[SC-L] Silver Bullet 122: David Nathans

2016-06-07 Thread Gary McGraw
Hi sc-l,

The latest episode of Silver Bullet features a conversation with David Nathans 
from Siemens Healthcare.  David got his start in security ops, and even wrote a 
book about that.  But he completely understands why product security is 
essential in the modern world and has been moving things in the right direction 
when it comes to medical devices.  

Have a listen: http://bit.ly/SB-nathans  

As always, your feedback is welcome.

gem

http://garymcgraw.com 



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Silver Bullet celebrates a decade of shows: Gary McGraw

2016-04-01 Thread Gary McGraw
hi sc-l,

Hard to believe, but Silver Bullet has been running for ten years---120 months 
of shows in a row without missing a month.  To celebrate this accomplishment, 
we shot a video for episode 120 out by the Shenandoah river at my house.  And 
we turned the tables on the interview.  Marcus Ranum, inventor of the firewall, 
interviews me.  

We discuss: software security, internet of (crappy) things, the surveillance 
state, advisory board work, toothbrush DDoS, Perl, and evolutionary biology.  
Have a look.  I hope you enjoy it.  

http://bit.ly/SB-gem 

Silver Bullet continues to be a blast to do.  When we last ran the stats, last 
October, Silver Bullet had over 1.4 million listens, with an episode averaging 
almost 14K listeners.

gem

https://www.garymcgraw.com/






[SC-L] Silver Bullet 119: Jacob West on the IEEE CSD Wearables report (design review)

2016-02-29 Thread Gary McGraw
hi sc-l,

It’s leap day and RSA week!

We just posted Silver Bullet episode 119 featuring BSIMM co-author and IEEE CSD 
co-founder Jacob West talking about the latest IEEE CSD report.  Architecture 
analysis lags behind other touchpoints when it comes to software security 
practices.  The CSD wearables report is intended to help get developers and 
architects more familiar with just what design analysis means:

http://bit.ly/SB-CSDwearable 

Your feedback on the podcast is welcome.

gem

I have a new website https://www.garymcgraw.com/ (TECH | LIFE | MUSIC)





[SC-L] Silver Bullet: Jack Daniel

2016-02-01 Thread Gary McGraw
hi sc-l,

For the first Silver Bullet of 2016 I have a chat with Jack Daniel, co-founder 
of the Bsides Conferences.  We talk about security communities, the evolution 
of the field, car repair, complex systems, the waning security Renaissance, 
and other matters.  We conclude with a quick pointer to various tiki 
experiences.

http://bit.ly/SB-jackdaniel

Have a listen.  Your feedback on the podcast is always welcome.

gem

company www.cigital.com
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 117: Jamie Butler

2015-12-26 Thread Gary McGraw
hi sc-l,

The current episode of the Silver Bullet Security Podcast features Jamie 
Butler, CTO of Endgame.  Jamie and I talk rootkits (he wrote the book with Greg 
Hoglund), attack patterns, defense and offense.  Jamie has a long career in 
security (17 years) spanning early days at Fort Meade, through Mandiant, to 
Endgame.

Have a listen: http://bit.ly/SB-butler

And happy holidays from Silver Bullet!

gem

company www.cigital.com
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 116: Doug Maughan

2015-12-01 Thread Gary McGraw
hi sc-l,

Doug Maughan is one of the very good people who somehow works in the federal 
government at DHS (I know).  He has been funding reasonable science in computer 
security since his early DARPA days and even once funded some of our work at 
Cigital.  We talk about science, research, tech transfer, the research valley 
of death, and why computer security is so badly broken in the federal 
government.

Have a listen: http://bit.ly/SB-maughan

As always, your comments are welcome.  Thanks for listening.  Pass it on!

gem



[SC-L] Silver Bullet 115: mudge

2015-10-29 Thread Gary McGraw
hi sc-l,

Cigital just posted Silver Bullet 115 which features an interview with mudge 
(a.k.a., Peiter Zatko).

https://www.cigital.com/podcasts/show-115-peiter-mudge-zatko/

We talk l0pht, cult of the dead cow, early security days, testifying before 
Congress, why the government is so confused about security, DARPA, DoD, Google, 
and current doings.  Mudge is one of the original hackers from days gone by who 
took his hobby and turned it into a career. (I have known him since I was ten.)

Have a listen and pass it on.

gem

company www.cigital.com
writings www.cigital.com/gem/writings/
book www.swsec.com
twitter @cigitalgem



[SC-L] BSIMM6

2015-10-19 Thread Gary McGraw
hi sc-l,

Today Cigital published Release 6 of the Building Security In Maturity Model 
(BSIMM).  The BSIMM now represents eight years of bringing science to 
software security.  We have directly measured over 104 companies across 
multiple industries (BSIMM6 covers 78 of them).  BSIMM6 also includes the 
addition of healthcare as one of the well-represented verticals (10 firms or 
more).

Opinion is rife in computer security, and software security as well.  BSIMM6 
provides a set of facts to both counter and ground opinion in reality.  Want to 
know what the ratio of software security professionals to developers is?  The 
BSIMM knows.  BSIMM6 describes the work of 1,084 SSG members working with a 
satellite of 2,111 people to secure the software developed by 287,006 developers.

The BSIMM is a free resource published under the creative commons.  Please use 
it in your own work.  You can download BSIMM6 from the new website 
http://bsimm.com

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com
twitter @cigitalgem




[SC-L] SearchSecurity: Seven Myths of Software Security

2015-10-06 Thread Gary McGraw
hi sc-l,

You’ve heard these before I’m sure.  Working on expanding or improving your 
software security initiative?  Here are seven of the most common objections we 
see all the time (and what to say in response).

Please read this article: http://bit.ly/swsec-myths

Hopefully you will all find this useful in getting thinking back on track when 
it comes to software security.

As always, your feedback is welcome.  Let me know what you think!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 114: Peter "Pete" Clay

2015-09-30 Thread Gary McGraw
hi sc-l,

Episode 114 of Silver Bullet was just posted.  This episode features Peter 
“Pete” Clay who has served as a CISO in several firms (Deloitte, Invotas, Qlik) 
and has provided security direction both in the Federal government and the 
private sector.

Have a listen: http://bit.ly/SB-pete

As always, your feedback and your suggestions for future episodes greatly 
appreciated!

gem

company www.cigital.com
writings www.cigital.com/gem/writings/
book www.swsec.com




[SC-L] The FTC and Software Security

2015-09-17 Thread Gary McGraw
hi sc-l,

I just posted some thoughts on the FTC and software security.

Have a look: http://bit.ly/gem-FTC

gem



[SC-L] Podcast: Threatpost covers software security

2015-09-12 Thread Gary McGraw
hi sc-l,

Yesterday I recorded an episode of Threatpost with Dennis Fisher.  We talk 
about many current topics, including how to scale software security.

Have a listen and pass it on:
https://threatpost.com/gary-mcgraw-on-scalable-software-security-and-medical-device-security/114640/

Topics covered include: BSIMM6, software security growth, the FTC and security, 
security in startups, medical device security, scaling software security, music

gem



Re: [SC-L] Silver Bullet 113: Chandu Ketkar

2015-09-08 Thread Gary McGraw
The URL was apparently scrambled below.  For the SB episode try: 
http://bit.ly/SB-chandu 

gem




On 8/31/15, 12:51 PM, "SC-L on behalf of Gary McGraw" 
<sc-l-boun...@securecoding.org on behalf of g...@cigital.com> wrote:

>hi sc-l,
>
>The new episode of Silver Bullet features a conversation with Chandu Ketkar. 
>Chandu has 20+ years of experience in software, starting as a developer and 
>working his way to a secure design proponent.  Have a listen:
>http://bit.ly/SB-chandu<https://www.cigital.com/podcasts/show-113-software-security-best-practices/>
>
>We discuss threat modelling, architectural analysis, healthcare security, 
>economics, and what developers think of security (not necessarily in that 
>order).  You can also find out what Chandu’s favorite Indian music is when you 
>listen.
>
>gem
>
>company www.cigital.com
>blog www.cigital.com/justiceleague
>book www.swsec.com
>



Re: [SC-L] [External] Re: SearchSecurity: Dynamism

2015-09-08 Thread Gary McGraw
As far as I know, Microsoft integrated some reference monitoring into their OS 
family under Fred Schneider’s guidance.  They called it “inline reference 
monitoring” and I believe they still use it.

gem




On 9/8/15, 8:49 AM, "SC-L on behalf of Goertzel, Karen [USA]" wrote:

>Yes, we seem to abandon security mechanisms that (1) we can actually trust, 
>and (2) that Microsoft and Google refuse to build.
>
>===
>Karen Mercedes Goertzel, CISSP, CSSLP
>Senior Lead Scientist
>Booz Allen Hamilton
>703.698.7454
>goertzel_ka...@bah.com
>
>"The hardest thing of all is to
>find a black cat in a dark room,
>especially if there is no cat."
>- Confucius
>
>
>
>From: Peter G. Neumann [neum...@csl.sri.com]
>Sent: 06 September 2015 15:24
>To: Goertzel, Karen [USA]
>Cc: Alfonso De Gregorio; Johan Peeters; Secure Code Mailing List
>Subject: Re: [SC-L] [External] Re: SearchSecurity: Dynamism
>
>Reference monitors were a lovely concept, largely invented for multilevel
>security kernels and trusted computing bases, but are almost nonexistent
>in that context.  Yes, they'd be lovely to have, but even the NSA folks
>seem to have abandoned them...
>



[SC-L] Silver Bullet 113: Chandu Ketkar

2015-09-06 Thread Gary McGraw
hi sc-l,

The new episode of Silver Bullet features a conversation with Chandu Ketkar. 
Chandu has 20+ years of experience in software, starting as a developer and 
working his way to a secure design proponent.  Have a listen:
http://bit.ly/SB-chandu

We discuss threat modelling, architectural analysis, healthcare security, 
economics, and what developers think of security (not necessarily in that 
order).  You can also find out what Chandu’s favorite Indian music is when you 
listen.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] SearchSecurity: Dynamism

2015-08-20 Thread Gary McGraw
hi sc-l,

What is the relationship between dynamic languages and dynamic methodologies?  
What is the impact on software security?

