[SC-L] Silver Bullet 122: David Nathans

2016-06-07 Thread Gary McGraw
Hi sc-l, The latest episode of Silver Bullet features a conversation with David Nathans from Siemens Healthcare. David got his start in security ops, and even wrote a book about that. But he completely understands why product security is essential in the modern world and has been moving

[SC-L] Silver Bullet celebrates a decade of shows: Gary McGraw

2016-04-01 Thread Gary McGraw
hi sc-l, Hard to believe, but Silver Bullet has been running for ten years---120 months of shows in a row without missing a month. To celebrate this accomplishment, we shot a video for episode 120 out by the Shenandoah river at my house. And we turned the tables on the interview. Marcus

[SC-L] Silver Bullet 119: Jacob West on the IEEE CSD Wearables report (design review)

2016-02-29 Thread Gary McGraw
hi sc-l, It’s leap day and RSA week! We just posted Silver Bullet episode 119 featuring BSIMM co-author and IEEE CSD co-founder Jacob West talking about the latest IEEE CSD report. Architecture analysis lags behind other touchpoints when it comes to software security practices. The CSD

[SC-L] Silver Bullet: Jack Daniel

2016-02-01 Thread Gary McGraw
hi sc-l, For the first Silver Bullet of 2016 I have a chat with Jack Daniel, co-founder of the Bsides Conferences. We talk about security communities, the evolution of the field, car repair, complex systems, the waning security Rennaissance, and other matters. We conclude with a quick

[SC-L] Silver Bullet 117: Jamie Butler

2015-12-26 Thread Gary McGraw
hi sc-l, The current episode of the Silver Bullet Security Podcast features Jamie Butler, CTO of Endgame. Jamie and I talk rootkits (he wrote the book with Greg Hoglund), attack patters, defense and offense. Jamie has a long career in security (17 years) spanning early days at Fort Meade,

[SC-L] Silver Bullet 116: Doug Maughan

2015-12-01 Thread Gary McGraw
hi sc-l, Doug Maughan is one of the very good people who somehow works in the federal government at DHS (I know). He has been funding reasonable science in computer security since his early DARPA days and even once funded some of our work at cigital. We talk about science, research, tech

[SC-L] Silver Bullet 115: mudge

2015-10-29 Thread Gary McGraw
hi sc-l, Cigital just posted Silver Bullet 115 which features an interview with mudge (a.k.a., Peiter Zatko). https://www.cigital.com/podcasts/show-115-peiter-mudge-zatko/ We talk l0pht, cult of the dead cow, early security days, testifying before Congress, why the government is so confused

[SC-L] BSIMM6

2015-10-19 Thread Gary McGraw
hi sc-l, Today Cigital published Release 6 of the Building Security In Maturity Model (BSIMM). The BSIMM now represents eight years of bringing science to the software security. We have directly measured over 104 companies across multiple industries (BSIMM6 covers 78 of them). BSIMM6 also

[SC-L] SearchSecurity: Seven Myths of Software Security

2015-10-06 Thread Gary McGraw
hi sc-l, You’ve heard these before I’m sure. Working on expanding or improving your software security initiative? Here are seven of the most common objections we see all the time (and what to say in response). Please read this article: http://bit.ly/swsec-myths Hopefully you will all find

[SC-L] Silver Bullet 114: Peter "Pete" Clay

2015-09-30 Thread Gary McGraw
hi sc-l, Episode 114 of Silver Bullet was just posted. This episode features Peter “Pete” Clay who has served as a CISO in several firms (Deliotte, Invotas, Qlik) and has provided security direction both in the Federal government and the private sector. Have a listen: http://bit.ly/SB-pete

[SC-L] The FTC and Software Security

2015-09-17 Thread Gary McGraw
hi sc-l, I just posted some thoughts on the FTC and software security. Have a look: http://bit.ly/gem-FTC gem ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l

[SC-L] Podcast: Threatpost covers software security

2015-09-12 Thread Gary McGraw
hi sc-l, Yesterday I recorded an episode of Threatpost with Dennis Fisher. We talk about many current topics, including how to scale software security. Have a listen and pass it on: https://threatpost.com/gary-mcgraw-on-scalable-software-security-and-medical-device-security/114640/ Topics

