Allan Friedman

@allanfriedman@infosec.exchange
808 Followers
367 Following
755 Posts
#SBOM Champion. Full service technocrat. Now at @Cisagov, formerly NTIA. Lapsed{engineer, academic, author}. Personal Account.
Sunday brunch: tacos with the last of the brisket burnt ends and a strawberry-mozzarella-basil salad.
New summer coffee habit: double shot from the Bialetti moka over ice, with homemade lemon rind syrup.
Brisket trimmings = beef cracklin = some pretty damn amazing gravy for Sunday morning biscuits.

My #PyConUS session is later today, let's find out together if your requirements.txt is haunted? 👻

Join the haunt in Ballroom BC at 1:45PM, don't be scared!

https://us.pycon.org/2025/schedule/presentation/14/

#PyConUS #PyCon #PyConUS2025 #Python #Security

Phantom Dependencies: is your requirements.txt haunted?

Did you know there’s more than Python code included in Python packages? This might be a surprise, especially if you’ve … Presented by: Seth Michael Larson

PyCon US 2025

Apple Weather: expect thunderstorms soon.
Also Apple Weather: hey, I betcha need a wind map now, right?

How are these things still so bad.

UK spies see ‘direct connection’ between Russian cyberattacks and sabotage plots https://therecord.media/uk-spies-see-connection-russia

Cyber chief Richard Horne said intelligence agencies were seeing the hacking threat from Russia manifesting “on the streets of the UK."

Allan’s corollary to Clarke’s 3rd law:

Debugging any sufficiently advanced technology involves magic.

I published a new small project called "whichprovides" that's an abstraction over many package manager ecosystems, mostly for generating Package URLs to include in SBOMs:

#python #opensource #oss #sbom

https://sethmlarson.dev/new-project-whichprovides

whichprovides: an abstraction of "yum provides"

This critical role would not be possible without funding from the Alpha-Omega project. I'm announcing a new small project I've created as a part of my work on Software Bill-of-Material...


New blog: Free Threat Modeling Training for Displaced Federal Workers

US Government employees (and former employees) are going through a lot of chaos. Many of our colleagues, collaborators, and friends are out of work — suddenly and unexpectedly.

At Shostack + Associates, we can’t fix that. But we can offer something concrete.

In times of uncertainty, we focus on what we know, and what we know is threat modeling and how to teach it. It’s what we do best, and it’s how we can help.

(1/4) full post, links: https://is.gd/nYz3y2

We’re opening a free instance of our Threat Modeling Intensive course — a $3,900 value — no strings attached. This will be a distributed, live instruction instance of the course for people whose government jobs have gone. The course is designed for technologists who have at least a couple years of experience as a software developer, systems operator or technical project manager, and have shipped one or more systems.

This is the full version of our most popular training. It’s practical, focused, and designed to help you move into a new role with in-demand skills. It’s interactive and hands on. You’ll be threat modeling and collaborating to get peer feedback and review. Complete the work and you'll finish the week with new capabilities and a course completion certificate.

(2/4)

The course runs the week of July 7. We don’t want to cap attendance, but our training is interactive, so we need to use the Zoom meeting form, and that leads to participation limits. So if you sign up, please do so with a plan to attend and participate. If you’ve lost your job — sign up. We’ll cover the full cost. You bring your attention and drive, and you can sign up at our Google form. Also, you can learn more about the course on our general Threat Modeling Intensive Course page.

In the spirit of transparency, there’s something in this for us too: one of our major customers is planning a large-scale course, and we want to experiment and see if there are limits to how many folks we can teach effectively. We're confident in our approach. We believe that our mix of hands-on, small peer group discussions and larger full class discussions can scale. And we love experimentation and learning.

(3/4)

Please share this with anyone you know who’s been impacted. We’ll do our best to make this useful, relevant, and hopefully a step towards something new.

PS: If this sounds good but you’re not an impacted government employee, we have upcoming open trainings at OWASP Global AppSec Barcelona (May) and Black Hat in Las Vegas (Aug 2-3 or 4-5), as well as self-paced trainings and private offerings.

(4/4) Full version, links: https://is.gd/nYz3y2