This article provides a gentle introduction: http://bit.ly/gem-dynamic

Feedback welcome.  Pass it on.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com




[SC-L] Silver Bullet 112: Matthew Green and Steve Bellovin on Crypto Back Doors

2015-07-23 Thread Gary McGraw
hi sc-l,

For the latest episode of Silver Bullet, we spoke to two of the fifteen 
co-authors of the Keys Under Doormats paper describing the technical peril of 
implementing crypto back doors as FBI Director Comey has suggested.  Steve 
Bellovin comes at the problem with years of experience and direct involvement 
in the first crypto wars.  Matthew Green comes to the problem with a solid 
understanding of applied cryptography in real world systems.  Have a listen:

http://bit.ly/SB-crypto-wars

As always, your feedback on SilverBullet is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 111: Marcus Ranum

2015-07-07 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 111 is a sneaky one based around a “dirty brilliant 
trick.”  The episode features Marcus Ranum, inventor of the proxy firewall and 
all around security guru.  We talk about perimeter security, software security, 
security progress (or lack of such) and whether hackers are necessary for 
security.

http://bit.ly/sb111-mjr   (or for purists 
http://www.cigital.com/silver-bullet/show-111/)

So what was the trick?  At the end of the episode I revealed that during 
episode 3 (recorded exactly 9 years before episode 111), I asked Marcus exactly 
the same set of questions.  Wonder how consistent Marcus is over nine years?  
Compare and contrast http://www.cigital.com/silver-bullet/show-003/

gem



[SC-L] Silver Bullet 110: Paul Dorey

2015-06-04 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 110 features Paul Dorey.  Paul was one of the original 
CSOs of Europe, ultimately serving as the CSO of BP.  He and I are on an 
Advisory Board together, and most recently, Paul and I did a “fireside chat” at 
the BSIMM Europe Conference.  We talk about the CSO job, software security, and 
a few other things on this episode:

http://bit.ly/SB-dorey

As always, your feedback is welcome.  Please post, tweet, share, email, etc.  
Spread the #swsec meme.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] RSA Antidote: Bart Preneel on Silver Bullet 109

2015-04-27 Thread Gary McGraw
hi sc-l,

Lots of us have RSA Conference goo leaking out of our ears by now.  Yerg.  
Here’s a quick antidote from a serious cryptographer.  Bart Preneel is a 
professor at KU Leuven (founded in 1425).  He is an exceptional 
cryptographer and a huge supporter of software security in Europe.

http://bit.ly/SB-bart

As always, your feedback is welcome.  Two more days of RSA to go.  Please send 
reinforcements.

gem



[SC-L] [searchsecurity] How to structure an SSG

2015-03-31 Thread Gary McGraw
hi sc-l,

During the last BSIMM Conference in Monterey, CA, Caroline Wong ran a 
workshop/session during which all 23 firms present shared their BSIMM 
structures with each other.  The event was organized as a poster session.  It was 
a great event.  Caroline and I took the data, crunched it, organized it, and 
wrote it up in an article that was just published by SearchSecurity.

http://bit.ly/gem-SSG

If you’re wondering how to structure a new SSG, or refactor an existing SSG, 
take a look at what we discovered.

As always, your feedback is welcome.  Tweet to me about it @cigitalgem.

gem


company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 108: Katie Moussouris

2015-03-31 Thread Gary McGraw
hi sc-l,

Just in time for my Spring Break college tour with Eli, here is Silver Bullet 
episode 108, an interview with HackerOne’s Katie Moussouris.

Katie and I talk about bug bounties, early coding (sadly she was a C64 person 
instead of an Apple ][+ person), SDL, BlueHat, mentors, and more.  Have a listen:
http://bit.ly/SB-katie

And as always, please pass it on through all media (twitter, facebook, 
linkedin, email, and good old fashioned word of mouth).

Your feedback is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] [article] When risk management goes bad

2015-02-24 Thread Gary McGraw
hi sc-l,

I wrote my latest SearchSecurity article based on conversations I have been 
having with a number of CSOs and security execs.  It’s about what happens when 
risk management goes bad.  The biggest failure condition seems to be “ignoring 
the lows” entirely.

Anyway, have a read and pass it on: http://bit.ly/risk-gn-bad

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



Re: [SC-L] [article] When risk management goes bad

2015-02-24 Thread Gary McGraw
hi christian,

Good point.

A combined risk score based on “SIL” levels is what I was using in my 
article.  The combination risk score takes into account both technology 
risk and business risk.  Using one component or the other alone is folly.

gem




On 2/24/15, 4:13 AM, Christian Heinrich christian.heinr...@cmlh.id.au 
wrote:

> Gary,
> 
> On Sat, Feb 21, 2015 at 6:13 AM, Gary McGraw g...@cigital.com wrote:
>> I wrote my latest SearchSecurity article based on conversations I have 
>> been having with a number of CSOs and
>> security execs.  It’s about what happens when risk management goes bad. 
>> The biggest failure condition seems
>> to be “ignoring the lows” entirely.
> 
> High technology risks, such as chained exploits, are low business
> risks in the context of ISO 31000 et al.
> 
> 
> -- 
> Regards,
> Christian Heinrich
> 
> http://cmlh.id.au/contact



[SC-L] The Web Platform podcast talks security

2015-02-04 Thread Gary McGraw
hi sc-l,

An entire gaggle of devs and architects interviews me about software security.  
Have a listen.  Pass it on: 
http://thewebplatform.libsyn.com/28-securing-your-web-applications

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Superbowl Silver Bullet Security Podcast 106: Steve Katz

2015-02-03 Thread Gary McGraw
hi sc-l,

What’s better than the Superbowl?  Silver Bullet of course!  Hah.  Have a 
listen to episode 106 featuring Steve Katz, widely revered as the world’s first 
CISO.  Steve has served as CISO of Citibank/Citigroup, JP Morgan, Merrill Lynch, 
and Kaiser Permanente.  (We serve on one Advisory Board together.)

http://www.cigital.com/silver-bullet/show-106/

Steve and I discuss security, business, risk management, software security, and 
more.

As always, your feedback and discussion of the episode are welcome.  (Please 
tweet about the episode if you would.)  And happy Superbowl weekend!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem




[SC-L] Silver Bullet: Whitfield Diffie

2015-01-01 Thread Gary McGraw
hi sc-l,

Merry New Year to you all!!

Episode 105 of Silver Bullet is an interview with Whitfield Diffie.  Whit 
co-invented PKI among other things.  We have an in depth talk about crypto, 
computation, LISP, AI, quantum key distro, and more.

http://bit.ly/SB-diffie

As always, your feedback on Silver Bullet is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com





[SC-L] Silver Bullet: Brian Krebs

2014-10-31 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 103 features Brian Krebs, whose website
http://krebsonsecurity.com is among the leading security reporting sites on
the planet.  Brian was once a reporter for the Washington Post, but he went
solo after being let go (too deep for the dinosaur).  Krebs broke a number
of important stories in 2014, including the Target and Home Depot breaches
(among others). 

In our conversation, we discuss old media vs new media, Russian crime
syndicates, political strategy and cyber security, and why the government is
so far behind in software security.

http://www.cigital.com/silver-bullet/show-103/

As always, your feedback on Silver Bullet is welcome (try tweeting to
@cigitalgem).  Thanks for listening.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com 
twitter @cigitalgem







[SC-L] Silver Bullet 102: Richard Danzig

2014-09-21 Thread Gary McGraw
hi sc-l,

The 102nd monthly episode of the Silver Bullet podcast features a conversation 
with Richard Danzig.  Richard is a very accomplished leader who served as 
Secretary of the Navy (among other powerful positions).  He is currently a 
member of the Board of the Center for a New American Security.  Richard is 
attempting in his recent work to bridge the gap between technologists and 
Washington policy makers when it comes to cybersecurity.

http://www.cigital.com/silver-bullet/show-102/

Our wide ranging conversation focuses mostly on a recent report Richard 
authored titled “Surviving on a Diet of Poisoned Fruit: Reducing the National 
Security Risks of America’s Cyber Dependencies” 
http://www.cnas.org/surviving-diet-poisoned-fruit which I encourage you all 
to read.  At the end of our conversation we discuss what technologists like 
ourselves can do to improve computer security policy in Washington.

As always, your feedback on the podcast is welcome.

