The Blast Radius - Edition [4] Over the past few weeks I’ve been building out a practical toolkit for threat modelling AI, LLM and agentic systems. The current state of advice in this space ranges from the abstract (OWASP lists) to the theatrical (“AI red teaming” that tests the wrong…
Last week, Anthropic announced Claude Mythos Preview and...
I’ve been talking about graphs for dependency analysis...
Why SAST is broken, and how it could...
Cursor as your Secure Dev Team What I...
Building an AppSec Program: A Collaborative Approach Are...
AI-Generated Code: Productivity Gains, Security Pains, and the...
There are lots of ways we can optimise what we do, through a data driven approach, but we need to be careful and use critical and creative thinking.
Why are so many people just diving, straight into the code? A minimum of requirements and design? Perhaps a threat Model?
We need to fix the culture, from top to bottom in the software engineering industry. Here are just some of the issues as I see them and what we should be doing about them.
Coming soon to a bookshelf near you, Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture
Some interesting security and creativity games plus a few more
Threat modeling with teams is a process that requires visuals, interaction between team members and discussion and so lends itself to everyone being in a room together. This has been quite hard the last two years. It also doesn’t look to be getting any easier, so we should probably get used to it. Here’s how I’ve been doing it with several teams.
So often organizations believe that Application Security stops at penetration testing and fixing vulnerabilities but it is more than that, penetration testing is the reactive side of things but you also need the proactive aspects of Application Security to reduce the flow.
Mapping between the Common Attack Pattern Enumeration and Classification (CAPEC) from Mitre and the S.T.R.I.D.E. Categories used in Threat Modeling.
I’ve just launched the first OWASP Application Security Awareness Campaign with 11 Posters of the OWASP Top Ten 2021 project.
Prioritising remediation of vulnerabilities based on effective impact and risk using PageRank.
