Recent Writings — Loren Kohnfelder on Designing Secure Software

March 2026 Link dump

Wed, 01 Apr 2026 00:00:00 +0000

Google security methodology compendium
Threat modeling
Are attacks the only threat?
Why is threat modeling ignored?
Miscellaneous
e16n next Stage 4

Google is sharing a lot of their impressive security methodology in a recent collection of articles: How Google Does It: An inside look at cybersecurity. Of special interest to me: Threat modeling, from basics to AI.

February 2026 Link dump

Sun, 01 Mar 2026 00:00:00 +0000

On “the end of security bugs”
STRIPPED
Incident response threat modeling?
Using CSS and PDF as emulators running code

Claude Code Security has people predicting the end of security bugs as we know them I can’t imagine anything in the forseeable future doing that because all software has bugs, and vulnerabilities are by definition a subset of all the bugs (in a properly designed system). Bug-free code seems computationally infeasible for large systems, if only for the amount of testing required to confirm there are no bugs. What am I missing, or is it AI hype?

January 2026 Link dump

Sun, 01 Feb 2026 00:00:00 +0000

on “Bitlocker, the FBI, and Risk”
threat models to address hacklore
software bloat
software update release quality

Transparent AI use

Sat, 31 Jan 2026 00:00:00 +0000

How much AI use is acceptable for writing? It’s a hard question because it depends greatly on context, the reader’s expectations, and the fact that it’s difficult to usefully measure “how much”. How we address this matters for several reasons, including but not limited to: creator’s responsibility and originality, honest disclosure about research effort and sources, respecting the broad spectrum of opinion about ethical use of AI.

Risk Perspective

Sat, 24 Jan 2026 08:42:18 -1000

Writing in response to Adam Shostack’s excellent post “Bitlocker, the FBI, and Risk”. He nicely highlights the fundamental risk trade-off in data protection, and so long as we (often very rightly) prioritize availability we need measures that may compromise confidentiality. Also I especially liked the touch of a risk analysis not using numbers and explicitly pointing that out.

Dusting off

Sat, 24 Jan 2026 08:28:56 -1000

Dusting off this venue for writing at the suggestion of a friend in the interest of more discussion online because it’s “better if we move commentary off social media.”

Flaunt your Threat Models!

Thu, 14 Nov 2024 00:00:00 +0000

Threat modeling is the most powerful, underutilized, easy-to-do security methodology we have: why isn’t everybody doing it already, or why do those who are keep their work secret? If you already threat model your digital systems and products, and are doing the work already then you are doing security right so you should share it with pride. Publishing threat models may be the best evidence of excellent security work that customers and users can appreciate the value of, short of a rigorous detailed design and code review. You’ve already done the work — or if not you really should — and making it public not only is great promotion but it also helps all stakeholders understand their respective roles and responsibilities in securing larger systems. (about 4600 words)

Demand more

Fri, 20 Sep 2024 00:00:00 +0000

Demand more

I applaud CISA leadership speaking out aggressively at the mWISE Conference 2024 about the dismal state of software security (based on reporting in The Register, but it would be nice for www.cisa.gov to publish transcripts in order to ensure we are interpreting remarks with full context, given that the videos are paywalled).

Threat Modeling threat modeling

Sun, 11 Aug 2024 00:00:00 +0000

(2300 words) Threat modeling isn’t just for software security; you can even threat model threat modeling. When a major software incident occurs, the first thing we should be asking is “show us the threat model”.

Crowdstrike further revelations

Fri, 09 Aug 2024 00:00:00 +0000

In a debunking blog post, Crowdstrike finally starts to describe that content files are digitally signed for deployment. The initial report oddly referenced file timestamps instead of hashes to designate the bad and good versions of the infamous Channel File 291, but now we know these were signed.

Crowdstrike External Technical Root Cause Analysis

Tue, 06 Aug 2024 00:00:00 +0000

The Crowdstrike July incident root cause analysis report provides new detail and requires reading between the lines to interpret (I welcome corrections with references if I got it wrong).

Why tamper LLMs with guardrails?