Re: [SC-L] Silver Bullet 113: Chandu Ketkar

2015-09-08 Thread Gary McGraw
The URL was apparently scrambled below. For the SB episode try: http://bit.ly/SB-chandu gem On 8/31/15, 12:51 PM, "SC-L on behalf of Gary McGraw" <sc-l-boun...@securecoding.org on behalf of g...@cigital.com> wrote: >hi sc-l, > >The new episode of Silver Bulle

Re: [SC-L] [External] Re: SearchSecurity: Dynamism

2015-09-08 Thread Gary McGraw
As far as I know, Microsoft integrated some reference monitoring into their OS family under Fred Schneider’s guidance. They called it “inline reference monitoring” and I believe they still use it. gem On 9/8/15, 8:49 AM, "SC-L on behalf of Goertzel, Karen [USA]"

[SC-L] Silver Bullet 113: Chandu Ketkar

2015-09-06 Thread Gary McGraw
hi sc-l, The new episode of Silver Bullet features a conversation with Chandu Ketkar. Chandu has 20+ years of experience in software, starting as a developer and working his way to a secure design proponent. Have a listen:

[SC-L] SearchSecurity: Dynamism

2015-08-20 Thread Gary McGraw
hi sc-l, What is the relationship between dynamic languages and dynamic methodologies? What is the impact on software security? This article provides a gentle introduction: http://bit.ly/gem-dynamic Feedback welcome. Pass it on. gem company www.cigital.com podcast

[SC-L] Silver Bullet 112: Matthew Green and Steve Bellovin on Crypto Back Doors

2015-07-23 Thread Gary McGraw
hi sc-l, For the latest episode of Silver Bullet, we spoke to two of the fifteen co-authors of the Keys Under Doormats paper describing the technical peril of implementing crypto back doors as FBI Director Comey has suggested. Steve Bellovin comes at the problem with years of experience and

[SC-L] Silver Bullet 111: Marcus Ranum

2015-07-07 Thread Gary McGraw
hi sc-l, Silver Bullet episode 111 is a sneaky one based around a “dirty brilliant trick. The episode features Marcus Ranum, inventor of the proxy firewall and all around security guru. We talk about perimeter security, software security, security progress (or lack of such) and whether

[SC-L] Silver Bullet 110: Paul Dorey

2015-06-04 Thread Gary McGraw
hi sc-l, Silver Bullet episode 110 features Paul Dorey. Paul was one of the original CSOs of Europe, ultimately serving as the CSO of BP. He and I are on an Advisory Board together, and most recently, Paul and I did a “fernside chat” at the BSIMM Europe Conference. We talk about the CSO

[SC-L] RSA Antidote: Bart Preneel on Silver Bullet 109

2015-04-27 Thread Gary McGraw
hi sc-l, Lots of us have RSA Conference goo leaking out of our ears by now. Yerg. Here’s a quick antidote from a serious cryptographer. Bart Preneel is a professor at KL Leuven University (founded in 1425). He is an exceptional cryptographer and a huge supporter of software security in

[SC-L] [searchsecurity] How to structure an SSG

2015-03-31 Thread Gary McGraw
hi sc-l, During the last BSIMM Conference in Monterey, CA, Caroline Wong ran a workshop/session during which all 23 firms present shared their BSIMM structures with eachother. The event was organized as a poster session. It was a great event. Caroline and I took the data, crunched it,

[SC-L] Silver Bullet 108: Katie Moussouris

2015-03-31 Thread Gary McGraw
hi sc-l, Just in time for my Spring Break college tour with Eli, here is Silver Bullet episode 108, an interview with HackerOne’s Katie Moussouris. Katie and I talk about bug bounties, early coding (sadly she was a C64 person instead of an Apple ][+ person), SDL, BlueHat, mentors, and more.

[SC-L] [article] When risk management goes bad

2015-02-24 Thread Gary McGraw
hi sc-l, I wrote my latest SearchSecurity article based on conversations I have been having with a number of CSOs and security execs. It’s about what happens when risk management goes bad. The biggest failure condition seems to be “ignoring the lows” entirely. Anyway, have a read and pass

Re: [SC-L] [article] When risk management goes bad

2015-02-24 Thread Gary McGraw
christian.heinr...@cmlh.id.au wrote: Gary, On Sat, Feb 21, 2015 at 6:13 AM, Gary McGraw g...@cigital.com wrote: I wrote my latest SearchSecurity article based on conversations I have been having with a number of CSOs and security execs. It’s about what happens when risk management goes bad

