Shostack + Associates


Business Consulting and Services

Seattle, WA 550 followers

The best threat modeling training available.

About us

Shostack + Associates delivers the best threat modeling training available, as part of how we help companies deliver more secure systems.

Website: https://shostack.org
Industry: Business Consulting and Services
Company size: 1 employee
Headquarters: Seattle, WA
Type: Privately Held
Founded: 2016


Updates

  • Shostack + Associates reposted this

    MxD

    8,984 followers

    Reminder: There’s still time to join MxD’s Threat Modeling Workshop for small and medium manufacturers and technical professionals, happening Dec. 2–3 at our facility. In partnership with Shostack + Associates, this free two-day training will give your team the skills and shared language to anticipate and address cybersecurity threats in new or existing systems. Secure your spot: https://loom.ly/WJqx8Jo

  • Shostack + Associates reposted this

    😷 Adam Shostack

    Leading expert in threat modeling + secure by design. Training • Consulting • Expert Witness. "Threat Modeling" + "Threats: What every Engineer Should Learn from Star Wars." Affiliate Professor, University of Washington.

    Facebook’s Privacy Waves program caught my eye in this month’s AppSec Roundup — teams tackle privacy work in predictable, monthly cycles. No chaos. No chasing incidents. Just steady, reliable progress. It’s such a simple idea: Make security work part of the rhythm of development, not the interruption. When security becomes a cadence instead of a crisis, it scales. When teams know when security happens, they stop treating it like someone else’s job. 🔥 Predictability is the most underrated security control we have. Imagine what our AppSec programs would look like if every team had their own “security waves.” Would we finally break the cycle of reactive firefighting?

  • Shostack + Associates reposted this

    Barbara Cosgriff

    Veteran | Founder | CSSLP | Product Security SME | Speaker | Educator

    Well, another #ThreatModCon in the books! As I head home, I found myself spending a lot of time reminiscing on this year's conference. The time I spent reconnecting with familiar faces and connecting with new ones was reinvigorating! In one conference, I get to combine 1) my favorite cyber topic (Threat Modeling), with 2) some of THEE most talented cyber practitioners, 3) great speakers & presentations, and 4) in a very laid back and welcoming setting. It doesn't get any better than that. Of all of the great cybersecurity conferences out there, ThreatModCon is definitely my favorite!! Special thanks to IriusRisk, Toreon, Shostack + Associates, and Katilyst for sponsoring!!

    Threat Modeling Connect

    3,354 followers

    #ThreatModCon DC, you have been sensational. What an incredible couple of days for our ever growing, phenomenal threat modeling community. We love you all

  • Publish your threat models! When 😷 Adam Shostack first suggested the idea to publish your threat models, he received a strong emotional response. We've been taught to value secrecy and limit exposure, so it seems unfathomable to even consider publication. Publication is sparking a lot of conversations. So, let's talk about it. From the benefits to the dangers, 😷 Adam Shostack and Open Source Technology Improvement Fund, Inc (OSTIF) want to provide clarity on WHY you should publish your threat models and WHAT this looks like. If you're on the fence, this is your time to ask questions and understand publication in the context of your organization. 🗓️ November 12, 2pm-3pm CST 🔗 Sign up with the link in the comments! 💻 Zoom

  • “Risk is not a hammer — and most of our problems aren’t nails.” 😷 Adam Shostack opened his talk at USENIX Security '25 with that line. Immediately, the room started leaning in. He told a story from a workshop where someone confidently said, “We’ll just quantify the risk and decide from there.” Everyone nodded. Spreadsheets opened. Numbers multiplied. And then… silence. No one actually had the data to make those numbers mean anything. In that moment, Adam captured a pattern he’s seen for years: We treat risk as if it’s a universal problem-solver, a hammer that can drive every cybersecurity nail. But risk isn’t a decision engine. It’s a language. And it’s often the wrong one for the problems we face. Risk analysis came from gambling and insurance — domains built on iteration. In both domains, you can roll the dice thousands of times and refine your odds. But in cybersecurity, there’s not always repetition. Each attack, each exploit, each breach can be a one-off. So Adam challenged the audience to reframe the question: Not “What’s the risk?” But “What decision are we really trying to make — and what uncertainty can we live with?” Because when we stop swinging “risk” like a hammer, we finally start to see the real shape of the work. ❓ Ready to listen to the full talk? Watch now with the link in the comments. 🔗

  • Don't miss out! Join us for “Threat Modeling with 😷 Adam Shostack” in collaboration with Open Source Technology Improvement Fund, Inc (OSTIF)! This Wednesday, October 29th at 14:00 Chicago (GMT-5), Adam will join OSTIF to explore the important idea: ❓ Should we publish our threat models?

    In this talk, Adam will dive into:
    > The opportunities and risks of publishing threat models
    > How openness can improve collective security
    > Why the open source community is uniquely positioned to lead this movement

    Register now and be part of the conversation shaping the future of open, transparent security. Link in the comments!

    🗓 Date: October 29th, 2025
    🕑 Time: 14:00 Chicago (GMT-5)
    🔗 Link to Register: In the comments!
