[SC-L] Silver Bullet 122: David Nathans

2016-06-07 Thread Gary McGraw
Hi sc-l, The latest episode of Silver Bullet features a conversation with David Nathans from Siemens Healthcare. David got his start in security ops, and even wrote a book about that. But he completely understands why product security is essential in the modern world and has been moving

[SC-L] Silver Bullet celebrates a decade of shows: Gary McGraw

2016-04-01 Thread Gary McGraw
hi sc-l, Hard to believe, but Silver Bullet has been running for ten years---120 months of shows in a row without missing a month. To celebrate this accomplishment, we shot a video for episode 120 out by the Shenandoah river at my house. And we turned the tables on the interview. Marcus

[SC-L] Silver Bullet 119: Jacob West on the IEEE CSD Wearables report (design review)

2016-02-29 Thread Gary McGraw
hi sc-l, It’s leap day and RSA week! We just posted Silver Bullet episode 119 featuring BSIMM co-author and IEEE CSD co-founder Jacob West talking about the latest IEEE CSD report. Architecture analysis lags behind other touchpoints when it comes to software security practices. The CSD

[SC-L] Silver Bullet: Jack Daniel

2016-02-01 Thread Gary McGraw
hi sc-l, For the first Silver Bullet of 2016 I have a chat with Jack Daniel, co-founder of the Bsides Conferences. We talk about security communities, the evolution of the field, car repair, complex systems, the waning security Renaissance, and other matters. We conclude with a quick

[SC-L] Silver Bullet 117: Jamie Butler

2015-12-26 Thread Gary McGraw
hi sc-l, The current episode of the Silver Bullet Security Podcast features Jamie Butler, CTO of Endgame. Jamie and I talk rootkits (he wrote the book with Greg Hoglund), attack patterns, defense and offense. Jamie has a long career in security (17 years) spanning early days at Fort Meade,

[SC-L] Silver Bullet 116: Doug Maughan

2015-12-01 Thread Gary McGraw
hi sc-l, Doug Maughan is one of the very good people who somehow works in the federal government at DHS (I know). He has been funding reasonable science in computer security since his early DARPA days and even once funded some of our work at Cigital. We talk about science, research, tech

[SC-L] Silver Bullet 115: mudge

2015-10-29 Thread Gary McGraw
hi sc-l, Cigital just posted Silver Bullet 115 which features an interview with mudge (a.k.a., Peiter Zatko). https://www.cigital.com/podcasts/show-115-peiter-mudge-zatko/ We talk l0pht, cult of the dead cow, early security days, testifying before Congress, why the government is so confused

[SC-L] BSIMM6

2015-10-19 Thread Gary McGraw
hi sc-l, Today Cigital published Release 6 of the Building Security In Maturity Model (BSIMM). The BSIMM now represents eight years of bringing science to software security. We have directly measured over 104 companies across multiple industries (BSIMM6 covers 78 of them). BSIMM6 also

[SC-L] SearchSecurity: Seven Myths of Software Security

2015-10-06 Thread Gary McGraw
hi sc-l, You’ve heard these before I’m sure. Working on expanding or improving your software security initiative? Here are seven of the most common objections we see all the time (and what to say in response). Please read this article: http://bit.ly/swsec-myths Hopefully you will all find

[SC-L] Silver Bullet 114: Peter "Pete" Clay

2015-09-30 Thread Gary McGraw
hi sc-l, Episode 114 of Silver Bullet was just posted. This episode features Peter “Pete” Clay who has served as a CISO in several firms (Deloitte, Invotas, Qlik) and has provided security direction both in the Federal government and the private sector. Have a listen: http://bit.ly/SB-pete

[SC-L] The FTC and Software Security

2015-09-17 Thread Gary McGraw
hi sc-l, I just posted some thoughts on the FTC and software security. Have a look: http://bit.ly/gem-FTC gem ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l

[SC-L] Podcast: Threatpost covers software security

2015-09-12 Thread Gary McGraw
hi sc-l, Yesterday I recorded an episode of Threatpost with Dennis Fisher. We talk about many current topics, including how to scale software security. Have a listen and pass it on: https://threatpost.com/gary-mcgraw-on-scalable-software-security-and-medical-device-security/114640/ Topics