In other news, I hope to see some of you at Appsecusa in Denver this week.  I 
am giving Friday morning’s keynote.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

[SC-L] IEEE Center for Secure Design [searchsecurity and silver bullet]

2014-08-27 Thread Gary McGraw
hi sc-l,

This evening in SF we are officially launching the IEEE Center for Secure Design 
with a small event including security people and press.  Jim DelGrosso and I 
will make a short presentation about the CSD during the launch.

I devoted both of my monthly pieces (Silver Bullet and SearchSecurity) to the 
CSD this month.

Please check out this article and pass it on:
http://bit.ly/CSD-SS  
http://searchsecurity.techtarget.com/opinion/McGraw-on-the-IEEE-Center-for-Secure-Design

Also have a listen to the new Silver Bullet podcast featuring Del, Christoph 
Kern from Google, and Yoshi Kohno from University of Washington where we all 
discuss the CSD:
http://www.cigital.com/silver-bullet/show-101/

Finally, note that the IEEE CSD website and an associated work called “Avoiding 
the Top Ten Software Security Flaws” will be live soon:
http://cybersecurity.ieee.org/center-for-secure-design.html

Make sure to read the CSD document.  It’s good stuff.  Discussion welcome!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

[SC-L] SearchSecurity: Medical Devices and Software Security

2014-07-03 Thread Gary McGraw
hi sc-l,

Chandu Ketkar and I wrote an article about medical device security based on a 
talk Chandu gave at Kevin Fu’s Archimedes conference in Ann Arbor.  In the 
article, we discuss six categories of security defects that Cigital discovers 
again and again when analyzing medical devices for our customers.  Have a look 
and pass it on:

http://bit.ly/1pPH56p

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

[SC-L] Silver Bullet 99: Michael Hicks

2014-07-03 Thread Gary McGraw
hi sc-l,

Silver Bullet Security Podcast number 99 (99 months in a row!!) was just 
posted.  This episode features a programming languages smorgasbord with Michael 
Hicks, professor of CS and security at University of Maryland.  We talk type 
safety, closure, why C is bad, what makes dynamic languages like Javascript 
problematic, and so on.  If you like programming languages talk, you’ll dig 
this episode.

Have a listen: https://www.cigital.com/silver-bullet/show-099/

As always, your feedback on the podcast is welcome.  We’re shooting a video for 
episode 100!!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

[SC-L] Silver Bullet 98: Bart Miller

2014-06-05 Thread Gary McGraw
hi sc-l,

Bart Miller, computer science professor from Wisconsin, coined the term fuzz 
testing in 1990.  He also is the PI for the DHS SWAMP---a software assurance 
marketplace of sorts.  Bart knows a ton about software analysis.

In episode 98 of Silver Bullet, we geek out about software security, Heartbleed, 
fuzz testing, fault injection, and instrumenting binary code as it runs.  Have 
a listen: http://www.cigital.com/silver-bullet/show-098/

Your feedback is welcome.  Pass it on!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

[SC-L] Silver Bullet 97 + SearchSecurity Heartbleed

2014-05-06 Thread Gary McGraw
hi sc-l,

Heartbleed?   Who cares?  We do.  Real lessons here: http://bit.ly/1lBKDsE

Silver Bullet 97.  Programming languages actually matter.  
http://www.cigital.com/silver-bullet/show-097/

Read. Listen. Share. React.

We want your feedback.

gem

Re: [SC-L] [External] Firewalls, Fairy Dust, and Forensics

2014-04-04 Thread Gary McGraw
hi karen,

Good point, and one that I usually make!  I agree.

gem

On 4/1/14, 9:16 AM, Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:

The one point that's missing from the article is to remind people: What
the heck do you think firewalls are made of? Software! So unless a
software manufacturer has got software security religion, their product
is just as likely to be broken inside as the things it allegedly
protects. 

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

I love humans. Always seeing patterns in things that aren't there.
- The Doctor


From: SC-L [sc-l-boun...@securecoding.org] on behalf of Gary McGraw
[g...@cigital.com]
Sent: 31 March 2014 18:40
To: Secure Code Mailing List
Subject: [External]  [SC-L] Firewalls, Fairy Dust, and Forensics

hi sc-l,

Ever get discouraged that we have not been making enough progress in
software security?  Well, we have been making plenty of progress and our
field is growing fast!   This peppy little article (co-authored with
Sammy Migues) explains why firewalls, fairy dust, and forensics are not
working out for computer security.

Oh, and software security is growing at 20% CAGR and now accounts for 10%
of the computer security market (which is itself growing at 8.9%).  We
are in the right field, and this mailing list is a major help.

Please read this: 
http://searchsecurity.techtarget.com/opinion/McGraw-Firewalls-fairy-dust-and-forensics-Try-software-security
Then have your SSG members read it.  You do have an SSG, right?

Feel free to post links to twitter, facebook, linkedin, and send it
around (by pointer).  I would really appreciate that.

Thanks!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

[SC-L] Silver Bullet 96: Nate Fick, CEO of Endgame (and combat veteran)

2014-04-04 Thread Gary McGraw
hi sc-l,

Nate Fick is an interesting man.  He has a classics degree from Dartmouth, 
where he is now a Trustee.  He served combat tours in Afghanistan and Iraq, 
resulting in the book “One Bullet Away” and the HBO series “Generation Kill.”  
He served as the CEO of an important new think tank, the Center for New 
American Security.  While he was at CNAS, we wrote this: 
http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf  And then he 
transitioned to become CEO of Endgame.  When he did that, I was worried, since 
Endgame was performing services that did not help security at all.  He has 
turned Endgame around completely.

We talk about that, about “cyber war” versus real war, policy people in 
Washington, security hype, and running a startup in the security space.  Have a 
listen, and pass it on: http://www.cigital.com/silver-bullet/show-096/

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

[SC-L] Firewalls, Fairy Dust, and Forensics

2014-04-01 Thread Gary McGraw
hi sc-l,

Ever get discouraged that we have not been making enough progress in software 
security?  Well, we have been making plenty of progress and our field is 
growing fast!   This peppy little article (co-authored with Sammy Migues) 
explains why firewalls, fairy dust, and forensics are not working out for 
computer security.

Oh, and software security is growing at 20% CAGR and now accounts for 10% of 
the computer security market (which is itself growing at 8.9%).  We are in the 
right field, and this mailing list is a major help.

Please read this: 
http://searchsecurity.techtarget.com/opinion/McGraw-Firewalls-fairy-dust-and-forensics-Try-software-security
Then have your SSG members read it.  You do have an SSG, right?

Feel free to post links to twitter, facebook, linkedin, and send it around (by 
pointer).  I would really appreciate that.

Thanks!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

[SC-L] IEEE Computer article

2014-03-26 Thread Gary McGraw
hi sc-l,

I was asked to write an article for IEEE Computer’s security column this month. 
It’s about software security.

Security Fatigue? Shift Your Paradigm: 
http://www.cigital.com/presentations/mco2014030081.pdf (IEEE Computer Society, 
March 2014)

As always, your feedback is welcome.  You can find many of my writings here: 
http://www.cigital.com/~gem/writings/

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

[SC-L] Paul dot com podcast on #swsec at 6pm EST

2014-03-20 Thread Gary McGraw
hi sc-l,

Tonight at 6pm EST I will be participating in a paul dot com webcast and 
talking all things software security.  Please tune in if you can, and spread 
the word!

http://securityweekly.com/watch

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Silver Bullet 95: Charlie Miller

2014-02-28 Thread Gary McGraw
hi sc-l,

Greetings from RSA, where the show gets underway today.  I hope to see some 
sc-l readers out here.  (Come see us during the show 
https://www.cigital.com/blog/2014/01/rsa-2014/.)

Episode 95 of silver bullet features a conversation with Charlie Miller, who now 
works at Twitter as a security engineer.  Charlie is well known for his 
spectacular Apple hacks.  Lately, he has turned his attention to cars.  We talk 
about fuzzing, exploit development, and their relationship to software security.

http://www.cigital.com/silver-bullet/show-095/

Have a listen and pass it on.  As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silver-bullet
blog www.cigital.com/justiceleague
book www.swsec.com

[SC-L] Silver Bullet 94: Ming Chow (Tufts)

2014-02-03 Thread Gary McGraw
hi sc-l,

Episode 94 (in a row) of Silver Bullet features a conversation with Ming Chow, 
a developer who got interested in security and accidentally became a software 
security guy teaching at Tufts.  We talk about that.  We talk about exploiting 
online games (and using that as a teaching mechanism).  And mostly we wonder 
how to get real developers more interested in software security.  Have a listen:

http://www.cigital.com/silver-bullet/show-094/

As always, your feedback is welcome.

gem

company http://www.cigital.com
blog http://www.cigital.com/justiceleague
book http://www.swsec.com

[SC-L] SearchSecurity: Scaling Automated Code Review

2014-01-29 Thread Gary McGraw
hi sc-l,

The latest monthly SearchSecurity article was co-authored with Jim Routh, CSO of 
Aetna.  What Jim is doing for his fifth (!!) software security initiative is 
very interesting.  So interesting that we decided to write about it.

In particular pay attention to Jim's use of a lightweight IDE-based static 
analysis tool.  This is important for two reasons: 1) because it runs on all 
dev desktops (and thus scales) and 2) because it finds problems in real time as 
they are being typed in.  FIXING security problems found in this way is easier 
than it is when results arrive a week after they are typed in and dev is on a 
new sprint.