[SC-L] The Web Platform podcast talks security

2015-02-04 Thread Gary McGraw
hi sc-l, An entire gaggle of devs and architects interviews me about software security. have a listen. Pass it on http://thewebplatform.libsyn.com/28-securing-your-web-applications gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book

[SC-L] Superbowl Silver Bullet Security Podcast 106: Steve Katz

2015-02-03 Thread Gary McGraw
hi sc-l, What’s better than the Superbowl? Silver Bullet of course! Hah. Have a listen to episode 106 featuring Steve Katz, widely revered as the world’s first CISO. Steve has served as CISO of citibank/citigroup, JP Morgan, Merril Lynch, and Kaiser Permanente. (We serve on one Advisory

[SC-L] Silver Bullet: Whitfield Diffie

2015-01-01 Thread Gary McGraw
hi sc-l, Merry New Year to you all!! Episode 105 of Silver Bullet is an interview with Whitfield Diffie. Whit co-invented PKI among other things. We have an in depth talk about crypto, computation, LISP, AI, quantum key distro, and more http://bit.ly/SB-diffie As always, your feedback on

[SC-L] Silver Bullet: Brian Krebs

2014-10-31 Thread Gary McGraw
hi sc-l, Silver Bullet episode 103 features Brian Krebs, whose website http://krebsonsecurity.com is among the leading security reporting sites on the planet. Brian was once a reporter for the Washington Post, but he went solo after being let go (too deep for the dinosaur). Krebs broke a number

[SC-L] Silver Bullet 102: Richard Danzig

2014-09-21 Thread Gary McGraw
hi sc-l, The 102nd monthly episode of the Silver Bullet podcast features a conversation with Richard Danzig. Richard is a very accomplished leader who served as Secretary of the Navy (among other powerful positions). He is currenty a member of the Board of the Center for a New American

[SC-L] IEEE Center for Secure Design [searchsecurity and silver bullet]

2014-08-27 Thread Gary McGraw
hi sc-l, This evening in SF we are officially launching the IEEE Center for Seure Design with a small event including security people and press. Jim DelGrosso and I will make a short presentation about the CSD during the launch. I devoted both of my monthly pieces (Silver Bullet and

[SC-L] SearchSecurity: Medical Devices and Software Security

2014-07-03 Thread Gary McGraw
hi sc-l, Chandu Ketkar and I wrote an article about medical device security based on a talk Chandu gave at Kevin Fu’s Archimedes conference in Ann Arbor. In the article, we discuss six categories of security defects that Cigital discovers again and again when analyzing medical devices for our

[SC-L] Silver Bullet 99: Michael Hicks

2014-07-03 Thread Gary McGraw
hi sc-l, Silver Bullet Security Podcast number 99 (99 months in a row!!) was just posted. This episode features a programming languages smorgasbord with Michael Hicks, professor of CS and security at University of Maryland. We talk type safety, closure, why C is bad, what makes dynamic

[SC-L] Silver Bullet 98: Bart MIller

2014-06-05 Thread Gary McGraw
hi sc-l, Bart Miller, computer science professor from Wisconsin, coined the term fuzz testing in 1990. He also is the PI for the DHS SWAMP---a software assurance marketplace of sorts. Bart knows a ton abiut software analysis. In episode 98 of Silver Bullet, we geek out about software

[SC-L] Silver Bullet 97 + SearchSecurity Heartbleed

2014-05-06 Thread Gary McGraw
hi sc-l, Heartbleed? Who cares? We do. Real lessons here http://bit.ly/1lBKDsE Silver Bullet 97. Programming languages actually matter. http://www.cigital.com/silver-bullet/show-097/ Read. Listen. Share. React. We want your feedback. gem

Re: [SC-L] [External] Firewalls, Fairy Dust, and Forensics

2014-04-04 Thread Gary McGraw
there. - The Doctor From: SC-L [sc-l-boun...@securecoding.org] on behalf of Gary McGraw [g...@cigital.com] Sent: 31 March 2014 18:40 To: Secure Code Mailing List Subject: [External] [SC-L] Firewalls, Fairy Dust, and Forensics hi sc-l, Ever get discouraged

[SC-L] Silver Bullet 96: Nate Fick, CEO of Endgame (and combat veteran)

2014-04-04 Thread Gary McGraw
hi sc-l, Nate Fick is an interesting man. He has a classics degree from Dartmouth, where he is now a Trustee. He served combat tours in Afghanistan and Iraq, resulting in the book “One Bullet Away” and the HBO series “Generation Kill.” He served as the CEO of an important new think thank,