Re: [SC-L] Silver Bullet 113: Chandu Ketkar

2015-09-08 Thread Gary McGraw
The URL was apparently scrambled below. For the SB episode try: http://bit.ly/SB-chandu gem On 8/31/15, 12:51 PM, "SC-L on behalf of Gary McGraw" <sc-l-boun...@securecoding.org on behalf of g...@cigital.com> wrote: >hi sc-l, > >The new episode of Silver Bulle

Re: [SC-L] [External] Re: SearchSecurity: Dynamism

2015-09-08 Thread Gary McGraw
As far as I know, Microsoft integrated some reference monitoring into their OS family under Fred Schneider’s guidance. They called it “inline reference monitoring” and I believe they still use it. gem On 9/8/15, 8:49 AM, "SC-L on behalf of Goertzel, Karen [USA]"

[SC-L] Silver Bullet 113: Chandu Ketkar

2015-09-06 Thread Gary McGraw
hi sc-l, The new episode of Silver Bullet features a conversation with Chandu Ketkar. Chandu has 20+ years of experience in software, starting as a developer and working his way to a secure design proponent. Have a listen:

[SC-L] SearchSecurity: Dynamism

2015-08-20 Thread Gary McGraw
hi sc-l, What is the relationship between dynamic languages and dynamic methodologies? What is the impact on software security? This article provides a gentle introduction: http://bit.ly/gem-dynamic Feedback welcome. Pass it on. gem company www.cigital.com podcast

[SC-L] Silver Bullet 112: Matthew Green and Steve Bellovin on Crypto Back Doors

2015-07-23 Thread Gary McGraw
hi sc-l, For the latest episode of Silver Bullet, we spoke to two of the fifteen co-authors of the Keys Under Doormats paper describing the technical peril of implementing crypto back doors as FBI Director Comey has suggested. Steve Bellovin comes at the problem with years of experience and

[SC-L] Silver Bullet 111: Marcus Ranum

2015-07-07 Thread Gary McGraw
hi sc-l, Silver Bullet episode 111 is a sneaky one based around a “dirty brilliant trick.” The episode features Marcus Ranum, inventor of the proxy firewall and all around security guru. We talk about perimeter security, software security, security progress (or lack of such) and whether

[SC-L] Silver Bullet 110: Paul Dorey

2015-06-04 Thread Gary McGraw
hi sc-l, Silver Bullet episode 110 features Paul Dorey. Paul was one of the original CSOs of Europe, ultimately serving as the CSO of BP. He and I are on an Advisory Board together, and most recently, Paul and I did a “fireside chat” at the BSIMM Europe Conference. We talk about the CSO

[SC-L] RSA Antidote: Bart Preneel on Silver Bullet 109

2015-04-27 Thread Gary McGraw
hi sc-l, Lots of us have RSA Conference goo leaking out of our ears by now. Yerg. Here’s a quick antidote from a serious cryptographer. Bart Preneel is a professor at KU Leuven University (founded in 1425). He is an exceptional cryptographer and a huge supporter of software security in

[SC-L] [searchsecurity] How to structure an SSG

2015-03-31 Thread Gary McGraw
hi sc-l, During the last BSIMM Conference in Monterey, CA, Caroline Wong ran a workshop/session during which all 23 firms present shared their BSIMM structures with each other. The event was organized as a poster session. It was a great event. Caroline and I took the data, crunched it,

[SC-L] Silver Bullet 108: Katie Moussouris

2015-03-31 Thread Gary McGraw
hi sc-l, Just in time for my Spring Break college tour with Eli, here is Silver Bullet episode 108, an interview with HackerOne’s Katie Moussouris. Katie and I talk about bug bounties, early coding (sadly she was a C64 person instead of an Apple ][+ person), SDL, BlueHat, mentors, and more.

[SC-L] [article] When risk management goes bad

2015-02-24 Thread Gary McGraw
hi sc-l, I wrote my latest SearchSecurity article based on conversations I have been having with a number of CSOs and security execs. It’s about what happens when risk management goes bad. The biggest failure condition seems to be “ignoring the lows” entirely. Anyway, have a read and pass

Re: [SC-L] [article] When risk management goes bad

2015-02-24 Thread Gary McGraw
christian.heinr...@cmlh.id.au wrote: Gary, On Sat, Feb 21, 2015 at 6:13 AM, Gary McGraw g...@cigital.com wrote: I wrote my latest SearchSecurity article based on conversations I have been having with a number of CSOs and security execs. It’s about what happens when risk management goes bad