Mon, 05 Aug 2024 00:00:00 +0000

Say what you will about LLM technology, it’s remarkable that we can do computations on the scale of billions of parameters training on large chunks of humanity’s collective text and media at all — and then it’s remarkable how you can talk to “it” in everyday language and get any kind of recognizable response out of it all, often (but not always) a pretty good one, and this is all based on the simple but powerful “select the best next token” algorithm run in a loop. The concept would have made a terrific sci-fi series, and here we are with it working in our cloud at scale.

Incoming message mess

Tue, 30 Jul 2024 00:00:00 +0000

July 30, 2024 — When will we address the unacceptable status quo of scam phone calls, SMS text, and email?

Crowdstrike threat Q&A

Thu, 25 Jul 2024 00:00:00 +0000

Threat-based questions to understand the Crowdstrike incident (1081 words)

Every chance I get I’ve been offering this guidance: We understand software security best through specific threats and mitigations, articulated by threat models shared openly. While I doubt the folks at Crowdstrike are interested in my help, this is a great opportunity to test how this works in practice.

CSRC NIST glossary

Thu, 25 Jul 2024 00:00:00 +0000

In search of standard terminology to talk about software security

Someone referred to Crowdstrike as not being a “security incident” to which someone else responded that according to NIST it is. I’d like to think that the US National Institute of Standards and Technology (NIST) would provide standard definitions of technical terms for the software community which is awash in vague nomenclature that leads to much confusion, however, I see that the situation is unexpectedly complicated. According https://csrc.nist.gov/glossary/term/security_incident there are eight different definitions of “security incident”. This strikes me as fundamentally unhelpful: if we are having a discussion and referencing the NIST definition, we can disagree about the meaning and both be completely accurate. If there is some rule to determine which of the definitions to apply in different contexts the webpage appears to be silent on what that is.

Crowdstrike and the threat of friendly fire

Tue, 23 Jul 2024 00:00:00 +0000

Threat modeling methodology centers on asking, “What could go wrong?” and then considering mitigations to address such an eventuality. The unending calamities of history vividly demonstrate how human intuition repeatedly fails to foresee many such events until after they happen, and even then we sometimes fail to learn and act. For example, consider the 2008 financial crisis: after all the bailout money was handed out around Wall Street, Congress never confronted the glaringly obvious problem of “too big to fail” institutions. As a result, large firms continued to consolidate, concentrating power and risk in still fewer institutions, creating conditions for a repetition that appears to be a matter of “when” rather than “if”. Traditionally threat modeling has been deployed exclusively within the context of secure software engineering, but I posit that it is just as effective and important a tool for anticipating potential harms of all kinds — not just malicious exploitations.

Secret Questions for password reset

Thu, 11 Jul 2024 00:00:00 +0000

Secret questions as credentials for online account authentication are simply a bad idea in my view: I have never seen them done well, often seem them done atrociously, and my most generous assessment would be that they are extremely hard to do well. But keeping an open mind, here's a brief reasoning why these are problematic, and I invite anyone interested to do a brilliant design and prove me wrong.

Learning from Solar Winds

Wed, 10 Jul 2024 00:00:00 +0000

ProPublica is a national journalistic treasure, and recent reporting on the software industry is a terrific impetus to drive much needed change. I sat in on many bug triage discussions over twenty years ago working at Microsoft, and despite great technology advances, the way these decisions are made appears to be little evolved. My purpose here is not to judge what transpired and who is at fault, but to glean from the reporting better software practices so we can at least learn from these events.

Trusting AI

Mon, 03 Jun 2024 00:00:00 +0000

(220 words) June 2024 – Loren Kohnfelder

Whether or not this unscientific test is reliable, asking generative AI if a mushroom is safe to eat — it misclassified a highly toxic variety that looks like a common edible one — is a terrible idea if you are prepared to eat according to what it says. This illustrates my rule of thumb:

Further security discussions

Thu, 30 May 2024 00:00:00 +0000

(500 words) May 2024 – Loren Kohnfelder

This article is a continuation of Better Security Discussions.

This analysis can be extended by considering potential mitigations for additional threats.

Better security discussions

Sun, 26 May 2024 00:00:00 +0000

(900 words) May 2024 – Loren Kohnfelder

We understand software security best through specific threats and mitigations, articulated by threat models shared openly. Without this context we avoid much needed meaningful security discussions.