[SC-L] Firewalls, Fairy Dust, and Forensics

2014-04-01 Thread Gary McGraw
hi sc-l, Ever get discouraged that we have not been making enough progress in software security? Well, we have been making plenty of progress and our field is growing fast! This peppy little article (co-authored with Sammy Migues) explains why firewalls, fairy dust, and forensics are not

[SC-L] IEEE Computer article

2014-03-26 Thread Gary McGraw
hi sc-l, I was asked to write an article for IEEE Computer’s security column this month. It’s about software security. Security Fatigue? Shift Your Paradigmhttp://www.cigital.com/presentations/mco2014030081.pdf, (IEEE Computer Society, March 2014) As always, your feedback is welcome. You

[SC-L] Paul dot com podcast on #swsec at 6pm EST

2014-03-20 Thread Gary McGraw
hi sc-l, Tonight at 6pm EST I will be participating in a paul dot com webcast and talking all things software security. Please tune in if you can, and spread the word! http://securityweekly.com/watch gem company www.cigital.com podcast www.cigital.com/silverbullet blog

[SC-L] Silver Bullet 95: Charlie Miller

2014-02-28 Thread Gary McGraw
hi sc-l, Greetings from RSA, where the show gets underway today. I hope to see some sc-l readers out here. (Come see us duing the show https://www.cigital.com/blog/2014/01/rsa-2014/.) Episode 95 of silver bullet features a conversation with Charie Miller, who now works at Twitter as a

[SC-L] Silver Bullet 94: Ming Chow (Tufts)

2014-02-03 Thread Gary McGraw
hi sc-l, Episode 94 (in a row) of Silver Bullet features a conversation with Ming Chow, a developer who got interested in security and accidentally became a software security guy teaching at Tufts. We talk about that. We talk about exploiting online games (and using that as a teaching

[SC-L] SearchSecurity: Scaling Automated Code Review

2014-01-29 Thread Gary McGraw
hi sc-l, The latest monthy SearchSecurity article was co-authored with Jim Routh, CSO of Aetna. What Jim is doing for his fifth (!!) software security initiative is very interesting. So interesting that we decided to write about it. In particular pay attention to Jim's use of a light weight

[SC-L] SearchSecurity: Scaling Architectural Risk Analysis

2013-12-26 Thread Gary McGraw
hi sc-l, Following on the heels of our SearchSecurity article on Architectural Risk Analysis (probably the most difficult touchpoint in software security), Jim DelGrosso and I write about how to scale ARA. http://bit.ly/19Jmk7f (or

[SC-L] Silver Bullet 93: Yoshi Kohno

2013-12-26 Thread Gary McGraw
hi sc-l, When it rains, it pours. Just in time for xmas eve, here is Silver Bullet episode 93. The podcast features a discussion with Yoshi Kohno (a cigital alum) who is now a computer science professor at University of Washington. You've probably heard of Yoshi's car hacking stuff (or

[SC-L] BSIMM-V Article in Application Development Times

2013-12-17 Thread Gary McGraw
hi sc-l, From time to time we talk about getting to the dev community here. This article is at least in the right publication! Read it and pass it on: http://adtmag.com/blogs/watersworks/2013/12/bsimm-v-released.aspx Salubrious solstice! One week and one day to go. gem

[SC-L] Silver Bullet 92: Jon Callas

2013-11-27 Thread Gary McGraw
hi sc-l, Just in time for turkey-induced coma listening time, Silver Bullet episode 92 features Jon Callas. Jon is an old school geek (on the net since 1979) who has occupied a front row seat during all of the crypto wars. His company Silent Circle is actively trying to build a real secure

[SC-L] Silver Bullet 91: Caroline Wong

2013-10-30 Thread Gary McGraw
hi sc-l, Episode 91 of Silver Bullet features a conversation with Cigital's Caroline Wong. We talk a lot about BSIMM (behind the scenes) as part of the BSIMM-V launch. BSIMM-V will be officially released at 9am EST 10.30.13! As an experienced practitioner (Symantec, eBay, Zynga), Caroline

[SC-L] BSIMM-V is alive

2013-10-30 Thread Gary McGraw
hi sc-l, I am proud to announce that the BSIMM-V document is complete and the website has been entirey revised/updated. Please download a copy of BSIMM-V today: http://bsimm.com BSIMM-V describes the software security initiatives at sixty-seven firms, including: Adobe, Aetna, Bank of