[SC-L] The Web Platform podcast talks security

2015-02-04 Thread Gary McGraw
hi sc-l, An entire gaggle of devs and architects interviews me about software security. Have a listen. Pass it on: http://thewebplatform.libsyn.com/28-securing-your-web-applications gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book

[SC-L] Superbowl Silver Bullet Security Podcast 106: Steve Katz

2015-02-03 Thread Gary McGraw
hi sc-l, What’s better than the Superbowl? Silver Bullet of course! Hah. Have a listen to episode 106 featuring Steve Katz, widely revered as the world’s first CISO. Steve has served as CISO of Citibank/Citigroup, JP Morgan, Merrill Lynch, and Kaiser Permanente. (We serve on one Advisory

[SC-L] Silver Bullet: Whitfield Diffie

2015-01-01 Thread Gary McGraw
hi sc-l, Merry New Year to you all!! Episode 105 of Silver Bullet is an interview with Whitfield Diffie. Whit co-invented PKI among other things. We have an in depth talk about crypto, computation, LISP, AI, quantum key distro, and more http://bit.ly/SB-diffie As always, your feedback on

[SC-L] Silver Bullet: Brian Krebs

2014-10-31 Thread Gary McGraw
hi sc-l, Silver Bullet episode 103 features Brian Krebs, whose website http://krebsonsecurity.com is among the leading security reporting sites on the planet. Brian was once a reporter for the Washington Post, but he went solo after being let go (too deep for the dinosaur). Krebs broke a number

[SC-L] Silver Bullet 102: Richard Danzig

2014-09-21 Thread Gary McGraw
hi sc-l, The 102nd monthly episode of the Silver Bullet podcast features a conversation with Richard Danzig. Richard is a very accomplished leader who served as Secretary of the Navy (among other powerful positions). He is currently a member of the Board of the Center for a New American

[SC-L] IEEE Center for Secure Design [searchsecurity and silver bullet]

2014-08-27 Thread Gary McGraw
hi sc-l, This evening in SF we are officially launching the IEEE Center for Secure Design with a small event including security people and press. Jim DelGrosso and I will make a short presentation about the CSD during the launch. I devoted both of my monthly pieces (Silver Bullet and

[SC-L] SearchSecurity: Medical Devices and Software Security

2014-07-03 Thread Gary McGraw
hi sc-l, Chandu Ketkar and I wrote an article about medical device security based on a talk Chandu gave at Kevin Fu’s Archimedes conference in Ann Arbor. In the article, we discuss six categories of security defects that Cigital discovers again and again when analyzing medical devices for our

[SC-L] Silver Bullet 99: Michael Hicks

2014-07-03 Thread Gary McGraw
hi sc-l, Silver Bullet Security Podcast number 99 (99 months in a row!!) was just posted. This episode features a programming languages smorgasbord with Michael Hicks, professor of CS and security at University of Maryland. We talk type safety, closure, why C is bad, what makes dynamic

[SC-L] Silver Bullet 98: Bart Miller

2014-06-05 Thread Gary McGraw
hi sc-l, Bart Miller, computer science professor from Wisconsin, coined the term fuzz testing in 1990. He also is the PI for the DHS SWAMP---a software assurance marketplace of sorts. Bart knows a ton about software analysis. In episode 98 of Silver Bullet, we geek out about software

[SC-L] Silver Bullet 97 + SearchSecurity Heartbleed

2014-05-06 Thread Gary McGraw
hi sc-l, Heartbleed? Who cares? We do. Real lessons here http://bit.ly/1lBKDsE Silver Bullet 97. Programming languages actually matter. http://www.cigital.com/silver-bullet/show-097/ Read. Listen. Share. React. We want your feedback. gem

Re: [SC-L] [External] Firewalls, Fairy Dust, and Forensics

2014-04-04 Thread Gary McGraw
there. - The Doctor From: SC-L [sc-l-boun...@securecoding.org] on behalf of Gary McGraw [g...@cigital.com] Sent: 31 March 2014 18:40 To: Secure Code Mailing List Subject: [External] [SC-L] Firewalls, Fairy Dust, and Forensics hi sc-l, Ever get discouraged

[SC-L] Silver Bullet 96: Nate Fick, CEO of Endgame (and combat veteran)

