack and Andrew Stewart are the authors of 2008’s The New School of Information Security – a book that seeks not only to answer the tough questions about information security, but also to provide anyone from CIOs and IT managers to company security specialists a new way of thinking when it comes to identifying, addressing and resolving the most complex and urgent security problems facing the modern organization.

As experts in information security, Adam Shostack and Andrew Stewart offer unique insight into the challenges faced throughout the field of security – as well as:

• How to gather the evidence needed to make better decisions when it comes to information security.

• Why collaboration is so essential to improving cybersecurity in the current era, and how the industry can come together to take significant leaps forward.

• What security industry leaders can learn from other scientific fields when it comes to improving security.

Adam Shostack: Threat Modeling in 2018

Adam Shostack authored Threat Modeling: Designing for Security, one of the few information security books ever selected as a finalist for the Dr. Dobb’s Jolt Award.

Watch the video to hear Adam Shostack on the state of threat modeling in 2018.


Adam Shostack: Past Client Successes

Adam Shostack offers clients the best in information security consulting – providing custom security solutions that include anything from complex, technical security problem-solving to comprehensive business strategy services.

As President of Shostack & Associates, Shostack aims to deliver value to clients and organizations of all sizes around the globe, and to ensure their particular security problems are addressed and resolved as thoroughly as possible.

To date, Adam Shostack and the Shostack & Associates team have delivered:

  • Go-to-market advice for a small security startup.

  • Complete qualification training and product analysis to a government organization.

  • Design and rollout of the security development lifecycle for a high-profile manufacturer.

  • A full review of the security process for a top banking institution.

  • One-on-one threat modeling training of 75 security engineers at a top technology firm.

Shostack & Associates offers clients the value and unique perspective that only comes from years of information security experience, training and expertise.


Adam Shostack: Security Risks Associated with USB Devices

As an information and cybersecurity expert, Adam Shostack focuses on providing clients with security solutions that improve security outcomes for their organizations. While at Microsoft, Shostack was instrumental in fixing the Windows Autorun malware problem that had plagued Windows machines since Windows 95, and he now warns users about the security risks that come with USB devices.

Most individuals know they should never insert an unknown USB device into their computer because the flash drive may contain malicious software. However, an even more insidious problem exists because these devices may have malicious firmware.

USB is a general-purpose interface that lets users connect a variety of devices (flash drives, external hard drives, game controllers, network adapters and so on) to their computers. These devices, like the computer itself, run software known as firmware. When a user connects a device, its firmware is what tells the host what the device is and makes it function. This is convenient, but the host has no secure way to verify that the firmware on a USB device is what it claims to be.

For example, a USB flash drive may appear to function normally while its firmware quietly modifies files passing through it to infect the computer. A device that presents itself to the host as a USB Ethernet adapter can take over the machine’s network settings and route its internet traffic through attacker-controlled servers that serve malware. One device can combine these roles: while it works as a flash drive, its firmware can also register itself as a keyboard, injecting keystrokes, and as a network adapter. The infection can also run the other way, since a compromised computer can rewrite the firmware of USB devices plugged into it.

To make matters worse, Adam Shostack warns that there are no reliable defenses against these USB attacks. Malware scanners cannot read the firmware running on a USB device, and behavioral detection is nearly impossible because a malicious device’s activity looks exactly like a user plugging in a new keyboard or network adapter. Operating systems can block or allow specific classes of USB device, but such lists act on what the device reports about itself: a device with malicious firmware can present whatever class the list allows, and keyboards and network adapters are classes almost every system must allow.
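The class-list problem above, as an added example that is not code from Adam Shostack or this page: a parser that walks a USB configuration descriptor and reports every interface class the device declares, run against two constructed descriptors, an ordinary flash drive and the same drive after a hypothetical firmware reflash that adds a boot keyboard and a CDC Ethernet adapter. It also shows why a check on the device-level class is blind: a composite device reports bDeviceClass 0x00 and defines its classes per interface. The descriptor layouts are those of the USB 2.0 specification; the devices, their endpoints and the policy sets are invented for the example.

```python
"""Walk a USB configuration descriptor and report the interface classes a device
declares. Added example with constructed descriptors; not code from Adam Shostack
or the page. Descriptor layouts follow the USB 2.0 specification (chapter 9)."""
import struct
from dataclasses import dataclass

# bDescriptorType codes (USB 2.0 spec, table 9-5; 0x21 is the HID class descriptor)
DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21
# bInterfaceClass codes from the USB-IF class code list
CLASS_CDC_CONTROL, CLASS_HID, CLASS_MASS_STORAGE, CLASS_CDC_DATA = 0x02, 0x03, 0x08, 0x0A
CLASS_NAMES = {
    CLASS_CDC_CONTROL: "CDC control (network/serial)",
    CLASS_HID: "HID (keyboard/mouse)",
    CLASS_MASS_STORAGE: "mass storage",
    CLASS_CDC_DATA: "CDC data (network)",
}


@dataclass(frozen=True)
class Interface:
    number: int
    klass: int
    subclass: int
    protocol: int


def naive_blocklist_allows(device_class: int, blocked: set) -> bool:
    """The device-level check a 'block keyboards' policy often amounts to. A composite
    device reports bDeviceClass 0x00 (classes live on the interfaces), so it passes."""
    return device_class not in blocked


def parse_interfaces(blob: bytes) -> list:
    """Return every interface declared in a configuration descriptor tree. Each
    descriptor starts with bLength and bDescriptorType, so unknown descriptors
    (HID, vendor-specific) are skipped by length instead of guessed at."""
    if len(blob) < 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]  # wTotalLength, little-endian
    if total_len > len(blob):
        raise ValueError("wTotalLength exceeds the buffer")
    interfaces, offset = [], blob[0]
    while offset + 2 <= total_len:
        b_length, b_type = blob[offset], blob[offset + 1]
        if b_length < 2 or offset + b_length > total_len:
            raise ValueError(f"malformed descriptor at offset {offset}")
        if b_type == DT_INTERFACE and b_length >= 9:
            num, _alt, _eps, klass, sub, proto = blob[offset + 2:offset + 8]
            interfaces.append(Interface(num, klass, sub, proto))
        offset += b_length
    return interfaces


def unexpected_interfaces(blob: bytes, allowed_classes: set) -> list:
    """Interfaces whose class is outside what this device is expected to provide."""
    return [i for i in parse_interfaces(blob) if i.klass not in allowed_classes]


def audit(blob: bytes, allowed_classes: set) -> list:
    """(interface number, class name) for every unexpected interface."""
    return [(i.number, CLASS_NAMES.get(i.klass, f"class 0x{i.klass:02x}"))
            for i in unexpected_interfaces(blob, allowed_classes)]


# --- constructed sample descriptors (hypothetical devices, built inline) ----------
def _iface(num, klass, sub, proto, n_eps):
    return struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, n_eps, klass, sub, proto, 0)


def _ep(addr, attrs, max_packet, interval):
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, max_packet, interval)


def build_config(interface_blocks) -> bytes:
    body = b"".join(interface_blocks)
    header = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body),
                         len(interface_blocks), 1, 0, 0x80, 50)
    return header + body


_BULK, _INTERRUPT = 0x02, 0x03
_HID_DESC = struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, 63)
_STORAGE = _iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2) + _ep(0x81, _BULK, 512, 0) + _ep(0x02, _BULK, 512, 0)

# An ordinary flash drive: one mass-storage interface (SCSI transparent, bulk-only).
PLAIN_STICK = build_config([_STORAGE])

# The same drive after a firmware reflash: still mass storage, but it now also
# declares a boot keyboard and a CDC Ethernet (ECM) adapter.
REFLASHED_STICK = build_config([
    _STORAGE,
    _iface(1, CLASS_HID, 0x01, 0x01, 1) + _HID_DESC + _ep(0x83, _INTERRUPT, 8, 10),
    _iface(2, CLASS_CDC_CONTROL, 0x06, 0x00, 1) + _ep(0x84, _INTERRUPT, 16, 16),
    _iface(3, CLASS_CDC_DATA, 0x00, 0x00, 2) + _ep(0x85, _BULK, 512, 0) + _ep(0x06, _BULK, 512, 0),
])

if __name__ == "__main__":
    print("device-level blocklist admits the composite device:",
          naive_blocklist_allows(0x00, {CLASS_HID}))
    for name, blob in (("plain stick", PLAIN_STICK), ("reflashed stick", REFLASHED_STICK)):
        print(name, "->", audit(blob, {CLASS_MASS_STORAGE}))
```

The caveat is the one the text makes: the parser only tells you what the device claims. A reflashed keyboard that still declares itself as a keyboard is indistinguishable from a legitimate one at this layer, which is why the advice is not to trust a list but not to plug in unknown devices at all.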

Adam Shostack urges users to exercise caution with unfamiliar USB devices: never connect an unknown device to your computer. With the Windows Autorun feature now disabled by default, it is easy to become complacent, but the fundamental design flaw in these devices remains a real and serious danger to any computer they are plugged into.

Adam Shostack: How to Become a CVE Numbering Authority (CNA)

After the second Workshop on Vulnerability Databases at Purdue, Adam Shostack worked hard to make the Common Vulnerabilities and Exposures (CVE) list a reality. CVE is now broadly used, and CVE Numbering Authorities (CNAs) from around the world are responsible for assigning identifiers and maintaining the list.

What is the Common Vulnerabilities and Exposures list?

Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cybersecurity vulnerabilities that is free to use and download. When parties discuss or share information about a specific security vulnerability in software or firmware, a CVE Numbering Authority (CNA) assigns it a CVE identifier and adds the entry to the list. A shared identifier lets different tools and organizations exchange data about the same vulnerability and provides a common baseline for evaluating them.

How to Become a CNA

Adam Shostack emphasizes that becoming a CNA carries numerous considerations and responsibilities, which exist to ensure the continuing quality of the CVE List and to improve CVE’s operation and timeliness. Prospective CNAs must also go through a candidate process and meet specific qualifications. If you are interested in becoming a CNA, the CVE program publishes the process and the qualifications required.

See also Adam Shostack’s blog, Emergent Chaos.