[SC-L] Silver Bullet 90: Matthew Green

2013-10-05 Thread Gary McGraw
hi sc-l, On one of the best Silver Bullet security podcasts in many a moon, I interview Matthew Green, research professor at Johns Hopkins university. Remember that university professor whose NSA-related posting was given a takedown notice? That was Matthew. Find out what he thought of all

[SC-L] Atlanta event OCT 1st

2013-09-25 Thread Gary McGraw
hi sc-l, As part of gearing up our Atlanta office, Cigital is co-sponsoring an event with TAG (technology association of georgia) on Tuesday October 1st. The event will feature a fireside chat with Marcus Ranum and me about software and software security. Why is software still so bad, and

[SC-L] HP Protect keynote

2013-09-19 Thread Gary McGraw
hi sc-l, HP just put up a video of the keynote I delivered yesterday at HP Protect. Here it is! http://www.cigital.com/justice-league-blog/2013/09/17/zombies-just-what-dr-mcgraw-ordered/ gem p.s. Who knows Dinis in a can?? ___ Secure Coding

Re: [SC-L] SearchSecurity: Architecture Risk Analysis

2013-09-19 Thread Gary McGraw
hi marinus, Sorry for the (spam filter related) delay! Two of the steps that we define in the ARA article address your idea directly. Step1: known-attack analysis certainly leverages knowledge about components, packages, and design patterns (associated with known attacks) and stuff you

[SC-L] SearchSecurity: Architecture Risk Analysis

2013-09-15 Thread Gary McGraw
hi sc-l, Software security in general spends a lot of time talking about bugs---too much time, I believe. We all know that software defects come in two major subclasses: bugs (in the implementation) and flaws (in the design). So, how do you find and FIX flaws? That's what this month's

[SC-L] HP Protect Keynote (next week 9.17.13)

2013-09-15 Thread Gary McGraw
hi sc-l, This year's keynote talk at HP Protect will be all about software security. How do I know? Well, I'm giving the talk. You can register here if you want to attend HP Protect in Washington, DC. http://h30627.www3.hp.com/ The Discover Performance magazine featured an article about

Re: [SC-L] HP Protect Keynote (next week 9.17.13)

2013-09-15 Thread Gary McGraw
Injection Blues' :) Dinis On 15 Sep 2013 09:39, Gary McGraw g...@cigital.commailto:g...@cigital.com wrote: hi sc-l, This year's keynote talk at HP Protect will be all about software security. How do I know? Well, I'm giving the talk. You can register here if you want to attend HP Protect

[SC-L] Silver Bullet 89: Mike Reiter

2013-09-04 Thread Gary McGraw
hi sc-l, Silver Bullet episode 89 was posted yesterday. It features a conversation with Professor Mike Reiter from UNC. Mike's work is well known in distributed systems and networking. He has done a bit of work in software security. Have a listen:

[SC-L] SearchSecurity: 5 Tech Trends and Software Security

2013-08-11 Thread Gary McGraw
hi sc-l, SearchSecurity just posted my August article about the intersection of software security and 5 major tech trends. It is enhanced with BSIMM data to spice it up. Have a read http://bit.ly/137efaX (and pass it on!). Here is a (big ass) URL for Kevin:

[SC-L] Silver Bullet 88: Christian Collberg

2013-08-01 Thread Gary McGraw
hi sc-l, Christian Collberg has been among the best academicians in software protection for over a decade. His book Surreptitious Software which is really about obfuscation, watermarking and digital content protection is part of my Software Security Series http://buildingsecurityin.com.

[SC-L] Silver Bullet 87: James Walden

2013-07-01 Thread Gary McGraw
hi sc-l, Last month, Cigital consultant Joe Harless suggested that I interview his NKU professor James Walden. It was a good idea. Thanks Joe. I have known James for years. He uses Software Security in some of his classes and he thinks about software security all day. Trained as a

[SC-L] TechTarget: Proactive Security in Financial Services

2013-06-10 Thread Gary McGraw
hi sc-l, The Financial Services sector is an important advocate for real software security. At FS-ISAC this Spring in Florida, I moderated a panel about that (including JP Morgan Chase, Capital One and Fidelity). The panel resulted in a writeup posted today (and published in Information

[SC-L] Silver Bullet 86: Wenyuan Xu

2013-05-31 Thread Gary McGraw
hi sc-l, Ever wonder what it is like to be a Chinese scholar living and teaching in the US or a woman teaching computer science and engineering? We talk about that in the 86th episode of the Silver Bullet Security Podcast featuring University of South Carolina professor Wenyuan Xu:

[SC-L] Silver Bullet 85:Mobile Security with Jim Routh and Scott Matsumoto

2013-05-03 Thread Gary McGraw
hi sc-l, Is mobile security a brand new day or the same old same old? The answer depends on how you look at the problem. If you are a practitioner in the trenches, there are many new and interesting shiny bits to mobile security. If you are a security veteran, things look very familiar. In

[SC-L] BSIMM talk at RSA

2013-02-28 Thread Gary McGraw
hi sc-l, Please come hear my talk Bug Parades, Zombies and the BSIMM: A Decade of Software Security today at the RSA Conference. The talk is at 10:40am in room 132. I'll be making some of the BSIMM Update data from the RSA BSIMM Mixer public. 63 firms and counting. gem

[SC-L] Software Security on MSNBC Sunday morning TV (9:20am)

2013-02-24 Thread Gary McGraw
hi sc-l, I am slated to be a guest on MSNBC's Up With Chris Hayes tomorrow morning (Sunday 2.24) 9:20-10:00am. They wanted to fly me to NY for the show, but the plan now is to do this from the DC studios. We'll be talking about Cyber War. About the show:

Re: [SC-L] Software Security on MSNBC Sunday morning TV (9:20am)

2013-02-24 Thread Gary McGraw
hi sc-l, It's still early on Sunday, but here is a pointer to the episode: http://nbcnews.to/YqeokE gem From: gem g...@cigital.commailto:g...@cigital.com Date: Saturday, February 23, 2013 4:21 PM To: Secure Code Mailing List SC-L@securecoding.orgmailto:SC-L@securecoding.org Subject: Software

[SC-L] See you next week at RSA 2013

2013-02-22 Thread Gary McGraw
hi sc-l, I know many sc-l readers will be headed out to San Francisco next week for the usual week of chaos surrounding RSA. Should be a blast as always. This year I am involved in two public appearances at the RSA conference, both of which will discuss software security explicitly. The

[SC-L] Chinese Hacking, Mandiant and Cyber War

2013-02-20 Thread Gary McGraw
enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.) Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does

[SC-L] Active Defense is Irresponsible

2013-02-13 Thread Gary McGraw
prudent alternative to cyberwarfarehttp://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare (November 1, 2012) In fact, I have been a vocal opponent to the Cyber War drum beating that seems to pervade Washington. Here's what I had

Re: [SC-L] SearchSecurity: 13 Design Principles for 2013

2013-01-17 Thread Gary McGraw
mobile Original message From: Gary McGraw g...@cigital.commailto:g...@cigital.com Date: To: Secure Code Mailing List SC-L@securecoding.orgmailto:SC-L@securecoding.org Cc: Parizo, Eric epar...@techtarget.commailto:epar...@techtarget.com Subject: [SC-L] SearchSecurity: 13 Design

[SC-L] SearchSecurity: Twelve Most Common BSIMM Activities

2012-12-09 Thread Gary McGraw
hi sc-l, Greetings from NOLA where I am sailing this weekend. Ever wonder what the twelve most common software security activities are? Because of the BSIMM data, we actually know. Have a look for yourself:

Re: [SC-L] BSIMM4 Released Today

2012-09-27 Thread Gary McGraw
to pervade security coverage. gem p.s. This Dennis Fisher podcast is worth a listen too: https://threatpost.com/en_us/blogs/gary-mcgraw-bsimm4-and-how-avoid-being-slowest-zebra-092612 company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com From

[SC-L] BSIMM4 Released Today

2012-09-18 Thread Gary McGraw
hi sc-l, Today we released BSIMM4, the fourth edition of the BSIMM model built directly from data observed in 51 firms. If you ever wonder what software assurance looks like in commercial practice (and how to measure it), the BSIMM sheds plenty of light on current practice. Download a copy

[SC-L] Silver Bullet 77: Gary Warzala of Visa

2012-08-28 Thread Gary McGraw
hi sc-l, Greetings from Buenos Aires where I am pushing the software security agenda in South America this week in a series of four talks. Silver Bullet's 77th episode features Gary Warzala, CISO of Visa. Our discussion mirrors some of what we talked about during our fireside chat in