2014-04-04 Thread Gary McGraw
hi sc-l, Nate Fick is an interesting man. He has a classics degree from Dartmouth, where he is now a Trustee. He served combat tours in Afghanistan and Iraq, resulting in the book “One Bullet Away” and the HBO series “Generation Kill.” He served as the CEO of an important new think tank,

[SC-L] Firewalls, Fairy Dust, and Forensics

2014-04-01 Thread Gary McGraw
hi sc-l, Ever get discouraged that we have not been making enough progress in software security? Well, we have been making plenty of progress and our field is growing fast! This peppy little article (co-authored with Sammy Migues) explains why firewalls, fairy dust, and forensics are not

[SC-L] IEEE Computer article

2014-03-26 Thread Gary McGraw
hi sc-l, I was asked to write an article for IEEE Computer’s security column this month. It’s about software security. Security Fatigue? Shift Your Paradigm http://www.cigital.com/presentations/mco2014030081.pdf (IEEE Computer Society, March 2014) As always, your feedback is welcome. You

[SC-L] Paul dot com podcast on #swsec at 6pm EST

2014-03-20 Thread Gary McGraw
hi sc-l, Tonight at 6pm EST I will be participating in a paul dot com webcast and talking all things software security. Please tune in if you can, and spread the word! http://securityweekly.com/watch gem company www.cigital.com podcast www.cigital.com/silverbullet blog

[SC-L] Silver Bullet 95: Charlie Miller

2014-02-28 Thread Gary McGraw
hi sc-l, Greetings from RSA, where the show gets underway today. I hope to see some sc-l readers out here. (Come see us during the show https://www.cigital.com/blog/2014/01/rsa-2014/.) Episode 95 of Silver Bullet features a conversation with Charlie Miller, who now works at Twitter as a

[SC-L] Silver Bullet 94: Ming Chow (Tufts)

2014-02-03 Thread Gary McGraw
hi sc-l, Episode 94 (in a row) of Silver Bullet features a conversation with Ming Chow, a developer who got interested in security and accidentally became a software security guy teaching at Tufts. We talk about that. We talk about exploiting online games (and using that as a teaching

[SC-L] SearchSecurity: Scaling Automated Code Review

2014-01-29 Thread Gary McGraw
hi sc-l, The latest monthly SearchSecurity article was co-authored with Jim Routh, CSO of Aetna. What Jim is doing for his fifth (!!) software security initiative is very interesting. So interesting that we decided to write about it. In particular pay attention to Jim's use of a lightweight

[SC-L] SearchSecurity: Scaling Architectural Risk Analysis

2013-12-26 Thread Gary McGraw
hi sc-l, Following on the heels of our SearchSecurity article on Architectural Risk Analysis (probably the most difficult touchpoint in software security), Jim DelGrosso and I write about how to scale ARA. http://bit.ly/19Jmk7f (or

[SC-L] Silver Bullet 93: Yoshi Kohno

2013-12-26 Thread Gary McGraw
hi sc-l, When it rains, it pours. Just in time for xmas eve, here is Silver Bullet episode 93. The podcast features a discussion with Yoshi Kohno (a cigital alum) who is now a computer science professor at University of Washington. You've probably heard of Yoshi's car hacking stuff (or

[SC-L] BSIMM-V Article in Application Development Times

2013-12-17 Thread Gary McGraw
hi sc-l, From time to time we talk about getting to the dev community here. This article is at least in the right publication! Read it and pass it on: http://adtmag.com/blogs/watersworks/2013/12/bsimm-v-released.aspx Salubrious solstice! One week and one day to go. gem

[SC-L] Silver Bullet 92: Jon Callas

2013-11-27 Thread Gary McGraw
hi sc-l, Just in time for turkey-induced coma listening time, Silver Bullet episode 92 features Jon Callas. Jon is an old school geek (on the net since 1979) who has occupied a front row seat during all of the crypto wars. His company Silent Circle is actively trying to build a real secure

[SC-L] Silver Bullet 91: Caroline Wong

2013-10-30 Thread Gary McGraw
hi sc-l, Episode 91 of Silver Bullet features a conversation with Cigital's Caroline Wong. We talk a lot about BSIMM (behind the scenes) as part of the BSIMM-V launch. BSIMM-V will be officially released at 9am EST 10.30.13! As an experienced practitioner (Symantec, eBay, Zynga), Caroline