Scaling Automated Code Review: http://bit.ly/1iIcAPB

Here is a long URL version: 
http://searchsecurity.techtarget.com/opinion/McGraw-Software-insecurity-and-scaling-automated-code-review

As always, your feedback is welcome.  Pass it on!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


[SC-L] SearchSecurity: Scaling Architectural Risk Analysis

2013-12-26 Thread Gary McGraw
hi sc-l,

Following on the heels of our SearchSecurity article on Architectural Risk 
Analysis (probably the most difficult touchpoint in software security), Jim 
DelGrosso and I write about how to scale ARA.

http://bit.ly/19Jmk7f  (or 
http://searchsecurity.techtarget.com/opinion/McGraw-Software-insecurity-and-scaling-architecture-risk-analysis)

Merry new year to you all.   We welcome your feedback.

gem

[SC-L] Silver Bullet 93: Yoshi Kohno

2013-12-26 Thread Gary McGraw
hi sc-l,

When it rains, it pours.  Just in time for xmas eve, here is Silver Bullet 
episode 93.   The podcast features a discussion with Yoshi Kohno (a cigital 
alum) who is now a computer science professor at University of Washington.

You've probably heard of Yoshi's car hacking stuff (or maybe even seen it on 
Nova).  Yoshi has one of the best vulnerability finding minds in the business.

http://www.cigital.com/silver-bullet/show-093/

Pass it on!  And merry new year.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

[SC-L] BSIMM-V Article in Application Development Times

2013-12-17 Thread Gary McGraw
hi sc-l,

From time to time we talk about getting to the dev community here.  This 
article is at least in the right publication!

Read it and pass it on: 
http://adtmag.com/blogs/watersworks/2013/12/bsimm-v-released.aspx

Salubrious solstice!  One week and one day to go.

gem

[SC-L] Silver Bullet 92: Jon Callas

2013-11-27 Thread Gary McGraw
hi sc-l,

Just in time for turkey-induced coma listening time, Silver Bullet episode 92 
features Jon Callas.  Jon is an old school geek (on the net since 1979) who has 
occupied a front row seat during all of the crypto wars.  His company Silent 
Circle is actively trying to build a real secure email solution that even the 
NSA can't break.  We had a very interesting chat.  We even talked directly 
about Snowden.  I hope you like it:

http://www.cigital.com/silver-bullet/show-092/

As always, your feedback on the podcast is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com

[SC-L] Silver Bullet 91: Caroline Wong

2013-10-30 Thread Gary McGraw
hi sc-l,

Episode 91 of Silver Bullet features a conversation with Cigital's Caroline 
Wong.  We talk a lot about BSIMM (behind the scenes) as part of the BSIMM-V 
launch.  BSIMM-V will be officially released at 9am EST 10.30.13!

As an experienced practitioner (Symantec, eBay, Zynga), Caroline brings a 
management perspective to the BSIMM project, directly focused on metrics and 
measurement.  (Nothing like real data.)  We also discuss bug bounty programs, 
Software Security Initiative (SSI) in a box (leveraging measurement of 
course), and issues facing women in computer science.

Have a listen: 
http://www.cigital.com/silver-bullet/show-091/

And stay tuned for more about BSIMM-V!

gem

[SC-L] BSIMM-V is alive

2013-10-30 Thread Gary McGraw
hi sc-l,

I am proud to announce that the BSIMM-V document is complete and the website 
has been entirely revised/updated.  Please download a copy of BSIMM-V today: 
http://bsimm.com

BSIMM-V describes the software security initiatives at sixty-seven firms, 
including: Adobe, Aetna, Bank of America, Box, Capital One, Comerica Bank, EMC, 
Epsilon, F-Secure, Fannie Mae, Fidelity, Goldman Sachs, HSBC, Intel, Intuit, 
JPMorgan Chase & Co., Lender Processing Services Inc., Marks and Spencer, 
Mashery, McAfee, McKesson, Microsoft, NetSuite, Neustar, Nokia, Nokia Siemens 
Networks, PayPal, Pearson Learning Technologies, QUALCOMM, Rackspace, 
Salesforce, Sallie Mae, SAP, Sony Mobile, Standard Life, SWIFT, Symantec, 
Telecom Italia, Thomson Reuters, TomTom, Vanguard, Visa, VMware, Wells Fargo, 
and Zynga. All told, the BSIMM describes the work of 975 SSG members working 
with a satellite of 1,953 people to secure the software developed by 272,358 
developers.

Software security measurement.

gem


If you are thinking about developing a software security program, or enhancing 
your existing one, the BSIMM will provide you a tried and true measurement and 
planning tool developed by some of the top security practitioners in the world. 
BSIMM-V is the continued evolution of this data driven set of real world 
software security practices, making it more relevant than ever. If you don’t 
think that a software security program or BSIMM is right for you, well… it’s 
only a matter of time!

Gary Warzala

CISO, Visa

Improving any engineering process requires a solid set of empirical metrics 
from which we can compare and contrast our own processes. Software security is 
no exception, and for far too long the community has been relying too heavily 
on anecdotal 'evidence.' Those excuses are no longer valid. Nowhere else will 
you find a more solid set of real world observations than in the BSIMM study. 
I'm happy to see with the release of BSIMM-V that the model has continued to 
grow and improve since its inception.
Kenneth R. van Wyk
KRvW Associates, LLC

[SC-L] Silver Bullet 90: Matthew Green

2013-10-05 Thread Gary McGraw
hi sc-l,

On one of the best Silver Bullet security podcasts in many a moon, I interview 
Matthew Green, research professor at Johns Hopkins university.  Remember that 
university professor whose NSA-related posting was given a takedown notice?  
That was Matthew.  Find out what he thought of all that:

http://www.cigital.com/silver-bullet/show-090/

We also discuss the difference between theoretical crypto and applied crypto, 
why software security is so dang hard, ARA, and breakfast cereal.

Have a listen and pass it on.  As always, your feedback is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Atlanta event OCT 1st

2013-09-25 Thread Gary McGraw
hi sc-l,

As part of gearing up our Atlanta office, Cigital is co-sponsoring an event 
with TAG (technology association of georgia) on Tuesday October 1st.  The event 
will feature a fireside chat with Marcus Ranum and me about software and 
software security.  "Why is software still so bad, and what are we doing about 
it?" is the official abstract.

The event is open to TAG members and others in the Atlanta area.  If you're 
interested or if you know people in Atlanta who might like to come, please pass 
along this URL : http://bit.ly/1b5qhp4

Hope to see some sc-l readers in Atlanta.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

[SC-L] HP Protect keynote

2013-09-19 Thread Gary McGraw
hi sc-l,

HP just put up a video of the keynote I delivered yesterday at HP Protect.   
Here it is!

http://www.cigital.com/justice-league-blog/2013/09/17/zombies-just-what-dr-mcgraw-ordered/

gem

p.s. Who knows Dinis in a can??

Re: [SC-L] SearchSecurity: Architecture Risk Analysis

2013-09-19 Thread Gary McGraw
hi marinus,

Sorry for the (spam filter related) delay!

Two of the steps that we define in the ARA article address your idea directly.  
Step 1: known-attack analysis certainly leverages knowledge about components, 
packages, and design patterns (associated with known attacks) and stuff you 
inherit.  And, step 3: dependency analysis is almost entirely focused on what 
you suggest.

Have a read: http://bit.ly/1b2f5Zk

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

From: Marinus van Aswegen <mvanaswe...@gmail.com>
Date: Monday, September 16, 2013 3:15 PM
To: Secure Code Mailing List <SC-L@securecoding.org>
Subject: [SC-L] SearchSecurity: Architecture Risk Analysis

Gary,

We have a step where we figure out how the various architectures intersect and 
synthesize together. After all you inherit more than you define and deliver.

Marinus

-

hi sc-l,

Software security in general spends a lot of time talking about bugs---too much 
time, I believe.  We all know that software defects come in two major 
subclasses: bugs (in the implementation) and flaws (in the design).  So, how do 
you find and FIX flaws?

That's what this month's SearchSecurity column is about.  This article is about 
finding security flaws in software with Architecture Risk Analysis.  It is 
co-authored by Jim DelGrosso who is a Principal Consultant at Cigital and runs 
the Architecture practice.

We know this approach works, because we actually use it every day (and have 
done so for over a decade): http://bit.ly/1b2f5Zk   No, it's not easy, and yes 
it takes experience.  Oh well.

gem



[SC-L] SearchSecurity: Architecture Risk Analysis

2013-09-15 Thread Gary McGraw
hi sc-l,

Software security in general spends a lot of time talking about bugs---too much 
time, I believe.  We all know that software defects come in two major 
subclasses: bugs (in the implementation) and flaws (in the design).  So, how do 
you find and FIX flaws?

That's what this month's SearchSecurity column is about.  This article is about 
finding security flaws in software with Architecture Risk Analysis.  It is 
co-authored by Jim DelGrosso, who is a Principal Consultant at Cigital and runs 
the Architecture practice.