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-08 Thread Gary McGraw
, but at least a talking point. - Greg Gary McGraw wrote, On 08/02/2012 08:40 AM: Hi Jeff, I'm afraid I disagree. The hyperbolic way to state this is, imagine YOUR lawyer faced down by Microsoft's army of lawyers. You lose. Software liability is not the way to go in my opinion. Instead, I would

[SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
hi sc-l, This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act currently being considered in the Senate (as an answer to the

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote: hi sc-l, This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act

[SC-L] Silver Bullet 76: David Evans

2012-07-30 Thread Gary McGraw
hi sc-l, The 76th episode of Silver Bullet features a chat with Dave Evans, a professor at UVa and a well-respected security researcher. David and I discuss (among other things) the founding of the Interdisciplinary Major in Computer Science (BA) at Uva and why a broad approach to Computer

Re: [SC-L] Silver Bullet 76: David Evans

2012-07-30 Thread Gary McGraw
Oops! forgot to include the URL. Here it is: http://www.cigital.com/silver-bullet/show-076/ gem From: gem g...@cigital.commailto:g...@cigital.com Date: Friday, July 27, 2012 2:27 PM To: Secure Code Mailing List SC-L@securecoding.orgmailto:SC-L@securecoding.org Cc: David Evans

Re: [SC-L] SearchSecurity: Mobile Security = Software Security

2012-07-15 Thread Gary McGraw
/magazineContent/Gary-McGraw-on-mobil e-security-Its-all-about-mobile-software-security Your feedback is always welcome. gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiaceleague book www.swsec.com ___ Secure Coding

[SC-L] SearchSecurity: Mobile Security = Software Security

2012-07-09 Thread Gary McGraw
to draw from for a pithy article on mobile security. Take home message? Build security in! Every software security Touchpoint is relevant and useful when it comes to mobile security. Have a read, and pass it on. Pile on the hits: http://searchsecurity.techtarget.com/magazineContent/Gary-McGraw

[SC-L] Flame provides an opportunity

2012-05-31 Thread Gary McGraw
badware addresses malware problem http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem (May 2012). Some of the Flame dustup in the press this week riffed on that idea and even mentioned the BSIMM (in the WSJ CIO Journal): http://blogs.wsj.com/cio

[SC-L] Silver Bullet 74: Bruce Schneier

2012-05-31 Thread Gary McGraw
hi sc-l, There are exactly two security gurus we have covered twice in Silver Bullet: Ross Anderson (who holds the all time record for hits) and Bruce Schneier. Both are very interesting thinkers and thought leaders in computer security. Episode 74 is the second Silver Bullet conversation

Re: [SC-L] SearchSecurity: Badware versus malware

2012-05-12 Thread Gary McGraw
The article does not suggest otherwise. gem On 5/11/12 1:51 PM, Ben Laurie b...@google.com wrote: On 8 May 2012 07:18, Gary McGraw g...@cigital.com wrote: hi sc-l, What¹s worse, bad software or malicious software? In fact, what¹s the difference? My second column for SearchSecurity is all

[SC-L] SearchSecurity: Badware versus malware

2012-05-08 Thread Gary McGraw
hi sc-l, What’s worse, bad software or malicious software? In fact, what’s the difference? My second column for SearchSecurity is all about that. Read it today. And pass it on. http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem Bottom

[SC-L] Silver Bullet 73: Robert Vamosi

2012-05-04 Thread Gary McGraw
hi sc-l, This morning we released episode 73 of Silver Bullet. The new show is an interview with Robert Vamosi. Robert is a well-known security reporter, having worked for a bunch of esteemed publications including Forbes, c!net, and threatpost. Robert also wrote a book called When Gadgets

[SC-L] SearchSecurity: Build it in, build it right

2012-04-10 Thread Gary McGraw
://searchsecurity.techtarget.com/contributor/Gary-McGraw The very first article itself just went up today. It is titled Gary McGraw on software security assurance: Build it in, build it right (can you tell the Techtarget people made up the title?): http://searchsecurity.techtarget.com/opinion/Gary-McGraw

Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

2012-03-07 Thread Gary McGraw
Karen is right. That is a legacy of Watts Humphrey. gem From: Goertzel, Karen [USA] goertzel_ka...@bah.commailto:goertzel_ka...@bah.com Date: Wed, 7 Mar 2012 09:53:18 -0500 To: Martin Gilje Jaatun secse-ch...@sislab.nomailto:secse-ch...@sislab.no, Secure Code Mailing List

