[SC-L] Silver Bullet 64: Markus Schumacher

2011-07-31 Thread Gary McGraw
hi sc-l, We just posted the 64th episode of Silver Bullet---an interview of Markus Schumacher, CEO and co-founder of Virtual Forge. Markus worked for many years at SAP and his startup sells a static analysis tool focused on SAP's ABAP language. I find it interesting that the ERP market is beg

[SC-L] Innovation and tech transfer

2011-08-01 Thread Gary McGraw
hi sc-l, At the Software Experts Summit held in silicon valley in May, Linda Rising heard my talk on the state of software security and the BSIMM. In a hallway conversation, she asked me to revise my informIT article on technology transfer and innovation to publish in IEEE Software. A copy of

[SC-L] Silver Bullet 65: Giovanni Vigna

2011-08-29 Thread Gary McGraw
hi sc-l, Though Sammy, Brian, and I are busy building BSIMM3 today (lots of data to crunch since we have 80 vectors, 12 re-measurements, and 42 firms!), we posted the latest episode of Silver Bullet anyway. This episode features UC Santa Barbara professor Giovanni Vigna. Giovanni has always p

[SC-L] informIT: Building versus Breaking

2011-08-31 Thread Gary McGraw
hi sc-l, I went to Blackhat for the first time ever this year (even though I am basically allergic to Las Vegas), and it got me started thinking about building things properly versus breaking things in our field. Blackhat was mostly about breaking stuff of course. I am not opposed to breaking

Re: [SC-L] "Building" conferences (was: informIT: Building versus Breaking)

2011-09-03 Thread Gary McGraw
hi sc-l, This minor flame war reminds me of the '80s! Hurray. I have worked hard to inject software security (the building kind) into two conferences: The first was the SD West/SD East set of shows where I started a software security track, did a keynote, invited Schneier to speak, etc. The

[SC-L] BSIMM3 lives

2011-09-27 Thread Gary McGraw
hi sc-l, BSIMM3 was just posted. You can download it from http://bsimm.com Since the first BSIMM interview in October 2008, we’ve progressed from 9 to 30 to 42 firms (and more, at this point). We’ve also measured 11 firms twice—with about 19 months between measurements on average—providing the

[SC-L] Silver Bullet 66: Shari Lawrence Pfleeger

2011-09-29 Thread Gary McGraw
hi sc-l, Shari Lawrence Pfleeger is an exceptional software engineer who has written many of the textbooks in common use today for both Computer Security and Software Engineering. Her work in software measurement and metrics is also very well known. Shari is the 66th Silver Bullet podcast vic

Re: [SC-L] BSIMM3 lives

2011-10-18 Thread Gary McGraw
hi steve and sc-l, Sorry for the delay in responding. I am just catching up after spending last week in Bloomington, Indiana. Some quick answers: > 1) Was any analysis done to ensure that the 3 levels are consistent > from a maturity perspective - for example, if an organization > performed an

Re: [SC-L] BSIMM3 lives

2011-10-18 Thread Gary McGraw
d. I pulled out this data in my argument against Mary Ann >Davidson when she posited that maybe small ISVs can't be trusted to get >software security right but big companies can. > >-Chris > > >-Original Message- >From: sc-l-boun...@securecoding.org >[mailto:sc-

Re: [SC-L] BSIMM3 lives

2011-10-21 Thread Gary McGraw
WRT programming Satan's computer is probably in order. See what Schneier says here: http://www.schneier.com/essay-185.html FWIW, 23 of 42 firms practice activity SFD2.1. None of them make use of ESAPI. gem On 10/19/11 11:22 PM, "Kevin W. Wall" wrote: >On Tue, Oct 18, 201

[SC-L] informIT: Software Security Training

2011-10-31 Thread Gary McGraw
hi sc-l, Happy Halloween everybody. Sammy Migues and I just published an article on Software Security Training in informIT based on a decade of experience delivering software security training: http://www.informit.com/articles/article.aspx?p=1767770 The article includes some analysis of both da

[SC-L] silver bullet: bill pugh

2011-10-31 Thread Gary McGraw
hi sc-l, The 67th Silver Bullet podcast features Bill Pugh. Bill is an alpha geek who is currently a professor at University of Maryland. You may know his FindBugs project if you're a Java person. You may not know that Bill is also a fire eater who once lit my solstice bonfire in an interest

