Adam Shostack: Recent Addition to the Continuum Security Advisory Board

Noted threat modeling expert Adam Shostack is proud to serve on the Continuum Security Advisory Board – a role that was made official in May of 2018. As a member of the Board, Shostack looks to contribute his considerable knowledge of and expertise in threat modeling and information security toward the development of solutions that make security a key component of the development lifecycle.

As Adam Shostack knows, Continuum Security is focused on building the tools information security and development professionals need to test and manage software security. Continuum’s aim is to develop processes and tools that integrate seamlessly within the normal development process – rather than as an addition with the potential to slow down development. Continuum is responsible for the IriusRisk Threat Modeling Program – a solution for creating threat models and managing application risks throughout the process of development.

Continuum officially announced Shostack to the Advisory Board last May.


Adam Shostack: A Closer Look at Threat Modeling

With the release of 2014’s Threat Modeling: Designing for Security, renowned threat modeling expert Adam Shostack looks not only to introduce software developers and security professionals to this now essential information security skill, but also to provide helpful lessons and tips for identifying, preparing for and preventing potential security threats well into the future.

Through Threat Modeling: Designing for Security, Adam Shostack aims to:

• Provide software and security developers an easy, accessible how-to guide for designing more secure systems and products.

• Show security professionals how to threat model – as well as to provide an exploration of various threat modeling approaches, such as software-centric, attacker-centric and asset-centric.

• Provide actionable advice that isn’t tethered to any specific programming language, operating system or software.

Threat Modeling: Designing for Security is the only information security book to be selected as a finalist for the Dr. Dobb's Jolt Award since Secrets and Lies and Applied Cryptography.

Adam Shostack: Answering the Tough Questions on Information Security

Adam Shostack and Andrew Stewart are the authors of 2008’s The New School of Information Security – a book that seeks not only to answer the tough questions about information security, but also to provide anyone from CIOs and IT managers to company security specialists a new way of thinking when it comes to identifying, addressing and resolving the most complex and urgent security problems facing the modern organization.

As experts in information security, Adam Shostack and Andrew Stewart offer unique insight into the challenges faced throughout the field of security – as well as:

• How to gather the evidence needed to make better decisions when it comes to information security.

• Why collaboration is so essential to improving cybersecurity in the current era, and how the industry can come together to take significant leaps forward.

• What security industry leaders can learn from other scientific fields when it comes to improving security.

Adam Shostack: How to Become a CVE Numbering Authority (CNA)

After the second Workshop on Vulnerability Databases at Purdue, Adam Shostack worked hard to make the Common Vulnerabilities and Exposures (CVE) list a reality. Now broadly used, the list is maintained by CVE Numbering Authorities, or CNAs, from around the world.

What is the Common Vulnerabilities and Exposures list?

Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cybersecurity vulnerabilities, free to use and download. When parties discuss or share information about a unique security vulnerability found in software or firmware, a CVE Numbering Authority (CNA) adds the information to the CVE list. This process enables users to exchange data and provides a baseline for evaluation.

How to Become a CNA

Adam Shostack emphasizes that becoming a CNA carries numerous considerations and responsibilities that ensure the continuing quality of the CVE List and improve CVE's operation and timeliness. Additionally, potential CNAs must go through a candidate process and possess specific qualifications. If you are interested in becoming a CNA, the CVE program publishes more information about the process and the qualifications required.


Adam Shostack: 2017 Privacy Threat Modeling Project

Adam Shostack takes the issues of personal privacy and institutional transparency seriously, which is one of the primary reasons he is involved in the Seattle Privacy Coalition. A member of the Seattle Privacy Coalition Board since 2015, Adam Shostack uses his skills, insight, and experience in cyber security to give the organization strategic guidance on how digital information is collected, and to better inform the Coalition's long-term efforts to advocate for privacy protection and security.

One such effort was Adam Shostack's leadership of a 2017 Threat Modeling Privacy project. Along with a noted colleague and fellow Seattle Privacy Coalition board member, Shostack took on the responsibilities of this project with enthusiasm. Its eventual goals were:

  • Modeling and categorizing the methods through which organizations, both public and private, collect personal data and information, and determining the options available to the individual and their tradeoffs or costs.
  • Developing an inventory of both the things people do online and the ways their data is gathered by organizations. This inventory would then be used to build a bigger picture of online data collection, from which further analysis could be performed.
  • Arriving at a tool, process or method that can be applied effectively across a variety of target groups and threat models, so as to provide a way of approaching and understanding holistic defense strategies.


Adam Shostack: An Examination of Threat Modeling

Cyber security professional Adam Shostack has helped to define the process of threat modeling: he was responsible for Microsoft's approach, has provided comprehensive threat modeling training, services, and solutions to client organizations since 2016, and is the author of "Threat Modeling: Designing for Security," the practical guide that lays out how to do threat modeling throughout the security development lifecycle.

A noted expert and author on the subject of threat modeling, Adam Shostack defined the four-question framework used to threat model today. The four questions are:

  • What are we working on? This is important to ground threat modeling work and scope it to what can be addressed. It's also an important collaboration between security professionals and others working on the product or service.
  • What can go wrong? This key step is focused on bringing security knowledge to the analysis of a specific system.
  • What are we going to do about it? Once a list of potential problems is available, it’s important to address those problems!
  • Did we do a good job? Take a look at what’s been done, and assess if you’re satisfied and confident.
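To make the four questions concrete, here is an added walk-through in Python that is not from the page or from Shostack's own materials. It models a constructed three-element system (browser, web application, database), enumerates candidate threats per element using a STRIDE-style mapping (the per-element-kind mapping below is an assumption for illustration, not a published table), records a mitigate-or-accept decision for each threat, and then answers "did we do a good job?" by listing every threat that still has no decision.

```python
"""Four-question threat modeling walk-through (added illustration).

  1. What are we working on?          -> a small data-flow model of the system
  2. What can go wrong?               -> candidate threats per element, STRIDE-style
  3. What are we going to do about it? -> a mitigate/accept decision per threat
  4. Did we do a good job?            -> report threats with no decision at all

The sample system, the per-element STRIDE mapping and the decisions are all
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed mapping of STRIDE categories to element kinds. Real analyses tailor this.
APPLICABLE = {
    "external": {"spoofing", "repudiation"},
    "process": {"spoofing", "tampering", "repudiation",
                "info_disclosure", "denial_of_service", "elevation"},
    "datastore": {"tampering", "repudiation", "info_disclosure", "denial_of_service"},
    "dataflow": {"tampering", "info_disclosure", "denial_of_service"},
}


@dataclass
class Element:
    name: str
    kind: str
    crosses_boundary: bool = False  # dataflows only: crosses a trust boundary?


@dataclass
class Threat:
    element: str
    category: str
    priority: str
    disposition: Optional[str] = None  # "mitigate: ..." or "accept: ..."


def what_are_we_working_on() -> List[Element]:
    """Q1: constructed sample system: browser -> web app -> database."""
    return [
        Element("browser", "external"),
        Element("web_app", "process"),
        Element("db", "datastore"),
        Element("browser->web_app", "dataflow", crosses_boundary=True),
        Element("web_app->db", "dataflow"),
    ]


def what_can_go_wrong(elements: List[Element]) -> List[Threat]:
    """Q2: one candidate threat per applicable category per element.
    Flows that cross a trust boundary are flagged as high priority."""
    threats = []
    for e in elements:
        prio = "high" if e.crosses_boundary else "normal"
        for cat in sorted(APPLICABLE[e.kind]):
            threats.append(Threat(e.name, cat, prio))
    return threats


# Q3 input: constructed decisions keyed by (element, category). Two threats on
# the internal web_app->db flow are deliberately left undecided.
SAMPLE_DECISIONS: Dict[Tuple[str, str], str] = {
    ("browser", "spoofing"): "mitigate: authenticate users, bind sessions to tokens",
    ("browser", "repudiation"): "mitigate: log authenticated user actions",
    ("web_app", "spoofing"): "mitigate: server identity via TLS certificate",
    ("web_app", "tampering"): "mitigate: signed deployment artifacts",
    ("web_app", "repudiation"): "mitigate: application audit log",
    ("web_app", "info_disclosure"): "mitigate: generic error pages, no stack traces",
    ("web_app", "denial_of_service"): "accept: upstream rate limiting in place",
    ("web_app", "elevation"): "mitigate: per-request authorization checks",
    ("db", "tampering"): "mitigate: least-privilege database account",
    ("db", "repudiation"): "mitigate: database audit log",
    ("db", "info_disclosure"): "mitigate: encryption at rest",
    ("db", "denial_of_service"): "accept: capacity is monitored",
    ("browser->web_app", "tampering"): "mitigate: TLS",
    ("browser->web_app", "info_disclosure"): "mitigate: TLS",
    ("browser->web_app", "denial_of_service"): "accept: upstream rate limiting",
    ("web_app->db", "tampering"): "mitigate: TLS to the database",
}


def what_are_we_going_to_do(threats: List[Threat],
                            decisions: Dict[Tuple[str, str], str]) -> List[Threat]:
    """Q3: attach the recorded decision to each threat (None if there is none)."""
    for t in threats:
        t.disposition = decisions.get((t.element, t.category))
    return threats


def did_we_do_a_good_job(threats: List[Threat]) -> List[Threat]:
    """Q4: every threat needs an explicit decision; return the ones without."""
    return [t for t in threats if t.disposition is None]


def run_four_questions(decisions=SAMPLE_DECISIONS):
    """Run all four questions; returns (all threats, undecided threats)."""
    threats = what_can_go_wrong(what_are_we_working_on())
    what_are_we_going_to_do(threats, decisions)
    return threats, did_we_do_a_good_job(threats)


if __name__ == "__main__":
    threats, gaps = run_four_questions()
    print(f"{len(threats)} candidate threats, {len(gaps)} without a decision:")
    for g in gaps:
        print(f"  [{g.priority}] {g.element}: {g.category}")
```

The point of the last step is that "done" is defined as every enumerated threat having a written disposition, whether a mitigation or an explicitly accepted risk; the two undecided entries on the internal flow are exactly what the fourth question is meant to surface before the model is signed off.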