[SC-L] c!net article on the RSA hamster wheel

2012-03-03 Thread Gary McGraw
hi sc-l, There is still plenty of reactive security to be seen at RSA, but the amount of airplay that software security is getting is going up, and the presentations on building security in are getting better. Elinor Mills just posted a nice summary article on c!net:

[SC-L] IEEE SP highlight

2012-02-21 Thread Gary McGraw
hi sc-l, Happy tenth birthday to IEEE Security Privacy magazine. IEEE Security Privacy plays an important role in the field at the critical intersection point between peer reviewed science and applied technology. If you don't subscribe yet, you should. See

[SC-L] Silver Bullet 70: Ross Anderson Reprise

2012-02-03 Thread Gary McGraw
hi sc-l, Ross Anderson's first Silver Bullet episode (episode 13) has consistently led the download totals since its release way back when. Over 25,000 people have listened to the episode and it remains very popular (either that or Ross is clicking on it an awful lot himself). In order to

[SC-L] informIT: vBSIMM revised

2012-01-26 Thread Gary McGraw
hi sc-l, Third party software is a major risk category in most modern organizations (see Third-Party Software and Securityhttp://www.informit.com/articles/article.aspx?p=1809143). We have been working on a BSIMM derivative called the vBSIMM to help manage third party software risk. Today we

[SC-L] informIT: BSIMM versus SAFECode

2011-12-31 Thread Gary McGraw
Lets try that again, this time with the proper email address… From: gem g...@cigital.commailto:g...@cigital.com Date: Tue, 27 Dec 2011 16:32:56 -0500 To: sc-l-boun...@securecoding.orgmailto:sc-l-boun...@securecoding.org sc-l-boun...@securecoding.orgmailto:sc-l-boun...@securecoding.org hi sc-l,

[SC-L] Silver Bullet 69: Steve Myers

2011-12-31 Thread Gary McGraw
happy new year sc-l, The 69th episode of Silver Bullet is an interview with professor Steve Myers from Indiana University. Steve is a cryptographer who works on Phishing, but he also teaches the security engineering course at IU. Among other topics, we discuss the challenge of keeping

[SC-L] informIT: third-party software and security

2011-11-30 Thread Gary McGraw
hi sc-l, We recently convened a BSIMM Community Conference near Portland, Oregon. (For a list of the 42 companies participating in the BSIMM project, see http://bsimm.com/community/.) The BSIMM project describes and measures the work of 786 SSG members, who together with a satellite of 1750

[SC-L] Silver Bullet 68

2011-11-30 Thread Gary McGraw
hi sc-l, I am pleased to announce that episode 68 of the Silver Bullet Security Podcast is an interview of Cigital's own John Steven. jOHN (or jS) as he is know around here is a well-respected technologist and software security practitioner. He served a stint editing the Building Security In

[SC-L] informIT: Software Security Training

2011-10-31 Thread Gary McGraw
hi sc-l, Happy Halloween everybody. Sammy Migues and I just published an article on Software Security Training in informIT based on a decade of experience delivering software security training: http://www.informit.com/articles/article.aspx?p=1767770 The article includes some analysis of both

[SC-L] silver bullet: bill pugh

2011-10-31 Thread Gary McGraw
hi sc-l, The 67th Silver Bullet podcast features Bill Pugh. Bill is an alpha geek who is currently a professor at University of Maryland. You may know his FindBugs project if you're a Java person. You may not know that Bill is also a fire eater who once lit my solstice bonfire in an

Re: [SC-L] BSIMM3 lives

2011-10-18 Thread Gary McGraw
hi steve and sc-l, Sorry for the delay in responding. I am just catching up after spending last week in Bloomington, Indiana. Some quick answers: 1) Was any analysis done to ensure that the 3 levels are consistent from a maturity perspective - for example, if an organization performed an

Re: [SC-L] BSIMM3 lives

2011-10-18 Thread Gary McGraw
software security right but big companies can. -Chris -Original Message- From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Steven M. Christey Sent: Saturday, October 15, 2011 5:45 PM To: Gary McGraw Cc: Secure Code Mailing List Subject: Re: [SC-L

[SC-L] BSIMM3 lives

2011-09-27 Thread Gary McGraw
hi sc-l, BSIMM3 was just posted. You can download it from http://bsimm.com Since the first BSIMM interview in October 2008, we’ve progressed from 9 to 30 to 42 firms (and more, at this point). We’ve also measured 11 firms twice—with about 19 months between measurements on average—providing

  1   2   3   4   >