[SC-L] informIT: third-party software and security

2011-11-30 Thread Gary McGraw
hi sc-l, We recently convened a BSIMM Community Conference near Portland, Oregon. (For a list of the 42 companies participating in the BSIMM project, see .) The BSIMM project describes and measures the work of 786 SSG members, who together with a satellite of 1750

[SC-L] Silver Bullet 68

2011-11-30 Thread Gary McGraw
hi sc-l, I am pleased to announce that episode 68 of the Silver Bullet Security Podcast is an interview of Cigital's own John Steven. jOHN (or jS) as he is known around here is a well-respected technologist and software security practitioner. He served a stint editing the Building Security In

[SC-L] informIT: BSIMM versus SAFECode

2011-12-31 Thread Gary McGraw
Let's try that again, this time with the proper email address… From: gem mailto:g...@cigital.com>> Date: Tue, 27 Dec 2011 16:32:56 -0500 To: "sc-l-boun...@securecoding.org" mailto:sc-l-boun...@securecoding.org>> hi sc-l, How about a little software security

[SC-L] Silver Bullet 69: Steve Myers

2011-12-31 Thread Gary McGraw
happy new year sc-l, The 69th episode of Silver Bullet is an interview with professor Steve Myers from Indiana University. Steve is a cryptographer who works on Phishing, but he also teaches the security engineering course at IU. Among other topics, we discuss the challenge of keeping academi

[SC-L] informIT: vBSIMM revised

2012-01-26 Thread Gary McGraw
hi sc-l, Third party software is a major risk category in most modern organizations (see Third-Party Software and Security). We have been working on a BSIMM derivative called the vBSIMM to help manage third party software risk. Today w

[SC-L] Silver Bullet 70: Ross Anderson Reprise

2012-02-03 Thread Gary McGraw
hi sc-l, Ross Anderson's first Silver Bullet episode (episode 13) has consistently led the download totals since its release way back when. Over 25,000 people have listened to the episode and it remains very popular (either that or Ross is clicking on it an awful lot himself). In order to com

[SC-L] RSA Panel on Tech Transfer

2012-02-09 Thread Gary McGraw
hi sc-l, Like many of you, I will be at RSA in a couple of weeks. One of the two panels I will be on this year is about Technology Transfer, Innovation, and Entrepreneurship. A recent (yesterday) special issue of Computing Now leads in to our panel discussion: http://www.computer.org/portal/

[SC-L] IEEE S&P highlight

2012-02-21 Thread Gary McGraw
hi sc-l, Happy tenth birthday to IEEE Security & Privacy magazine. IEEE Security & Privacy plays an important role in the field at the critical intersection point between peer reviewed science and applied technology. If you don't subscribe yet, you should. See http://www.cigital.com/justice

[SC-L] Silver Bullet 71: Bill Arbaugh

2012-03-02 Thread Gary McGraw
hi sc-l, Greetings from RSA where software security is getting tons of airtime this year, much of which devoted to software security initiatives. Bill Arbaugh is a particularly interesting security practitioner. He has served in the military, worked at the NSA, been an academic, founded and so

[SC-L] c!net article on the RSA hamster wheel

2012-03-03 Thread Gary McGraw
hi sc-l, There is still plenty of reactive security to be seen at RSA, but the amount of airplay that software security is getting is going up, and the presentations on building security in are getting better. Elinor Mills just posted a nice summary article on c!net: http://news.cnet.com/8301-2

Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

2012-03-07 Thread Gary McGraw
Karen is right. That is a legacy of Watts Humphrey. gem From: "Goertzel, Karen [USA]" mailto:goertzel_ka...@bah.com>> Date: Wed, 7 Mar 2012 09:53:18 -0500 To: Martin Gilje Jaatun mailto:secse-ch...@sislab.no>>, Secure Code Mailing List mailto:SC-L@securecoding.org>> Subject: Re: [SC-L] Fwd: [S

[SC-L] Silver Bullet: Randy Sabett

2012-04-02 Thread Gary McGraw
hi sc-l, Randy Sabett is a lawyer (with a JD) specializing in security and privacy law. He was once a crypto engineer with the NSA, and his geek cred is legit. Randy is victim, er, guest 72 on the Silver Bullet Security Podcast. Have a listen: http://www.cigital.com/silver-bullet/show-072/

[SC-L] SearchSecurity: Build it in, build it right

2012-04-10 Thread Gary McGraw
://searchsecurity.techtarget.com/contributor/Gary-McGraw The very first article itself just went up today. It is titled "Gary McGraw on software security assurance: Build it in, build it right" (can you tell the Techtarget people made up the title?): http://searchsecurity.techtarget.com/opinion/G

