Adam Shostack: 2017 Privacy Threat Modeling Project

Adam Shostack takes the issues of personal privacy and institutional transparency seriously, which is one of the primary reasons he is involved in the Seattle Privacy Coalition. A member of the Seattle Privacy Coalition Board since 2015, Adam Shostack applies his skills, insight, and experience in cyber security to give the organization strategic guidance on how digital information is collected, and to better inform the Coalition’s long-term advocacy for privacy protection and security.

One such effort was Adam Shostack’s leadership of a 2017 Threat Modeling Privacy project. Along with a noted colleague and fellow Seattle Privacy Coalition board member, Shostack took on the responsibilities of this project with enthusiasm. Its eventual goals were:

  • Modeling and categorizing the methods through which organizations, both public and private, collect personal data and information, and determining the options and their tradeoff or cost to the individual.
  • Developing an inventory that includes both the things people do online and the ways their data is gathered by organizations. This inventory would then be used to build a bigger picture of online data collection, on which further analysis would be performed.
  • Arriving at a tool, process or method that can be applied effectively across a variety of target groups and threat models, so as to provide a better way of approaching and understanding holistic defense strategies.



Adam Shostack: What do Security Engineers Do?

Adam Shostack enjoys the opportunity not only to identify potential threats to and points of attack within a client’s information system(s) but to architect and implement the custom solutions needed to mitigate and eliminate system vulnerabilities while giving the client the tools and insight needed to achieve a more secure future.

Founder and Managing Consultant of Shostack & Associates, Adam Shostack engineers high-quality security solutions that address and resolve complex security issues and prepare organizations for the challenges of an ever-changing digital environment.

Shostack has worked in cybersecurity his entire career and is well-versed in the many responsibilities most often laid upon the security engineer’s desk. While the high-level duties of the engineer include comprehensive risk assessment, network vulnerability identification, and system security enhancement, security engineers must also maintain a high level of proficiency in:

  • Grasping and managing the technical, complex information security issues within a fast-paced business atmosphere.
  • The maintenance of all hardware and software in relation to security.
  • Being able to identify both current and growing issues in terms of security threats, vulnerabilities, and trends.
  • Performing research to better identify and assess system weaknesses, as well as making recommendations on best strategies moving forward.


Adam Shostack: An Examination of Threat Modeling

Cyber security professional Adam Shostack has helped to define the process of threat modeling. He was responsible for Microsoft’s approach, has provided comprehensive threat modeling training, services, and solutions to client organizations since 2016, and is the author of “Threat Modeling: Designing for Security,” the practical guide that lays out how to do threat modeling throughout the security development lifecycle.

A noted expert and author on the subject of threat modeling, Adam Shostack defined the four-step framework used to threat model today. The four steps are:

  • What are we working on? This is important to ground threat modeling work and scope it to what can be addressed. It’s also an important collaboration between security professionals and others working on the product or service.
  • What can go wrong? This key step is focused on bringing security knowledge to the analysis of a specific system.
  • What are we going to do about it? Once a list of potential problems is available, it’s important to address those problems!
  • Did we do a good job? Take a look at what’s been done, and assess if you’re satisfied and confident.


Adam Shostack: Achieving Success in Cyber Consulting

As Adam Shostack knows, the field of information security consulting is very crowded and highly competitive. To achieve any level of success in the industry, consultants must not only possess a strong understanding of the security issues organizations face on a daily, monthly and yearly basis; they must also remain flexible in meeting the many different security needs that unique organizations and industries face, and be willing to stay current on the ever-changing technologies and threats that are forever challenging the industry.

The Managing Consultant of Shostack & Associates, Adam Shostack understands that for cybersecurity consultants of any specialty to remain competitive and successful, they must:

  • Always be learning. Keeping a finger on the pulse of the industry and maintaining the desire to learn where it is and where it is headed is essential to anticipating and managing clients’ current and future needs.
  • Challenge themselves regularly. Consultants are responsible for solving problems. In the world of cybersecurity, those problems are changing and evolving constantly. To stay on top and ahead of these changes, it’s important to always seek out problems you’ve never dealt with or resolved before, as such situations can help to keep you sharp and prepared for anything that comes your way.


Adam Shostack: Key Attributes Found in Successful Security Engineers

Adam Shostack has worked in the field of cybersecurity engineering for much of his career. The Managing Consultant of Shostack & Associates, Shostack has served as a leader within three successful startup firms focused on the development of security products and solutions, was a key driver of Microsoft’s Software Development Lifecycle, and has written or co-authored multiple books on the subject of online threats and information security.

A longtime security engineer and entrepreneur, Adam Shostack possesses many of the key attributes and skills most commonly found among those who have attained long-term success in the field. Some of the defining characteristics of a successful security engineer include:

  • The ability to focus on and manage the details of a given project, as well as to work methodically.
  • A curiosity and enthusiasm that drives the professional to dig deeply into complex technical issues, as well as to examine problems from all sides.
  • The ability to adapt to new situations; to identify and deliver solutions that best meet the needs of unique organizations, clients, and systems.
  • An updated understanding of the current risks and vulnerabilities, as well as the curiosity needed to learn and stay updated on the ever-changing nature of threats and organizational demands.


