The one point that's missing from the article is to remind people: What the heck do you think firewalls are made of? Software! So unless a software manufacturer has got "software security religion", their product is just as likely to be "broken" inside as the things it allegedly protects.
===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

"I love humans. Always seeing patterns in things that aren't there." - The Doctor

________________________________________
From: SC-L [sc-l-boun...@securecoding.org] on behalf of Gary McGraw [g...@cigital.com]
Sent: 31 March 2014 18:40
To: Secure Code Mailing List
Subject: [External] [SC-L] Firewalls, Fairy Dust, and Forensics

hi sc-l,

Ever get discouraged that we have not been making enough progress in software security? Well, we have been making plenty of progress and our field is growing fast!

This peppy little article (co-authored with Sammy Migues) explains why firewalls, fairy dust, and forensics are not working out for computer security. Oh, and software security is growing at 20% CAGR and now accounts for 10% of the computer security market (which is itself growing at 8.9%). We are in the right field, and this mailing list is a major help.

Please read this:
http://searchsecurity.techtarget.com/opinion/McGraw-Firewalls-fairy-dust-and-forensics-Try-software-security

Then have your SSG members read it. You do have an SSG, right?

Feel free to post links to twitter, facebook, linkedin, and send it around (by pointer). I would really appreciate that.

Thanks!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________