[SC-L] Silver Bullet 73: Robert Vamosi

2012-05-04 Thread Gary McGraw
hi sc-l, This morning we released episode 73 of Silver Bullet. The new show is an interview with Robert Vamosi. Robert is a well-known security reporter, having worked for a bunch of esteemed publications including Forbes, c!net, and threatpost. Robert also wrote a book called "When Gadgets

[SC-L] SearchSecurity: Badware versus malware

2012-05-08 Thread Gary McGraw
hi sc-l, What’s worse, bad software or malicious software? In fact, what’s the difference? My second column for SearchSecurity is all about that. Read it today. And pass it on. http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem Bottom

Re: [SC-L] SearchSecurity: Badware versus malware

2012-05-12 Thread Gary McGraw
The article does not suggest otherwise. gem On 5/11/12 1:51 PM, "Ben Laurie" wrote: >On 8 May 2012 07:18, Gary McGraw wrote: >> hi sc-l, >> >> What’s worse, bad software or malicious software? In fact, what’s the >>difference? >> >> My s

[SC-L] Flame provides an opportunity

2012-05-31 Thread Gary McGraw
y in May: Eliminating badware addresses malware problem <http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem> (May 2012). Some of the Flame dustup in the press this week riffed on that idea and even mentioned the BSIMM (in the WSJ CIO Jou

[SC-L] Silver Bullet 74: Bruce Schneier

2012-05-31 Thread Gary McGraw
hi sc-l, There are exactly two security gurus we have covered twice in Silver Bullet: Ross Anderson (who holds the all time record for hits) and Bruce Schneier. Both are very interesting thinkers and thought leaders in computer security. Episode 74 is the second Silver Bullet conversation with

[SC-L] SearchSecurity: Mobile Security = Software Security

2012-07-09 Thread Gary McGraw
odder to draw from for a pithy article on mobile security. Take home message? Build security in! Every software security Touchpoint is relevant and useful when it comes to mobile security. Have a read, and pass it on. Pile on the hits: http://searchsecurity.techtarget.com/magazineContent/Gary-M

Re: [SC-L] SearchSecurity: Mobile Security = Software Security

2012-07-15 Thread Gary McGraw
gt;>security Touchpoint is relevant and useful when it comes to mobile >>security. >> >> Have a read, and pass it on. Pile on the hits: >> >>http://searchsecurity.techtarget.com/magazineContent/Gary-McGraw-on-mobil >>e-security-Its-all-about-mobile-software-se

[SC-L] Silver Bullet 76: David Evans

2012-07-30 Thread Gary McGraw
hi sc-l, The 76th episode of Silver Bullet features a chat with Dave Evans, a professor at UVa and a well-respected security researcher. David and I discuss (among other things) the founding of the Interdisciplinary Major in Computer Science (BA) at UVa and why a broad approach to Computer Sci

Re: [SC-L] Silver Bullet 76: David Evans

2012-07-30 Thread Gary McGraw
Oops! forgot to include the URL. Here it is: http://www.cigital.com/silver-bullet/show-076/ gem From: gem mailto:g...@cigital.com>> Date: Friday, July 27, 2012 2:27 PM To: Secure Code Mailing List mailto:SC-L@securecoding.org>> Cc: David Evans mailto:ev...@cs.virginia.edu>> Subject: Silver Bu

[SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
hi sc-l, This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act currently being considered in the Senate (as an answer to the p

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
thing is cost >effective at the moment). > >Jeff > >On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw wrote: >> hi sc-l, >> >> This month's [in]security article takes on Cyber Law as its topic. The >>US Congress has been debating a cyber security bill

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-08 Thread Gary McGraw
tting customers to care about their device's >security, and 2) making a vendor's commitment to security recognizable >by the customer. By no means ideal, but at least a talking point. > >- Greg > >Gary McGraw wrote, On 08/02/2012 08:40 AM: >> Hi Jeff, >> >>

[SC-L] Silver Bullet 77: Gary Warzala of Visa

2012-08-28 Thread Gary McGraw
hi sc-l, Greetings from Buenos Aires where I am pushing the software security agenda in South America this week in a series of four talks. Silver Bullet's 77th episode features Gary Warzala, CISO of Visa. Our discussion mirrors some of what we talked about during our fireside chat in Blooming

[SC-L] BSIMM4 Released Today

2012-09-18 Thread Gary McGraw
hi sc-l, Today we released BSIMM4, the fourth edition of the BSIMM model built directly from data observed in 51 firms. If you ever wonder what software assurance looks like in commercial practice (and how to measure it), the BSIMM sheds plenty of light on current practice. Download a copy to

Re: [SC-L] BSIMM4 Released Today

2012-09-27 Thread Gary McGraw
that seems to pervade security coverage. gem p.s. This Dennis Fisher podcast is worth a listen too: https://threatpost.com/en_us/blogs/gary-mcgraw-bsimm4-and-how-avoid-being-slowest-zebra-092612 company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.