[SC-L] BSIMM-V is alive

2013-10-30 Thread Gary McGraw
hi sc-l, I am proud to announce that the BSIMM-V document is complete and the website has been entirely revised/updated. Please download a copy of BSIMM-V today: http://bsimm.com BSIMM-V describes the software security initiatives at sixty-seven firms, including: Adobe, Aetna, Bank of

[SC-L] Silver Bullet 90: Matthew Green

2013-10-05 Thread Gary McGraw
hi sc-l, On one of the best Silver Bullet security podcasts in many a moon, I interview Matthew Green, research professor at Johns Hopkins University. Remember that university professor whose NSA-related posting was given a takedown notice? That was Matthew. Find out what he thought of all

[SC-L] Atlanta event OCT 1st

2013-09-25 Thread Gary McGraw
hi sc-l, As part of gearing up our Atlanta office, Cigital is co-sponsoring an event with TAG (Technology Association of Georgia) on Tuesday October 1st. The event will feature a fireside chat with Marcus Ranum and me about software and software security. Why is software still so bad, and

[SC-L] HP Protect keynote

2013-09-19 Thread Gary McGraw
hi sc-l, HP just put up a video of the keynote I delivered yesterday at HP Protect. Here it is! http://www.cigital.com/justice-league-blog/2013/09/17/zombies-just-what-dr-mcgraw-ordered/ gem p.s. Who knows Dinis in a can??

Re: [SC-L] SearchSecurity: Architecture Risk Analysis

2013-09-19 Thread Gary McGraw
hi marinus, Sorry for the (spam filter related) delay! Two of the steps that we define in the ARA article address your idea directly. Step 1: known-attack analysis certainly leverages knowledge about components, packages, and design patterns (associated with known attacks) and stuff you

[SC-L] SearchSecurity: Architecture Risk Analysis

2013-09-15 Thread Gary McGraw
hi sc-l, Software security in general spends a lot of time talking about bugs---too much time, I believe. We all know that software defects come in two major subclasses: bugs (in the implementation) and flaws (in the design). So, how do you find and FIX flaws? That's what this month's

[SC-L] HP Protect Keynote (next week 9.17.13)

2013-09-15 Thread Gary McGraw
hi sc-l, This year's keynote talk at HP Protect will be all about software security. How do I know? Well, I'm giving the talk. You can register here if you want to attend HP Protect in Washington, DC. http://h30627.www3.hp.com/ The Discover Performance magazine featured an article about

Re: [SC-L] HP Protect Keynote (next week 9.17.13)

2013-09-15 Thread Gary McGraw
Injection Blues' :) Dinis On 15 Sep 2013 09:39, Gary McGraw g...@cigital.com wrote: hi sc-l, This year's keynote talk at HP Protect will be all about software security. How do I know? Well, I'm giving the talk. You can register here if you want to attend HP Protect

[SC-L] SearchSecurity: 5 Tech Trends and Software Security

2013-08-11 Thread Gary McGraw
hi sc-l, SearchSecurity just posted my August article about the intersection of software security and 5 major tech trends. It is enhanced with BSIMM data to spice it up. Have a read http://bit.ly/137efaX (and pass it on!). Here is a (big ass) URL for Kevin:

[SC-L] Silver Bullet 88: Christian Collberg

2013-08-01 Thread Gary McGraw
hi sc-l, Christian Collberg has been among the best academicians in software protection for over a decade. His book Surreptitious Software which is really about obfuscation, watermarking and digital content protection is part of my Software Security Series http://buildingsecurityin.com.

[SC-L] Silver Bullet 87: James Walden

2013-07-01 Thread Gary McGraw
hi sc-l, Last month, Cigital consultant Joe Harless suggested that I interview his NKU professor James Walden. It was a good idea. Thanks Joe. I have known James for years. He uses Software Security in some of his classes and he thinks about software security all day. Trained as a

[SC-L] TechTarget: Proactive Security in Financial Services

2013-06-10 Thread Gary McGraw
hi sc-l, The Financial Services sector is an important advocate for real software security. At FS-ISAC this Spring in Florida, I moderated a panel about that (including JP Morgan Chase, Capital One and Fidelity). The panel resulted in a writeup posted today (and published in Information

[SC-L] Silver Bullet 86: Wenyuan Xu

2013-05-31 Thread Gary McGraw
hi sc-l, Ever wonder what it is like to be a Chinese scholar living and teaching in the US or a woman teaching computer science and engineering? We talk about that in the 86th episode of the Silver Bullet Security Podcast featuring University of South Carolina professor Wenyuan Xu:

[SC-L] Silver Bullet 85: Mobile Security with Jim Routh and Scott Matsumoto

2013-05-03 Thread Gary McGraw
hi sc-l, Is mobile security a brand new day or the same old same old? The answer depends on how you look at the problem. If you are a practitioner in the trenches, there are many new and interesting shiny bits to mobile security. If you are a security veteran, things look very familiar. In

[SC-L] BSIMM talk at RSA

2013-02-28 Thread Gary McGraw
hi sc-l, Please come hear my talk Bug Parades, Zombies and the BSIMM: A Decade of Software Security today at the RSA Conference. The talk is at 10:40am in room 132. I'll be making some of the BSIMM Update data from the RSA BSIMM Mixer public. 63 firms and counting. gem

[SC-L] Software Security on MSNBC Sunday morning TV (9:20am)

2013-02-24 Thread Gary McGraw
hi sc-l, I am slated to be a guest on MSNBC's Up With Chris Hayes tomorrow morning (Sunday 2.24) 9:20-10:00am. They wanted to fly me to NY for the show, but the plan now is to do this from the DC studios. We'll be talking about Cyber War. About the show:

Re: [SC-L] Software Security on MSNBC Sunday morning TV (9:20am)

2013-02-24 Thread Gary McGraw
hi sc-l, It's still early on Sunday, but here is a pointer to the episode: http://nbcnews.to/YqeokE gem From: gem g...@cigital.com Date: Saturday, February 23, 2013 4:21 PM To: Secure Code Mailing List SC-L@securecoding.org Subject: Software

[SC-L] See you next week at RSA 2013

2013-02-22 Thread Gary McGraw
hi sc-l, I know many sc-l readers will be headed out to San Francisco next week for the usual week of chaos surrounding RSA. Should be a blast as always. This year I am involved in two public appearances at the RSA conference, both of which will discuss software security explicitly. The

[SC-L] Chinese Hacking, Mandiant and Cyber War

2013-02-20 Thread Gary McGraw
enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.) Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does

[SC-L] Active Defense is Irresponsible

2013-02-13 Thread Gary McGraw
prudent alternative to cyberwarfare http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare (November 1, 2012) In fact, I have been a vocal opponent to the Cyber War drum beating that seems to pervade Washington. Here's what I had

Re: [SC-L] SearchSecurity: 13 Design Principles for 2013

2013-01-17 Thread Gary McGraw
mobile Original message From: Gary McGraw g...@cigital.com Date: To: Secure Code Mailing List SC-L@securecoding.org Cc: Parizo, Eric epar...@techtarget.com Subject: [SC-L] SearchSecurity: 13 Design

[SC-L] SearchSecurity: Twelve Most Common BSIMM Activities

2012-12-09 Thread Gary McGraw
hi sc-l, Greetings from NOLA where I am sailing this weekend. Ever wonder what the twelve most common software security activities are? Because of the BSIMM data, we actually know. Have a look for yourself:

Re: [SC-L] BSIMM4 Released Today

2012-09-27 Thread Gary McGraw
to pervade security coverage. gem p.s. This Dennis Fisher podcast is worth a listen too: https://threatpost.com/en_us/blogs/gary-mcgraw-bsimm4-and-how-avoid-being-slowest-zebra-092612 company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com From

[SC-L] BSIMM4 Released Today

2012-09-18 Thread Gary McGraw
hi sc-l, Today we released BSIMM4, the fourth edition of the BSIMM model built directly from data observed in 51 firms. If you ever wonder what software assurance looks like in commercial practice (and how to measure it), the BSIMM sheds plenty of light on current practice. Download a copy

[SC-L] Silver Bullet 77: Gary Warzala of Visa

2012-08-28 Thread Gary McGraw
hi sc-l, Greetings from Buenos Aires where I am pushing the software security agenda in South America this week in a series of four talks. Silver Bullet's 77th episode features Gary Warzala, CISO of Visa. Our discussion mirrors some of what we talked about during our fireside chat in

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-08 Thread Gary McGraw
, but at least a talking point. - Greg Gary McGraw wrote, On 08/02/2012 08:40 AM: Hi Jeff, I'm afraid I disagree. The hyperbolic way to state this is, imagine YOUR lawyer faced down by Microsoft's army of lawyers. You lose. Software liability is not the way to go in my opinion. Instead, I would

[SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
hi sc-l, This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act currently being considered in the Senate (as an answer to the

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote: hi sc-l, This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act

[SC-L] Silver Bullet 76: David Evans

2012-07-30 Thread Gary McGraw
hi sc-l, The 76th episode of Silver Bullet features a chat with Dave Evans, a professor at UVa and a well-respected security researcher. David and I discuss (among other things) the founding of the Interdisciplinary Major in Computer Science (BA) at UVa and why a broad approach to Computer

Re: [SC-L] Silver Bullet 76: David Evans

2012-07-30 Thread Gary McGraw
Oops! forgot to include the URL. Here it is: http://www.cigital.com/silver-bullet/show-076/ gem From: gem g...@cigital.com Date: Friday, July 27, 2012 2:27 PM To: Secure Code Mailing List SC-L@securecoding.org Cc: David Evans

Re: [SC-L] SearchSecurity: Mobile Security = Software Security

2012-07-15 Thread Gary McGraw
/magazineContent/Gary-McGraw-on-mobil e-security-Its-all-about-mobile-software-security Your feedback is always welcome. gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiaceleague book www.swsec.com

[SC-L] SearchSecurity: Mobile Security = Software Security

2012-07-09 Thread Gary McGraw
to draw from for a pithy article on mobile security. Take home message? Build security in! Every software security Touchpoint is relevant and useful when it comes to mobile security. Have a read, and pass it on. Pile on the hits: http://searchsecurity.techtarget.com/magazineContent/Gary-McGraw

[SC-L] Flame provides an opportunity

2012-05-31 Thread Gary McGraw
badware addresses malware problem http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem (May 2012). Some of the Flame dustup in the press this week riffed on that idea and even mentioned the BSIMM (in the WSJ CIO Journal): http://blogs.wsj.com/cio

[SC-L] Silver Bullet 74: Bruce Schneier

2012-05-31 Thread Gary McGraw
hi sc-l, There are exactly two security gurus we have covered twice in Silver Bullet: Ross Anderson (who holds the all time record for hits) and Bruce Schneier. Both are very interesting thinkers and thought leaders in computer security. Episode 74 is the second Silver Bullet conversation

Re: [SC-L] SearchSecurity: Badware versus malware

2012-05-12 Thread Gary McGraw
The article does not suggest otherwise. gem On 5/11/12 1:51 PM, Ben Laurie b...@google.com wrote: On 8 May 2012 07:18, Gary McGraw g...@cigital.com wrote: hi sc-l, What’s worse, bad software or malicious software? In fact, what’s the difference? My second column for SearchSecurity is all

[SC-L] SearchSecurity: Badware versus malware

2012-05-08 Thread Gary McGraw
hi sc-l, What’s worse, bad software or malicious software? In fact, what’s the difference? My second column for SearchSecurity is all about that. Read it today. And pass it on. http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem Bottom

[SC-L] Silver Bullet 73: Robert Vamosi

2012-05-04 Thread Gary McGraw
hi sc-l, This morning we released episode 73 of Silver Bullet. The new show is an interview with Robert Vamosi. Robert is a well-known security reporter, having worked for a bunch of esteemed publications including Forbes, c!net, and threatpost. Robert also wrote a book called When Gadgets

[SC-L] SearchSecurity: Build it in, build it right

2012-04-10 Thread Gary McGraw
://searchsecurity.techtarget.com/contributor/Gary-McGraw The very first article itself just went up today. It is titled Gary McGraw on software security assurance: Build it in, build it right (can you tell the Techtarget people made up the title?): http://searchsecurity.techtarget.com/opinion/Gary-McGraw

Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

2012-03-07 Thread Gary McGraw
Karen is right. That is a legacy of Watts Humphrey. gem From: Goertzel, Karen [USA] goertzel_ka...@bah.com Date: Wed, 7 Mar 2012 09:53:18 -0500 To: Martin Gilje Jaatun secse-ch...@sislab.no, Secure Code Mailing List

[SC-L] c!net article on the RSA hamster wheel

2012-03-03 Thread Gary McGraw
hi sc-l, There is still plenty of reactive security to be seen at RSA, but the amount of airplay that software security is getting is going up, and the presentations on building security in are getting better. Elinor Mills just posted a nice summary article on c!net:

[SC-L] IEEE SP highlight

2012-02-21 Thread Gary McGraw
hi sc-l, Happy tenth birthday to IEEE Security & Privacy magazine. IEEE Security & Privacy plays an important role in the field at the critical intersection point between peer reviewed science and applied technology. If you don't subscribe yet, you should. See

[SC-L] Silver Bullet 70: Ross Anderson Reprise

2012-02-03 Thread Gary McGraw
hi sc-l, Ross Anderson's first Silver Bullet episode (episode 13) has consistently led the download totals since its release way back when. Over 25,000 people have listened to the episode and it remains very popular (either that or Ross is clicking on it an awful lot himself). In order to

[SC-L] informIT: vBSIMM revised

2012-01-26 Thread Gary McGraw
hi sc-l, Third party software is a major risk category in most modern organizations (see Third-Party Software and Security, http://www.informit.com/articles/article.aspx?p=1809143). We have been working on a BSIMM derivative called the vBSIMM to help manage third party software risk. Today we

[SC-L] informIT: BSIMM versus SAFECode

2011-12-31 Thread Gary McGraw
Let's try that again, this time with the proper email address… From: gem g...@cigital.com Date: Tue, 27 Dec 2011 16:32:56 -0500 To: sc-l-boun...@securecoding.org hi sc-l,

[SC-L] Silver Bullet 69: Steve Myers

2011-12-31 Thread Gary McGraw
happy new year sc-l, The 69th episode of Silver Bullet is an interview with professor Steve Myers from Indiana University. Steve is a cryptographer who works on Phishing, but he also teaches the security engineering course at IU. Among other topics, we discuss the challenge of keeping

[SC-L] informIT: third-party software and security

2011-11-30 Thread Gary McGraw
hi sc-l, We recently convened a BSIMM Community Conference near Portland, Oregon. (For a list of the 42 companies participating in the BSIMM project, see http://bsimm.com/community/.) The BSIMM project describes and measures the work of 786 SSG members, who together with a satellite of 1750

[SC-L] Silver Bullet 68

2011-11-30 Thread Gary McGraw
hi sc-l, I am pleased to announce that episode 68 of the Silver Bullet Security Podcast is an interview of Cigital's own John Steven. jOHN (or jS) as he is known around here is a well-respected technologist and software security practitioner. He served a stint editing the Building Security In

[SC-L] informIT: Software Security Training

2011-10-31 Thread Gary McGraw
hi sc-l, Happy Halloween everybody. Sammy Migues and I just published an article on Software Security Training in informIT based on a decade of experience delivering software security training: http://www.informit.com/articles/article.aspx?p=1767770 The article includes some analysis of both

[SC-L] silver bullet: bill pugh

2011-10-31 Thread Gary McGraw
hi sc-l, The 67th Silver Bullet podcast features Bill Pugh. Bill is an alpha geek who is currently a professor at University of Maryland. You may know his FindBugs project if you're a Java person. You may not know that Bill is also a fire eater who once lit my solstice bonfire in an

Re: [SC-L] BSIMM3 lives

2011-10-18 Thread Gary McGraw
hi steve and sc-l, Sorry for the delay in responding. I am just catching up after spending last week in Bloomington, Indiana. Some quick answers: 1) Was any analysis done to ensure that the 3 levels are consistent from a maturity perspective - for example, if an organization performed an

Re: [SC-L] BSIMM3 lives

2011-10-18 Thread Gary McGraw
software security right but big companies can. -Chris -Original Message- From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Steven M. Christey Sent: Saturday, October 15, 2011 5:45 PM To: Gary McGraw Cc: Secure Code Mailing List Subject: Re: [SC-L

[SC-L] BSIMM3 lives

2011-09-27 Thread Gary McGraw
hi sc-l, BSIMM3 was just posted. You can download it from http://bsimm.com Since the first BSIMM interview in October 2008, we’ve progressed from 9 to 30 to 42 firms (and more, at this point). We’ve also measured 11 firms twice—with about 19 months between measurements on average—providing

Re: [SC-L] Building conferences (was: informIT: Building versus Breaking)

2011-09-03 Thread Gary McGraw
hi sc-l, This minor flame war reminds me of the '80s! Hurray. I have worked hard to inject software security (the building kind) into two conferences: The first was the SD West/SD East set of shows where I started a software security track, did a keynote, invited Schneier to speak, etc. The