We know this approach works, because we actually use it every day (and have 
done so for over a decade): http://bit.ly/1b2f5Zk   No, it's not easy, and yes 
it takes experience.  Oh well.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

p.s. Long link for Mr Wall: 
http://searchsecurity.techtarget.com/opinion/Opinion-Software-insecurity-software-flaws-in-application-architecture



[SC-L] HP Protect Keynote (next week 9.17.13)

2013-09-15 Thread Gary McGraw
hi sc-l,

This year's keynote talk at HP Protect will be all about software security.  
How do I know?  Well, I'm giving the talk.  You can register here if you want 
to attend HP Protect in Washington, DC. http://h30627.www3.hp.com/

The Discover Performance magazine featured an article about software security 
as one part of the run up to the HP Protect Conference.  You can read that 
here: 
http://bit.ly/153CFDB
http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html

It's great news for the field that we're being asked to talk about software 
security at a major conference as the keynote.  I hope to see some of you there.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

p.s. Long URL for Kevin 
http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html





Re: [SC-L] HP Protect Keynote (next week 9.17.13)

2013-09-15 Thread Gary McGraw
hi dinis,

I will be covering the basics for sure.  I agree with all of your points below.

The trickiest one you bring up is security labels which though it may be a good 
idea is a political swamp.

I am up for an HP Protect band, but I am pretty sure such an idea has never 
crossed the corporate HP mind!

See you in DC.

gem

From: Dinis Cruz dinis.c...@owasp.org
Date: Sunday, September 15, 2013 5:54 AM
To: gem g...@cigital.com
Cc: Casey Callaway ccalla...@cigital.com, Secure Code Mailing List SC-L@securecoding.org
Subject: Re: [SC-L] HP Protect Keynote (next week 9.17.13)


I'll be there and am looking forward to seeing it

Can you cover the need to: a) 'talk' to developers using UnitTests, b) stop 
giving developers PDFs/badometers, c) create security Labels for APIs/Apps and 
d) use open source tools like the O2 Platform (and ThreadFix) to integrate+glue 
the application security knowledge created by tools and humans :)

For the record I'm gutted that HP can't organise a 'Conference Band' like the 
'Owasp band' so that we can do our yearly rendition of the 'SQL Injection 
Blues' :)

Dinis

On 15 Sep 2013 09:39, Gary McGraw g...@cigital.com wrote:
hi sc-l,

This year's keynote talk at HP Protect will be all about software security.  
How do I know?  Well, I'm giving the talk.  You can register here if you want 
to attend HP Protect in Washington, DC. http://h30627.www3.hp.com/

The Discover Performance magazine featured an article about software security 
as one part of the run up to the HP Protect Conference.  You can read that 
here: 
http://bit.ly/153CFDB
http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html

It's great news for the field that we're being asked to talk about software 
security at a major conference as the keynote.  I hope to see some of you there.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

p.s. Long URL for Kevin 
http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html





[SC-L] Silver Bullet 89: Mike Reiter

2013-09-04 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 89 was posted yesterday.  It features a conversation with 
Professor Mike Reiter from UNC.  Mike's work is well known in distributed 
systems and networking.  He has done a bit of work in software security.  Have 
a listen:
http://www.cigital.com/silver-bullet/show-089/

And as always, your feedback is welcome

I'm off to Germany for SecSE and ARES (with plenty of software security 
coverage).

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com




[SC-L] SearchSecurity: 5 Tech Trends and Software Security

2013-08-11 Thread Gary McGraw
hi sc-l,

SearchSecurity just posted my August article about the intersection of software 
security and 5 major tech trends.  It is enhanced with BSIMM data to spice it 
up.  Have a read http://bit.ly/137efaX (and pass it on!).  Here is a (big ass) 
URL for Kevin: 
http://searchsecurity.techtarget.com/opinion/Five-major-technology-trends-affecting-software-security-assurance

As always, your feedback is welcome.  I'm pleased that our field is getting 
such good exposure on Tech Target.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @noplasticshower



[SC-L] Silver Bullet 88: Christian Collberg

2013-08-01 Thread Gary McGraw
hi sc-l,

Christian Collberg has been among the best academicians in software protection 
for over a decade.  His book Surreptitious Software which is really about 
obfuscation, watermarking and digital content protection is part of my Software 
Security Series http://buildingsecurityin.com.  Christian is also an artist 
and a world traveller with a very interesting global perspective.

Have a listen to the 88th consecutive Silver Bullet Security Podcast featuring 
Christian Collberg: http://www.cigital.com/silver-bullet/show-088/

As always, your feedback is welcome (including suggestions for new Silver 
Bullet victims).

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @noplasticshower





[SC-L] Silver Bullet 87: James Walden

2013-07-01 Thread Gary McGraw
hi sc-l,

Last month, Cigital consultant Joe Harless suggested that I interview his NKU 
professor James Walden.  It was a good idea.  Thanks Joe.  I have known James 
for years.  He uses Software Security in some of his classes and he thinks 
about software security all day.

Trained as a particle physicist, James is one of the leaders in academic 
software security.  We talk about all sorts of things: top ten lists, breaking 
versus fixing, bugs and flaws.  James teaches a Secure Software Engineering 
course that is right up our alley here at sc-l.

Have a listen: http://www.cigital.com/silver-bullet/show-087/

And if you have a suggestion for a Silver Bullet episode, let me know!

gem

company www.cigital.com
justiceleague www.cigital.com/justiceleague
book www.swsec.com



[SC-L] TechTarget: Proactive Security in Financial Services

2013-06-10 Thread Gary McGraw
hi sc-l,

The Financial Services sector is an important advocate for real software 
security.  At FS-ISAC this Spring in Florida, I moderated a panel about that 
(including JP Morgan Chase, Capital One and Fidelity).  The panel resulted in a 
writeup posted today (and published in Information Security Magazine).

 http://bit.ly/163miTX

(kevin longlink 
http://searchsecurity.techtarget.com/opinion/McGraw-Financial-services-develop-a-proactive-posture?utm_medium=EMasrc=EM_ERU_22003825utm_campaign=20130610_ERU%20Transmission%20for%2006/10/2013%20(UserUniverse:%20608797)_myka-repo...@techtarget.comutm_source=ERUsrc=5135013)

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Silver Bullet 86: Wenyuan Xu

2013-05-31 Thread Gary McGraw
hi sc-l,

Ever wonder what it is like to be a Chinese scholar living and teaching in the 
US or a woman teaching computer science and engineering?  We talk about that in 
the 86th episode of the Silver Bullet Security Podcast featuring University of 
South Carolina professor Wenyuan Xu: bit.ly/14e8h29 http://t.co/A1aymA09tw

We also discuss embedded device security (cars, electricity billing systems, 
medical devices), software security, and the distinctly American phenomenon of 
tailgating.

Have a listen.  As always your feedback is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @noplasticshower



[SC-L] Silver Bullet 85:Mobile Security with Jim Routh and Scott Matsumoto

2013-05-03 Thread Gary McGraw
hi sc-l,

Is mobile security a brand new day or the same old same old?  The answer 
depends on how you look at the problem.  If you are a practitioner in the 
trenches, there are many new and interesting shiny bits to mobile security.  If 
you are a security veteran, things look very familiar.  In this episode of 
Silver Bullet, Jim Routh, Scott Matsumoto and I take on the Necker Cube of 
mobile security.  Jim Routh is the ultimate security practitioner (until 
recently the global head of software security at JPMC and now a major CSO).  
Scott Matsumoto, Cigital Principal and head of mobile security, is a software 
veteran with years of experience.  I do what I can to guide the conversation 
with an eye on both the distant past and the quickly approaching future.

Have a listen and pass it on: http://www.cigital.com/silver-bullet/show-085/

As always, your feedback is both welcome and encouraged.  What do YOU think?  
Same old same old or brand new day?

gem

company www.cigital.com
blog www.cigital.com/justiceleague (see especially 
https://www.cigital.com/justice-league-blog/2013/04/30/mobile-different-or-same-sht-different-day/)
book www.swsec.com



[SC-L] BSIMM talk at RSA

2013-02-28 Thread Gary McGraw
hi sc-l,

Please come hear my talk Bug Parades, Zombies and the BSIMM: A Decade of 
Software Security today at the RSA Conference.  The talk is at 10:40am in room 
132.  I'll be making some of the BSIMM Update data from the RSA BSIMM Mixer 
public.  63 firms and counting.

gem




[SC-L] Software Security on MSNBC Sunday morning TV (9:20am)

2013-02-24 Thread Gary McGraw

hi sc-l,

I am slated to be a guest on MSNBC's Up With Chris Hayes tomorrow morning 
(Sunday 2.24) 9:20-10:00am.  They wanted to fly me to NY for the show, but the 
plan now is to do this from the DC studios.  We'll be talking about Cyber War.

About the show: 
http://www.nytimes.com/2012/06/24/fashion/chris-hayes-has-arrived-with-up.html?_r=0

You can bet I will harp on software security!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com





Re: [SC-L] Software Security on MSNBC Sunday morning TV (9:20am)

2013-02-24 Thread Gary McGraw
hi sc-l,

It's still early on Sunday, but here is a pointer to the episode: 
http://nbcnews.to/YqeokE

gem

From: gem g...@cigital.com
Date: Saturday, February 23, 2013 4:21 PM
To: Secure Code Mailing List SC-L@securecoding.org
Subject: Software Security on MSNBC Sunday morning TV (9:20am)


hi sc-l,

I am slated to be a guest on MSNBC's Up With Chris Hayes tomorrow morning 
(Sunday 2.24) 9:20-10:00am.  They wanted to fly me to NY for the show, but the 
plan now is to do this from the DC studios.  We'll be talking about Cyber War.