[SC-L] Ten Commandments for Software Security

2012-10-06 Thread Gary McGraw
hi sc-l, You all know by now that the BSIMM is a descriptive model and not a prescriptive one. But at Cigital we're happy to give prescriptive advice about software security based on our experience as well. Without further ado, the ten commandments for software security: 0. Thou shalt lead t

[SC-L] Silver Bullet 79: Per-Olof Persson

2012-10-26 Thread Gary McGraw
hi sc-l, Episode 79 of Silver Bullet features a conversation with Per-Olof Persson, a European leader in software security and Global Head of Software Security for Sony Mobile. If you ever wonder what a Board of Directors thinks about software security, this episode will help you understand th

[SC-L] Cyber War and Software Security

2012-11-02 Thread Gary McGraw
just published an article I wrote about cyber war and prudent defense (as opposed to "active defense" which is really offense). If all of this sounds confusing, have a read and see what you think: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defen

[SC-L] Silver Bullet: Thomas Rid

2012-12-05 Thread Gary McGraw
hi sc-l, Earlier this month, I had the pleasure of visiting Thomas Rid and giving a talk on cyber war at King's College London. Thomas and I had a great discussion after the talk, and I asked him to do a silver bullet episode. http://www.cigital.com/silver-bullet/show-080/ Episode 80 is a bit

[SC-L] SearchSecurity: Twelve Most Common BSIMM Activities

2012-12-09 Thread Gary McGraw
hi sc-l, Greetings from NOLA where I am sailing this weekend. Ever wonder what the twelve most common software security activities are? Because of the BSIMM data, we actually know. Have a look for yourself: http://searchsecurity.techtarget.com/news/2240174114/Twelve-common-software-security-ac

[SC-L] Silver Bullet 81: Steve Bellovin

2013-01-03 Thread Gary McGraw
hi sc-l, Merry New Year to you all! Here's to more secure software in 2013. The latest Silver Bullet episode, number 81, went live today, featuring security grey beard Steve Bellovin. Steve's long and storied career spans the invention of Usenet in grad school, through Bell Labs, to Columbia

[SC-L] SearchSecurity: 13 Design Principles for 2013

2013-01-17 Thread Gary McGraw
hi sc-l, Merry new year to you all. About the hardest part of software security is design. Everything about it is hard: secure design, threat modeling, architectural risk analysis, etc. Even convincing slow pokes that there is a difference between bugs and flaws is hard (you should see the "

Re: [SC-L] SearchSecurity: 13 Design Principles for 2013

2013-01-17 Thread Gary McGraw
mp; S's fundamental assumptions do not apply in Gelernter's universe. For example how do I completely mediate in a federation? Answer: you don't; you have partial control at best. http://1raindrop.typepad.com/1_raindrop/2008/06/mashup-of-the-titans.html Gunnar Sent from my mobile --

[SC-L] Silver Bullet 82: Kevin Fu

2013-01-18 Thread Gary McGraw
hi sc-l, Kevin Fu is an interesting guy. An MIT Ph.D., Kevin did a post doc with Avi Rubin at Johns Hopkins and then moved on to be a professor at UMass. As of January, he moved his lab to University of Michigan. Among other interests, Kevin is an expert in embedded medical device security.