Adam Shostack: Common Responsibilities of the Security Engineer

Adam Shostack specializes in identifying and tackling the complex technical security issues faced by professionals and organizations. The Managing Consultant and Founder of Shostack & Associates, Shostack looks to design, build and implement the security strategies and solutions companies count on for solving their cybersecurity problems, and for being better prepared for the challenges of a fast-paced, often unpredictable future.

A longtime member and professional of the security engineering community, Adam Shostack understands the numerous responsibilities placed on the cybersecurity engineer on a regular basis. Many times an organization’s first line of defense in the constant struggle against potential security threats and risks, the security engineer is often responsible for:

  • Providing assistance in the installation and use of security software, including data encryption programs and firewalls.
  • Establishing and building the organization’s security practices and standards.
  • Developing innovative ways for solving existing security issues.
  • Making recommendations to management regarding needed security enhancements.
  • Scanning networks to identify and isolate potential vulnerabilities.
  • Monitoring organization systems and networks for security intrusions and breaches.
  • Keeping an eye out for irregular system behavior(s).
  • Investigating how security breaches happen and establishing protocols for managing and preventing breaches in the future.


Adam Shostack: What are the Primary Objectives of Cyber Security?

Adam Shostack works diligently to not only identify the cybersecurity issues his clients are or could be facing but to design and develop solutions that deliver improved security outcomes that will protect and benefit their organizations down the road.

A security engineering professional, consultant and advisor with Shostack & Associates, Adam Shostack is well known for his experience and expertise in the field, and for consistently providing clients comprehensive, customized information security solutions that add real value for years to come.

As Adam Shostack knows, there are several high-level principles that tend to instruct and guide the field of security engineering. These include:

  • Integrity. One of the primary goals of security engineers is to make it incredibly difficult, if not impossible, for unauthorized users to change the information, as well as to provide the client or organization the ability to track changes made by authorized users.
  • Confidentiality. Security engineering professionals work to ensure the information in question can only be accessed, seen or used by those with explicit authorization to do so.
  • Availability. Information must be readily accessible to authorized users when they need to access it.


Adam Shostack: Success with Zero-Knowledge Systems

Long before founding Shostack & Associates, Adam Shostack had established himself as a leader in systems security and analysis. An experienced program manager, entrepreneur and influential professional technologist with expertise in the development of privacy and security solutions, Adam Shostack has been an asset to numerous technology-based firms, including multiple start-up companies and the well-known Microsoft corporation.

Adam Shostack has added value to many firms over his career, not the least of which was the mass-market privacy technology company known as Zero-Knowledge Systems. As Director of Technology with Zero-Knowledge Systems from 1999 to 2002, Shostack proved himself an adept team leader throughout his company tenure, particularly as creator and manager of the company’s ‘Evil Genius’ team.

As a Zero-Knowledge professional, Shostack was largely responsible for positioning the company as a technical leader. Under his leadership, the eight-member Evil Genius team created a variety of new products, including numerous prototypes and the P3P Analyzer. Adam Shostack accepted ownership of the technical decisions for multi-million-dollar IP acquisitions, and was responsible for creating a companywide patent process.

Adam Shostack: Start-up Leadership

Adam Shostack has proven himself a valued leader in the fields of security process analysis and threat modeling. The Founder and Managing Consultant of Shostack & Associates, Adam Shostack has demonstrated his worth as a security solutions provider throughout his career, both as a longtime program manager at Microsoft and as a leader of multiple start-up organizations.

With Microsoft for more than eight years, Adam Shostack was also an invaluable asset to such start-up firms as Reflective (software security), Zero-Knowledge Systems (privacy), and Netect (vulnerability management).

  • The Chief Technology Officer at Reflective from 2004 to 2006, Shostack was responsible for driving the company’s technology strategy, leadership that took the company from the conceptual stages to more than $1 million in revenue.
  • As Director of Technology of Zero-Knowledge Systems (1999-2002), Shostack was responsible for initiating and managing the company’s ‘Evil Genius’ team, which positioned the firm as a technical leader and led to the creation of numerous innovative products.
  • As Director of Technology for Netect (1997-1999), which would later be acquired by Bindview, Adam Shostack led his team in the design, specification and positioning of the award-winning HackerShield 1.0 vulnerability scanner.

Adam Shostack: Microsoft Experience

Entrepreneur and technologist Adam Shostack focuses on providing customers with expert security analysis and solutions that work to improve security outcomes for their organizations. The Managing Consultant of Shostack & Associates, Adam Shostack has consistently delivered threat modeling, security process analysis, and portfolio management solutions that have delivered positive and enduring outcomes throughout his career.

An experienced and proven professional, Adam Shostack enjoyed the opportunity to deliver such results as a Principal Program Manager of Microsoft for more than eight years. From 2006 to 2014, Adam Shostack focused his efforts on the human factors involved in security, developed threat modeling techniques and tools, and became a key driver for the company’s software development lifecycle.

Adam Shostack served on Microsoft’s Security Development Lifecycle Strategy team from 2006 to 2009, and the Usable Security team from 2009 to 2011. His tenure at Microsoft ended as a member of the Operational Security Assurance team, on which he served from 2012 to 2014.

A serial entrepreneur and security expert, Adam Shostack has continually demonstrated considerable insight in the areas of threat modeling and cyber portfolio management.