About the show: 
http://www.nytimes.com/2012/06/24/fashion/chris-hayes-has-arrived-with-up.html?_r=0

You can bet I will harp on software security!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com





[SC-L] See you next week at RSA 2013

2013-02-22 Thread Gary McGraw
hi sc-l,

I know many sc-l readers will be headed out to San Francisco next week for the 
usual week of chaos surrounding RSA.  Should be a blast as always.

This year I am involved in two public appearances at the RSA conference, both 
of which will discuss software security explicitly.  The first is a CSO Panel 
featuring Gary Warzala (Visa), Jason Witty (US Bank), Eric Grosse (Google), and 
Howard Schmidt (retired US Gov).  One of the six key questions we will address 
during the panel is what a CSO can and should do about software security, 
security engineering and building things properly.  That panel is Wednesday 
2.27 at 1pm.

The second appearance is even more relevant to software security.  I will give 
my Bug Parades, Zombies, and the BSIMM talk Thursday 2.28 at 10:40am.  I plan 
to discuss the ancient history of software security and accelerate to now.

I hope you will come see what we've got cooking!  If you do come to the talks, 
make sure to come say hello.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Chinese Hacking, Mandiant and Cyber War

2013-02-20 Thread Gary McGraw
hi sc-l,

No doubt all of you have seen the NY Times article about the Mandiant report 
that pervades the news this week.  I believe it is important to understand the 
difference between cyber espionage and cyber war.  Because espionage unfolds 
over months or years in realtime, we can triangulate the origin of an 
exfiltration attack with some certainty.  During the fog of a real cyber war 
attack, which is more likely to happen in milliseconds,  the kind of forensic 
work that Mandiant did would not be possible.  (In fact, we might just well be 
Gandalfed and pin the attack on the wrong enemy as explained here: 
http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)

Sadly, policymakers seem to think we have completely solved the attribution 
problem.  We have not.  This article published in Computerworld does an 
adequate job of stating my position: 
http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

Those of us who work on security engineering and software security can help 
educate policymakers and others so that we don't end up pursuing the folly of 
active defense.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com




[SC-L] Active Defense is Irresponsible

2013-02-13 Thread Gary McGraw
hi sc-l,

This morning, NPR did a story 
http://www.npr.org/2013/02/13/171843046/victims-of-cyberattacks-now-going-on-offense-against-intruders
 about the idea of Active Defense which basically boils down to attacking the 
people who (may have) attacked you.  (Key question: who is it that REALLY 
attacked you and how do you know that?)  At Cigital, we believe this is a 
recipe for disaster.  The last thing we need in computer security is a bunch of 
vigilante yoo-hoos and lynch mobs.  Rule of law anyone?

I talked all about this in my SearchSecurity column in November: Proactive 
defense prudent alternative to cyberwarfare 
http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare 
(November 1, 2012)

In fact, I have been a vocal opponent to the Cyber War drum beating that seems 
to pervade Washington.  Here's what I had to say to Threatpost about the issue 
(warning: poor sound quality): 
http://threatpost.com/en_us/blogs/gary-mcgraw-cyberwar-and-folly-hoarding-cyber-rocks-111312

I have also been voicing these thoughts at think tanks like CNAS and in 
academic venues.  Here are three pointers to recent talks: 
http://www.ists.dartmouth.edu/events/abstract-mcgraw.html
http://www.kcl.ac.uk/sspp/departments/warstudies/newsevents/eventsrecords/mcgraw.aspx
http://www.eecs.umich.edu/eecs/etc/events/showevent.cgi?2626

FWIW, I am going to be on a panel about this at a private event during RSA with 
the founders of CrowdStrike on the opposing side.   Should be interesting.  
Given their dunderheaded philosophy, maybe I should bring a security detail 
along.

If you feel as strongly as we do about this issue, please send this to your 
Representatives.  They need to read it:
Separating the Threat from the Hype: What Washington Needs to Know About Cyber 
Security http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf in 
AMERICA'S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES 
I AND II http://www.cnas.rsvp1.com/node/6405?mgh=http%3A%2F%2Fwww.cnas.orgmgf=1, 
Center for a New American Security (June 2011).

What's the alternative to throwing rocks?  Making sure our houses are not glass 
by building security in.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com





Re: [SC-L] SearchSecurity: 13 Design Principles for 2013

2013-01-17 Thread Gary McGraw
Excellent idea Gunnar!  This is the kind of conceptual comparison that we don't 
do enough of.

gem

From: Gunnar Peterson gun...@arctecgroup.net
Reply-To: Gunnar Peterson gun...@arctecgroup.net
Date: Thursday, January 17, 2013 6:39 PM
To: gem g...@cigital.com, Secure Code Mailing List SC-L@securecoding.org
Cc: epar...@techtarget.com
Subject: RE: [SC-L] SearchSecurity: 13 Design Principles for 2013

Good piece. Saltzer and Schroeder's work is the deus ex machina in so much of 
security. On the software side, esp. in the case of Twitter, Facebook et al., the 
equivalent is David Gelernter.

I did a mashup of these titans and I must say I think there is a fair (and 
increasing) amount of impedance mismatch. Meaning many of S&S's fundamental 
assumptions do not apply in Gelernter's universe. For example, how do I 
completely mediate in a federation? Answer: you don't; you have partial control 
at best.

http://1raindrop.typepad.com/1_raindrop/2008/06/mashup-of-the-titans.html

Gunnar


Sent from my mobile



 Original message 
From: Gary McGraw g...@cigital.com
Date:
To: Secure Code Mailing List SC-L@securecoding.org
Cc: Parizo, Eric epar...@techtarget.com
Subject: [SC-L] SearchSecurity: 13 Design Principles for 2013


hi sc-l,

Merry new year to you all.

About the hardest part of software security is design.  Everything about it is 
hard: secure design, threat modeling, architectural risk analysis, etc.  Even 
convincing slow pokes that there is a difference between bugs and flaws is hard 
(you should see the reviews my talk got from the expert RSA program 
committee this year…hah!).  For many years I have struggled with how to teach 
people ARA and security design.  The only technique that really works is 
apprenticeship.  Short of that, a deep understanding of security design 
principles can help.

In 1975 Saltzer and Schroeder wrote one of the most important papers in computer 
security.  In it, they introduced the concept of security principles.  I riffed 
on that this month in my SearchSecurity column.  Please read it and pass it on.  
Give a copy to all of the software architects you know.

http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com




[SC-L] SearchSecurity: Twelve Most Common BSIMM Activities

2012-12-09 Thread Gary McGraw
hi sc-l,

Greetings from NOLA where I am sailing this weekend.

Ever wonder what the twelve most common software security activities are?  
Because of the BSIMM data, we actually know.  Have a look for yourself:
http://searchsecurity.techtarget.com/news/2240174114/Twelve-common-software-security-activities-to-lift-your-program

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.cigital.com



Re: [SC-L] BSIMM4 Released Today

2012-09-27 Thread Gary McGraw
hi sc-l,

Once every blue moon, software security makes it into the major press.  BSIMM4 
did it today.

http://blogs.wsj.com/cio/2012/09/26/bank-cyberattacks-underscore-need-for-security-processes/

I think it's great when the major players get past the train wreck mentality 
that seems to pervade security coverage.

gem

p.s. This Dennis Fisher podcast is worth a listen too:
https://threatpost.com/en_us/blogs/gary-mcgraw-bsimm4-and-how-avoid-being-slowest-zebra-092612

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

From: gem g...@cigital.com
Date: Tuesday, September 18, 2012 9:56 AM
To: Secure Code Mailing List SC-L@securecoding.org
Cc: Sammy Migues smig...@cigital.com, Jacob West j...@hp.com
Subject: BSIMM4 Released Today

hi sc-l,

Today we released BSIMM4, the fourth edition of the BSIMM model built directly 
from data observed in 51 firms.  If you ever wonder what software assurance 
looks like in commercial practice (and how to measure it), the BSIMM sheds 
plenty of light on current practice.

Download a copy today (for free under the Creative Commons) at 
http://bsimm.com/

BSIMM4 provides insight into fifty-one of the most successful software security 
initiatives in the world and describes how these initiatives evolve, change, 
and improve over time. The multi-year study is based on in-depth measurement of 
leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, 
The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, 
Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, 
Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, 
Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, 
Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

Some numerical highlights of BSIMM4:
• BSIMM4 includes 51 firms from 12 industry verticals
• BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 
2009 edition
• The BSIMM4 data set has 95 distinct measurements (some firms measured 
multiple times, some firms with multiple divisions measured separately and 
rolled into one firm score)
• BSIMM4 continues to show that leading firms on average employ two full time 
software security specialists for every 100 developers
• BSIMM4 describes the work of 974 software security professionals working with 
a development-based satellite of 2039 people to secure the software developed 
by 218,286 developers

Of particular interest to readers of sc-l, for the first time in the BSIMM 
project, new activities were observed in addition to the original 109, 
resulting in the addition of two new activities to the model going forward. The 
activities are: Simulate software crisis and Automate malicious code detection.