[SC-L] Silver Bullet 79: Per-Olof Persson (Sony Mobile) transcript posted

2013-01-23 Thread Gary McGraw
hi sc-l, We just posted the transcript for episode 79 of the Silver Bullet Podcast featuring Per-Olof Persson of Sony Mobile: http://www.cigital.com/silverbullet-files/shows/silverbullet-079-ppersson.pdf The transcript will appear in IEEE Security & Privacy magazine soon. gem company www.cigit

[SC-L] "Active Defense" is Irresponsible

2013-02-13 Thread Gary McGraw
oactive defense prudent alternative to cyberwarfare<http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare> (November 1, 2012) In fact, I have been a vocal opponent to the Cyber War drum beating that seems to pervade Washingt

[SC-L] Chinese Hacking, Mandiant and Cyber War

2013-02-20 Thread Gary McGraw
the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.) Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerwor

[SC-L] See you next week at RSA 2013

2013-02-22 Thread Gary McGraw
hi sc-l, I know many sc-l readers will be headed out to San Francisco next week for the usual week of chaos surrounding RSA. Should be a blast as always. This year I am involved in two public appearances at the RSA conference, both of which will discuss software security explicitly. The first

[SC-L] Software Security on MSNBC Sunday morning TV (9:20am)

2013-02-24 Thread Gary McGraw
hi sc-l, I am slated to be a guest on MSNBC's "Up With Chris Hayes" tomorrow morning (Sunday 2.24) 9:20-10:00am. They wanted to fly me to NY for the show, but the plan now is to do this from the DC studios. We'll be talking about Cyber War. About the show: http://www.nytimes.com/2012/06/2

Re: [SC-L] Software Security on MSNBC Sunday morning TV (9:20am)

2013-02-24 Thread Gary McGraw
hi sc-l, It's still early on Sunday, but here is a pointer to the episode: http://nbcnews.to/YqeokE gem From: gem mailto:g...@cigital.com>> Date: Saturday, February 23, 2013 4:21 PM To: Secure Code Mailing List mailto:SC-L@securecoding.org>> Subject: Software Security on MSNBC Sunday morning T

[SC-L] BSIMM talk at RSA

2013-02-28 Thread Gary McGraw
hi sc-l, Please come hear my talk "Bug Parades, Zombies and the BSIMM: A Decade of Software Security" today at the RSA Conference. The talk is at 10:40am in room 132. I'll be making some of the BSIMM Update data from the RSA BSIMM Mixer public. 63 firms and counting. gem _

[SC-L] Silver Bullet 84: W Hord Tipton of ISC^2

2013-04-05 Thread Gary McGraw
hi sc-l, Paco Hope and I have debated security certifications for years (a friendly battle of sorts). During my last trip to London on a train to go visit Ross Anderson in Cambridge, Paco suggested that I interview ISC^2 Executive Director Hord Tipton. I'm glad I did! Hord and I talk about h

[SC-L] Silver Bullet 85: Mobile Security with Jim Routh and Scott Matsumoto

2013-05-03 Thread Gary McGraw
hi sc-l, Is mobile security a brand new day or the same old same old? The answer depends on how you look at the problem. If you are a practitioner in the trenches, there are many new and interesting shiny bits to mobile security. If you are a security veteran, things look very familiar. In

[SC-L] Silver Bullet 86: Wenyuan Xu

2013-05-31 Thread Gary McGraw
hi sc-l, Ever wonder what it is like to be a Chinese scholar living and teaching in the US or a woman teaching computer science and engineering? We talk about that in the 86th episode of the Silver Bullet Security Podcast featuring University of South Carolina professor Wenyuan Xu: bit.ly/14e8

[SC-L] TechTarget: Proactive Security in Financial Services

2013-06-10 Thread Gary McGraw
hi sc-l, The Financial Services sector is an important advocate for real software security. At FS-ISAC this Spring in Florida, I moderated a panel about that (including JP Morgan Chase, Capital One and Fidelity). The panel resulted in a writeup posted today (and published in Information Secur

[SC-L] SearchSecurity: The NSA leaks (verizon and prism)

2013-06-19 Thread Gary McGraw
hi sc-l, When we build systems, we need to do some thinking about privacy along with our thinking about security. If we don't anticipate how our systems and the data they collect might be abused, we might not make the right design decisions. Just ask Facebook. Today, SearchSecurity posted my

[SC-L] Silver Bullet 87: James Walden

2013-07-01 Thread Gary McGraw
hi sc-l, Last month, Cigital consultant Joe Harless suggested that I interview his NKU professor James Walden. It was a good idea. Thanks Joe. I have known James for years. He uses "Software Security" in some of his classes and he thinks about software security all day. Trained as a partic

[SC-L] Silver Bullet 88: Christian Collberg

2013-08-01 Thread Gary McGraw
hi sc-l, Christian Collberg has been among the best academicians in software protection for over a decade. His book "Surreptitious Software" which is really about obfuscation, watermarking and digital content protection is part of my Software Security Series. C

[SC-L] SearchSecurity: 5 Tech Trends and Software Security

2013-08-11 Thread Gary McGraw
hi sc-l, SearchSecurity just posted my August article about the intersection of software security and 5 major tech trends. It is enhanced with BSIMM data to spice it up. Have a read http://bit.ly/137efaX (and pass it on!). Here is a (big ass) URL for Kevin: http://searchsecurity.techtarget.

[SC-L] Silver Bullet 89: Mike Reiter

2013-09-04 Thread Gary McGraw
hi sc-l, Silver Bullet episode 89 was posted yesterday. It features a conversation with Professor Mike Reiter from UNC. Mike's work is well known in distributed systems and networking. He has done a bit of work in software security. Have a listen: http://www.cigital.com/silver-bullet/show-0

[SC-L] SearchSecurity: Architecture Risk Analysis

2013-09-15 Thread Gary McGraw
hi sc-l, Software security in general spends a lot of time talking about bugs---too much time, I believe. We all know that software defects come in two major subclasses: bugs (in the implementation) and flaws (in the design). So, how do you find and FIX flaws? That's what this month's Search

[SC-L] HP Protect Keynote (next week 9.17.13)

2013-09-15 Thread Gary McGraw
hi sc-l, This year's keynote talk at HP Protect will be all about software security. How do I know? Well, I'm giving the talk. You can register here if you want to attend HP Protect in Washington, DC. http://h30627.www3.hp.com/ The Discover Performance magazine featured an article about soft

Re: [SC-L] HP Protect Keynote (next week 9.17.13)

2013-09-15 Thread Gary McGraw
like the O2 Platform (and ThreadFix) to integrate+glue the application security knowledge created by tools and humans :) For the record I'm gutted that HP can't organise a 'Conference Band' like the 'Owasp band' so that we can do our yearly rendition of the 'SQL

[SC-L] HP Protect keynote

2013-09-19 Thread Gary McGraw
hi sc-l, HP just put up a video of the keynote I delivered yesterday at HP Protect. Here it is! http://www.cigital.com/justice-league-blog/2013/09/17/zombies-just-what-dr-mcgraw-ordered/ gem p.s. Who knows "Dinis in a can??" ___ Secure Coding mail

Re: [SC-L] SearchSecurity: Architecture Risk Analysis

2013-09-19 Thread Gary McGraw
hi marinus, Sorry for the (spam filter related) delay! Two of the steps that we define in the ARA article address your idea directly. Step1: known-attack analysis certainly leverages knowledge about components, packages, and design patterns (associated with known attacks) and "stuff you inher

[SC-L] Atlanta event OCT 1st

2013-09-25 Thread Gary McGraw
hi sc-l, As part of gearing up our Atlanta office, Cigital is co-sponsoring an event with TAG (technology association of georgia) on Tuesday October 1st. The event will feature a fireside chat with Marcus Ranum and me about software and software security. "Why is software still so bad, and wh

[SC-L] Silver Bullet 90: Matthew Green

2013-10-05 Thread Gary McGraw
hi sc-l, On one of the best Silver Bullet security podcasts in many a moon, I interview Matthew Green, research professor at Johns Hopkins university. Remember that university professor whose NSA-related posting was given a takedown notice? That was Matthew. Find out what he thought of all t

[SC-L] Silver Bullet 91: Caroline Wong

2013-10-30 Thread Gary McGraw
hi sc-l, Episode 91 of Silver Bullet features a conversation with Cigital's Caroline Wong. We talk a lot about BSIMM (behind the scenes) as part of the BSIMM-V launch. BSIMM-V will be officially released at 9am EST 10.30.13! As an experienced practitioner (Symantec, eBay, Zynga), Caroline bri

[SC-L] BSIMM-V is alive

2013-10-30 Thread Gary McGraw
hi sc-l, I am proud to announce that the BSIMM-V document is complete and the website has been entirely revised/updated. Please download a copy of BSIMM-V today: http://bsimm.com BSIMM-V describes the software security initiatives at sixty-seven firms, including: Adobe, Aetna, Bank of America,

[SC-L] Silver Bullet 92: Jon Callas

2013-11-27 Thread Gary McGraw
hi sc-l, Just in time for turkey-induced coma listening time, Silver Bullet episode 92 features Jon Callas. Jon is an old school geek (on the net since 1979) who has occupied a front row seat during all of the crypto wars. His company Silent Circle is actively trying to build a real secure em