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] BSIMM4 Released Today

2012-09-18 Thread Gary McGraw
hi sc-l,

Today we released BSIMM4, the fourth edition of the BSIMM model built directly 
from data observed in 51 firms.  If you ever wonder what software assurance 
looks like in commercial practice (and how to measure it), the BSIMM sheds 
plenty of light on current practice.

Download a copy today (for free under the Creative Commons) at 
http://bsimm.com/

BSIMM4 provides insight into fifty-one of the most successful software security 
initiatives in the world and describes how these initiatives evolve, change, 
and improve over time. The multi-year study is based on in-depth measurement of 
leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, 
The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, 
Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, 
Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, 
Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, 
Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

Some numerical highlights of BSIMM4:
• BSIMM4 includes 51 firms from 12 industry verticals
• BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 
2009 edition
• The BSIMM4 data set has 95 distinct measurements (some firms measured 
multiple times, some firms with multiple divisions measured separately and 
rolled into one firm score)
• BSIMM4 continues to show that leading firms on average employ two full time 
software security specialists for every 100 developers
• BSIMM4 describes the work of 974 software security professionals working with 
a development-based satellite of 2039 people to secure the software developed 
by 218,286 developers

Of particular interest to readers of sc-l, for the first time in the BSIMM 
project, new activities were observed in addition to the original 109, 
resulting in the addition of two new activities to the model going forward. The 
activities are: Simulate software crisis and Automate malicious code detection.

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Silver Bullet 77: Gary Warzala of Visa

2012-08-28 Thread Gary McGraw
hi sc-l,

Greetings from Buenos Aires where I am pushing the software security agenda in 
South America this week in a series of four talks.

Silver Bullet's 77th episode features Gary Warzala, CISO of Visa.  Our 
discussion mirrors some of what we talked about during our fireside chat in 
Bloomington, Indiana when we opened the new Cigital office there in May.  Ever 
wonder what a CISO does all day or what they think about?  Tune in and find out.

http://www.cigital.com/silver-bullet/show-077/

For the purposes of this list, Visa is serious about software security, which 
we discuss during the podcast.

As always, your feedback is welcome.  Thanks as always to Ryan MacMichael for 
his behind the scenes work on Silver Bullet.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-08 Thread Gary McGraw
hi greg,

Good question.  I'm biased of course, but I think a BSIMM type measurement
is the best way to approach this.  (See http://bsimm.com.)  However,
regardless of measurement I strongly believe that incentives are way
better than regulations and penalties.

Because the Senate bill was blocked yesterday by a Republican filibuster
http://www.nytimes.com/2012/08/03/us/politics/cybersecurity-bill-blocked-by-gop-filibuster.html
we may have a chance to revisit some of these ideas next session!

On the BSIMM front, we now have 51 firms measured and will be compiling
BSIMM4 next week for release in the Fall.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 8/2/12 3:13 PM, Greg Beeley greg.bee...@lightsys.org wrote:

How would we recognize good engineering?

It seems to me like the very same problem faced by the idea of software
liability law - that it is hard to define good engineering for software
security - would be faced by an incentive program.  If good
engineering is fuzzy enough to give a big corporate legal dept the
upper hand against an individual, wouldn't it be similarly fuzzy enough
to counter the fairness of a tax incentive?

Tax breaks are a big deal - I doubt the government is going to want to
issue tax breaks to a company because the company claims they have
achieved level X in a CMM -- think about the economic cost in
demonstrating something like that to the point where it is fair and
worth something.  I also doubt that a metric based on vulnerability
counts will work -- that will just encourage companies to hide
vulnerabilities, fixing them silently and/or with great delay, instead
of disclosing them.

Not that I think that incentives inherently wouldn't work -- rather I'd
be interested in seeing some discussion here on some of the above issues.

One alternative that has worked well in many other areas of
manufacturing -- encourage some kind of limited warranty, at least in
certain industries.  For consumer mobile devices, it might be something
as simple as, if your device's security is ever compromised due to a
flaw in the bundled device software, we'll repair it free of charge.
The big challenges are 1) getting customers to care about their device's
security, and 2) making a vendor's commitment to security recognizable
by the customer.  By no means ideal, but at least a talking point.

- Greg

Gary McGraw wrote, On 08/02/2012 08:40 AM:
 Hi Jeff,
 
 I'm afraid I disagree.  The hyperbolic way to state this is, imagine YOUR
 lawyer faced down by Microsoft's army of lawyers. You lose.
 
 Software liability is not the way to go in my opinion.  Instead, I would
 like to see the government develop incentives for good engineering.
 
 gem
 
 On 8/2/12 10:26 AM, Jeffrey Walton noloa...@gmail.com wrote:
 
 Hi Dr. McGraw,

 Cyber Intelligence Sharing and Protection Act (CISPA) passed by
 the House in April) has very little to say about building security in.
 I'm convinced (in the US) that users/consumers need a comprehensive
 set of software liability laws. Consider the number of mobile devices
 that are vulnerable because OEMs stopped providing (or never provided)
 patches for vulnerabilities. The equation [risk analysis] needs to be
 unbalanced just a bit to get manufacturers to act (do nothing is cost
 effective at the moment).

 Jeff

 On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 This month's [in]security article takes on Cyber Law as its topic.  The
 US Congress has been debating a cyber security bill this session and is
 close to passing something.  Sadly, the Cybersecurity and Internet
 Freedom Act currently being considered in the Senate (as an answer to
 the problematic Cyber Intelligence Sharing and Protection Act (CISPA)
 passed by the House in April) has very little to say about building
 security in.

 Though cyber law has always lagged technical reality by several years,
 ignoring the notion of building security in is a fundamental flaw.

 http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

 Please read this month's article and pass it on far and wide.  Send a
 copy to your representatives in all branches of government.  It is high
 time for the government to tune in to cyber security properly.


[SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
hi sc-l,

This month's [in]security article takes on Cyber Law as its topic.  The US 
Congress has been debating a cyber security bill this session and is close to 
passing something.  Sadly, the Cybersecurity and Internet Freedom Act currently 
being considered in the Senate (as an answer to the problematic Cyber 
Intelligence Sharing and Protection Act (CISPA) passed by the House in April) 
has very little to say about building security in.

Though cyber law has always lagged technical reality by several years, ignoring 
the notion of building security in is a fundamental flaw.

http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

Please read this month's article and pass it on far and wide.  Send a copy to 
your representatives in all branches of government.  It is high time for the 
government to tune in to cyber security properly.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
Hi Jeff,

I'm afraid I disagree.  The hyperbolic way to state this is, imagine YOUR
lawyer faced down by Microsoft's army of lawyers. You lose.

Software liability is not the way to go in my opinion.  Instead, I would
like to see the government develop incentives for good engineering.

gem

On 8/2/12 10:26 AM, Jeffrey Walton noloa...@gmail.com wrote:

Hi Dr. McGraw,

 Cyber Intelligence Sharing and Protection Act (CISPA) passed by
 the House in April) has very little to say about building security in.
I'm convinced (in the US) that users/consumers need a comprehensive
set of software liability laws. Consider the number of mobile devices
that are vulnerable because OEMs stopped providing (or never provided)
patches for vulnerabilities. The equation [risk analysis] needs to be
unbalanced just a bit to get manufacturers to act (do nothing is cost
effective at the moment).

Jeff

On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 This month's [in]security article takes on Cyber Law as its topic.  The
 US Congress has been debating a cyber security bill this session and is
 close to passing something.  Sadly, the Cybersecurity and Internet
 Freedom Act currently being considered in the Senate (as an answer to
 the problematic Cyber Intelligence Sharing and Protection Act (CISPA)
 passed by the House in April) has very little to say about building
 security in.

 Though cyber law has always lagged technical reality by several years,
 ignoring the notion of building security in is a fundamental flaw.

 http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

 Please read this month's article and pass it on far and wide.  Send a
 copy to your representatives in all branches of government.  It is high
 time for the government to tune in to cyber security properly.





[SC-L] Silver Bullet 76: David Evans

2012-07-30 Thread Gary McGraw
hi sc-l,

The 76th episode of Silver Bullet features a chat with Dave Evans, a professor 
at UVa and a well-respected security researcher.  David and I discuss (among 
other things) the founding of the Interdisciplinary Major in Computer Science 
(BA) at UVa and why a broad approach to Computer Science and Computer Security 
is a good idea, why data privacy gets short shrift in the United States, why 
people think (for no apparent reason) that their mobile devices are
secure, groceries, David's research on Secure Computation, and the Udacity 
project.  We close out the discussion with a story about David's trip to the
World Cup in Korea and a choice between GEB and scheme.

As always your feedback on the podcast is welcome.  I'm also actively seeking 
female interviewees for the podcast, so if you have any suggestions for future 
interviews, do tell!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] Silver Bullet 76: David Evans

2012-07-30 Thread Gary McGraw
Oops!  forgot to include the URL.  Here it is:

http://www.cigital.com/silver-bullet/show-076/

gem



Re: [SC-L] SearchSecurity: Mobile Security = Software Security

2012-07-15 Thread Gary McGraw
hi martin,

Great to see you in Athens this week.  Sorry about the registration thing.
As an author, I get very little say in the matter.  I hope you registered
as Mickey Mouse or Bill Gates.

gem

On 7/15/12 2:50 PM, Martin Gilje Jaatun secse-ch...@sislab.no wrote:

Hi Gary,

I agree with everything you write in the article (although I was a bit
peeved at having to register to read it...). It ties nicely in with a
related topic that is being discussed a lot recently: The danger of QR
codes, where people argue that you shouldn't scan QR codes with your
smartphone, since you don't know where they take you, and you might get
infected with something (as allegedly carried out by Th3 J35t3r a few
months back). Again, this is discussing the wrong problem - why are we
accepting to use smartphone browsers that fall over at the merest whiff
of an attack?