[SC-L] BSIMM-V Article in Application Development Times

2013-12-17 Thread Gary McGraw
hi sc-l, From time to time we talk about getting to the dev community here. This article is at least in the right publication! Read it and pass it on: http://adtmag.com/blogs/watersworks/2013/12/bsimm-v-released.aspx Salubrious solstice! One week and one day to go. gem __

[SC-L] SearchSecurity: Scaling Architectural Risk Analysis

2013-12-26 Thread Gary McGraw
hi sc-l, Following on the heels of our SearchSecurity article on Architectural Risk Analysis (probably the most difficult touchpoint in software security), Jim DelGrosso and I write about how to scale ARA. http://bit.ly/19Jmk7f (or http://searchsecurity.techtarget.com/opinion/McGraw-Software

[SC-L] Silver Bullet 93: Yoshi Kohno

2013-12-26 Thread Gary McGraw
hi sc-l, When it rains, it pours. Just in time for xmas eve, here is Silver Bullet episode 93. The podcast features a discussion with Yoshi Kohno (a cigital alum) who is now a computer science professor at University of Washington. You've probably heard of Yoshi's car hacking stuff (or maybe

[SC-L] SearchSecurity: Scaling Automated Code Review

2014-01-29 Thread Gary McGraw
hi sc-l, The latest monthly SearchSecurity article was co-authored with Jim Routh, CSO of Aetna. What Jim is doing for his fifth (!!) software security initiative is very interesting. So interesting that we decided to write about it. In particular pay attention to Jim's use of a light weight I

[SC-L] Silver Bullet 94: Ming Chow (Tufts)

2014-02-03 Thread Gary McGraw
hi sc-l, Episode 94 (in a row) of Silver Bullet features a conversation with Ming Chow, a developer who got interested in security and accidentally became a software security guy teaching at Tufts. We talk about that. We talk about exploiting online games (and using that as a teaching mechani

[SC-L] Silver Bullet 95: Charlie Miller

2014-02-28 Thread Gary McGraw
hi sc-l, Greetings from RSA, where the show gets underway today. I hope to see some sc-l readers out here. (Come see us during the show https://www.cigital.com/blog/2014/01/rsa-2014/.) Episode 95 of silver bullet features a conversation with Charlie Miller, who now works at Twitter as a securi

[SC-L] Paul dot com podcast on #swsec at 6pm EST

2014-03-20 Thread Gary McGraw
hi sc-l, Tonight at 6pm EST I will be participating in a paul dot com webcast and talking all things software security. Please tune in if you can, and spread the word! http://securityweekly.com/watch gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justic

[SC-L] IEEE Computer article

2014-03-26 Thread Gary McGraw
hi sc-l, I was asked to write an article for IEEE Computer’s security column this month. It’s about software security. Security Fatigue? Shift Your Paradigm, (IEEE Computer Society, March 2014) As always, your feedback is welcome. You

[SC-L] Firewalls, Fairy Dust, and Forensics

2014-04-01 Thread Gary McGraw
hi sc-l, Ever get discouraged that we have not been making enough progress in software security? Well, we have been making plenty of progress and our field is growing fast! This peppy little article (co-authored with Sammy Migues) explains why firewalls, fairy dust, and forensics are not wor

Re: [SC-L] [External] Firewalls, Fairy Dust, and Forensics

2014-04-04 Thread Gary McGraw
bah.com > >"I love humans. Always seeing patterns in things that aren't there." >- The Doctor > >____ >From: SC-L [sc-l-boun...@securecoding.org] on behalf of Gary McGraw >[g...@cigital.com] >Sent: 31 March 2014 18:40 >To: S

[SC-L] Silver Bullet 96: Nate Fick, CEO of Endgame (and combat veteran)

2014-04-04 Thread Gary McGraw
hi sc-l, Nate Fick is an interesting man. He has a classics degree from Dartmouth, where he is now a Trustee. He served combat tours in Afghanistan and Iraq, resulting in the book “One Bullet Away” and the HBO series “Generation Kill.” He served as the CEO of an important new think tank, th

[SC-L] Silver Bullet 97 + SearchSecurity Heartbleed

2014-05-06 Thread Gary McGraw
hi sc-l, Heartbleed? Who cares? We do. Real lessons here >> http://bit.ly/1lBKDsE Silver Bullet 97. Programming languages actually matter. >> http://www.cigital.com/silver-bullet/show-097/ Read. Listen. Share. React. We want your feedback. gem ___

[SC-L] Silver Bullet 98: Bart Miller

2014-06-05 Thread Gary McGraw
hi sc-l, Bart Miller, computer science professor from Wisconsin, coined the term fuzz testing in 1990. He also is the PI for the DHS SWAMP---a software assurance marketplace of sorts. Bart knows a ton about software analysis. In episode 98 of Silver Bullet, we geek out about software security

[SC-L] SearchSecurity: Medical Devices and Software Security

2014-07-03 Thread Gary McGraw
hi sc-l, Chandu Ketkar and I wrote an article about medical device security based on a talk Chandu gave at Kevin Fu’s Archimedes conference in Ann Arbor. In the article, we discuss six categories of security defects that Cigital discovers again and again when analyzing medical devices for our

[SC-L] Silver Bullet 99: Michael Hicks

2014-07-03 Thread Gary McGraw
hi sc-l, Silver Bullet Security Podcast number 99 (99 months in a row!!) was just posted. This episode features a programming languages smorgasbord with Michael Hicks, professor of CS and security at University of Maryland. We talk type safety, closure, why C is bad, what makes dynamic langua

Re: [SC-L] [External] Re: SearchSecurity: Medical Devices and Software Security

2014-07-08 Thread Gary McGraw

[SC-L] Silver Bullet Episode 100 (!!): Cigital's Principals

2014-07-23 Thread Gary McGraw
hi sc-l, Thanks for listening to the Silver Bullet Security Podcast for the eight and 1/3 years it has been produced. Each episode has been downloaded over 10,787 times on average with over 1,067,948 downloads for the podcast as a whole. That's lots of listening! To celebrate our 100 months in a

[SC-L] IEEE Center for Secure Design [searchsecurity and silver bullet]

2014-08-27 Thread Gary McGraw
hi sc-l, This evening in SF we are officially launching the IEEE Center for Secure Design with a small event including security people and press. Jim DelGrosso and I will make a short presentation about the CSD during the launch. I devoted both of my monthly pieces (Silver Bullet and SearchSec

[SC-L] Silver Bullet 102: Richard Danzig

2014-09-21 Thread Gary McGraw
hi sc-l, The 102nd monthly episode of the Silver Bullet podcast features a conversation with Richard Danzig. Richard is a very accomplished leader who served as Secretary of the Navy (among other powerful positions). He is currently a member of the Board of the Center for a New American Securi

[SC-L] Silver Bullet: Brian Krebs

2014-10-31 Thread Gary McGraw
hi sc-l, Silver Bullet episode 103 features Brian Krebs, whose website http://krebsonsecurity.com is among the leading security reporting sites on the planet. Brian was once a reporter for the Washington Post, but he went solo after being let go (too deep for the dinosaur). Krebs broke a number

[SC-L] medical device security [searchsecurity]

2014-12-01 Thread Gary McGraw
hi sc-l, Happy belated dead turkey day to everyone in the US. Happy today day to everyone else. I'm on my way this week to a healthcare and security meeting in San Francisco. Just in time for that, this month's SearchSecurity column focuses on healthcare, asking who is in charge (a

[SC-L] Silver Bullet: Rick Gordon

2014-12-05 Thread Gary McGraw
hi sc-l, Silver Bullet episode 104 features Rick Gordon, Managing Partner of Mach37, a Virginia-based cybersecurity incubator. We talk nuclear subs, finance, running startups, and just exactly what an incubator does: http://www.cigital.com/silver-bullet/show-104/ Your feedback is welcome. gem

[SC-L] Silver Bullet: Whitfield Diffie

2015-01-01 Thread Gary McGraw
hi sc-l, Merry New Year to you all!! Episode 105 of Silver Bullet is an interview with Whitfield Diffie. Whit co-invented PKI among other things. We have an in depth talk about crypto, computation, LISP, AI, quantum key distro, and more http://bit.ly/SB-diffie As always, your feedback on Si

[SC-L] Superbowl Silver Bullet Security Podcast 106: Steve Katz

2015-02-03 Thread Gary McGraw
hi sc-l, What’s better than the Superbowl? Silver Bullet of course! Hah. Have a listen to episode 106 featuring Steve Katz, widely revered as the world’s first CISO. Steve has served as CISO of citibank/citigroup, JP Morgan, Merrill Lynch, and Kaiser Permanente. (We serve on one Advisory Bo

[SC-L] The Web Platform podcast talks security

2015-02-04 Thread Gary McGraw
hi sc-l, An entire gaggle of devs and architects interviews me about software security. Have a listen. Pass it on >> http://thewebplatform.libsyn.com/28-securing-your-web-applications gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.