-Martin

On 07/06/2012 02:29 PM, Gary McGraw wrote:
 hi sc-l,

 In April, my monthly [in]security column moved over to SearchSecurity
 (TechTarget).  This month's installation appears in Information Security
 magazine as well as on the usual websites.

 Because of all of the great work Cigital has done in mobile security,
 there was plenty of fodder to draw from for a pithy article on mobile
 security.  Take home message?  Build security in!  Every software
 security Touchpoint is relevant and useful when it comes to mobile
 security.

 Have a read, and pass it on.  Pile on the hits:
 http://searchsecurity.techtarget.com/magazineContent/Gary-McGraw-on-mobile-security-Its-all-about-mobile-software-security

 Your feedback is always welcome.

 gem

 company www.cigital.com
 podcast www.cigital.com/silverbullet
 blog www.cigital.com/justiceleague
 book www.swsec.com



[SC-L] SearchSecurity: Mobile Security = Software Security

2012-07-09 Thread Gary McGraw
hi sc-l,

In April, my monthly [in]security column moved over to SearchSecurity 
(TechTarget).  This month's installation appears in Information Security 
magazine as well as on the usual websites.

Because of all of the great work Cigital has done in mobile security, there was 
plenty of fodder to draw from for a pithy article on mobile security.  Take 
home message?  Build security in!  Every software security Touchpoint is 
relevant and useful when it comes to mobile security.

Have a read, and pass it on.  Pile on the hits:
http://searchsecurity.techtarget.com/magazineContent/Gary-McGraw-on-mobile-security-Its-all-about-mobile-software-security

Your feedback is always welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Flame provides an opportunity

2012-05-31 Thread Gary McGraw
hi sc-l,

Whenever a computer security disaster story breaks (pretty much the only kind 
of coverage cyber security can expect in the major press) we have an 
opportunity (while people are paying attention) to talk about how to avoid 
future disasters.  If we're lucky, we can leverage the NASCAR effect 
(http://www.darkreading.com/security/application-security/208803559/if-you-build-it-they-ll-crash-it.html)
to discuss software security.

In my view, the only way we can get in front of modern malware is by building 
security in.  I wrote about that for SearchSecurity in May: Eliminating badware 
addresses malware problem (May 2012):
http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem

Some of the Flame dustup in the press this week riffed on that idea and even 
mentioned the BSIMM (in the WSJ CIO Journal):
http://blogs.wsj.com/cio/2012/05/29/cios-should-see-flame-as-a-call-to-arms/?KEYWORDS=hickins

Also check out a related radio segment from Marketplace (aired on NPR):
http://www.marketplace.org/topics/tech/flame-malware-burns-through-cyberspace

It actually works to use the NASCAR effect to get our message out!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Silver Bullet 74: Bruce Schneier

2012-05-31 Thread Gary McGraw
hi sc-l,

There are exactly two security gurus we have covered twice in Silver Bullet: 
Ross Anderson (who holds the all time record for hits) and Bruce Schneier.  
Both are very interesting thinkers and thought leaders in computer security.

Episode 74 is the second Silver Bullet conversation with Bruce.  We talked 
mostly about his new book Liars and Outliers, but the conversation ranged 
widely from economics to mixology.  I think you'll enjoy it:

http://www.cigital.com/silver-bullet/show-074/

As always, your feedback is welcome and encouraged.   Please pass this episode 
on to your friends and colleagues.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] SearchSecurity: Badware versus malware

2012-05-12 Thread Gary McGraw
The article does not suggest otherwise.

gem

On 5/11/12 1:51 PM, Ben Laurie b...@google.com wrote:

On 8 May 2012 07:18, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 What’s worse, bad software or malicious software?  In fact, what’s the
 difference?

 My second column for SearchSecurity is all about that.  Read it today.
 And pass it on.
 http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem

 Bottom line: Talking about malware may be more fun and entertaining
 than talking about endless security bugs, but if we’re going to combat
 malware we have to start with the badware vector.

Fixing badware universally would plug one hole - and it's certainly a
hole worth plugging. But it won't eliminate malware - it seems it is
not hard to persuade users to install it for you, for example.




[SC-L] SearchSecurity: Badware versus malware

2012-05-08 Thread Gary McGraw
hi sc-l,

What’s worse, bad software or malicious software?  In fact, what’s the 
difference?

My second column for SearchSecurity is all about that.  Read it today.  And 
pass it on.
http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem

Bottom line: Talking about malware may be more fun and entertaining than 
talking about endless security bugs, but if we’re going to combat malware we 
have to start with the badware vector.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Silver Bullet 73: Robert Vamosi

2012-05-04 Thread Gary McGraw
hi sc-l,

This morning we released episode 73 of Silver Bullet.  The new show is an 
interview with Robert Vamosi.  Robert is a well-known security reporter, having 
worked for a bunch of esteemed publications including Forbes, c!net, and 
threatpost.  Robert also wrote a book called When Gadgets Betray Us which 
many of you will find interesting.  Have a listen:
http://www.cigital.com/silver-bullet/show-073/

As always, thanks to IEEE Security & Privacy magazine for co-sponsoring Silver 
Bullet.  Special shouts out to Ryan MacMichael (our sound engineer) and 
congrats on the birth of child #2!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] SearchSecurity: Build it in, build it right

2012-04-10 Thread Gary McGraw
hi sc-l,

The [in]security column that I have been writing monthly since October 2004 has 
a new home.  It is now published by SearchSecurity and will appear in 
Information Security magazine and on SearchSecurity.

The landing page for the columns on SearchSecurity will be here:
http://searchsecurity.techtarget.com/contributor/Gary-McGraw

The very first article itself just went up today.  It is titled Gary McGraw on 
software security assurance: Build it in, build it right (can you tell the 
Techtarget people made up the title?):
http://searchsecurity.techtarget.com/opinion/Gary-McGraw-on-software-security-assurance-Build-it-in-build-it-right

I need your help with the column.  As with all web content these days, hits 
matter.  So please click on the articles and read them.  Then get one or two 
people that you know to read them.  Then write a clickbot to hit them 
automatically day and night.  Then spread them virally throughout the universe. 
 If we want software security to continue to matter, it is up to us to keep 
people interested.

You can always find pointers to the complete [In]security series on my writing 
page http://www.cigital.com/~gem/writings/. Your feedback on the column 
through the justice league blog http://www.cigital.com/justice-league-blog/ 
is greatly appreciated.

Thanks for your help making the new column work.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com





Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

2012-03-07 Thread Gary McGraw
Karen is right.  That is a legacy of Watts Humphrey.

gem

From: Goertzel, Karen [USA] goertzel_ka...@bah.com
Date: Wed, 7 Mar 2012 09:53:18 -0500
To: Martin Gilje Jaatun secse-ch...@sislab.no, 
Secure Code Mailing List SC-L@securecoding.org
Subject: Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

Unfortunately, it seems like the SWEBOK folks still believe that if you have 
high-quality software, that will be sufficient to assure robustness against 
intentional threats. It also shows a touching lack of faith that there will 
never be a malicious participant in the SDLC intentionally sabotaging or 
subverting the code, test results, etc.

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

I love deadlines. I like the whooshing sound they make as they fly by.
- Douglas Adams

From: sc-l-boun...@securecoding.org 
[sc-l-boun...@securecoding.org] on behalf 
of Martin Gilje Jaatun [secse-ch...@sislab.no]
Sent: 05 March 2012 07:02
To: Secure Coding
Subject: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

Hi SC-L,

I would have hoped that Software Security should have been a topic area in 
SWEBOK, right alongside Software Quality, but it doesn't look like it...

-Martin

Original message
Subject:   [SEWORLD] SWEBOK Version 3 Call for Reviewers
Date:   Fri, 2 Mar 2012 10:53:26 -0700
From:   Dick Fairley dickfair...@gmail.com
To:   sewo...@sigsoft.org



*Call for Reviewers of Three New Knowledge Area Descriptions for the*

*Guide to the Software Engineering Body of Knowledge*

The IEEE Computer Society is now soliciting public review comments on 
three knowledge areas (KAs) for Version 3 of the Guide to the Software
Engineering Body of Knowledge (SWEBOK V3).  SWEBOK V3 is an update to the
2004 version of the SWEBOK Guide, which is also known as Technical Report
ISO/IEC TR 19759.  The 15 KAs in SWEBOK V3 are being published
incrementally as they become available for review.

The purposes of the SWEBOK Guide are: to characterize the contents of the
software engineering discipline; to promote a consistent view of software
engineering worldwide; to clarify the place of, and set the boundary of
software engineering with respect to other disciplines; to provide a
foundation for training materials and curriculum development; and to
provide a basis for certification and licensing of software engineers.

Three new KAs are now available for review (Software Engineering Methods
and Models; Software Maintenance; and Mathematical Foundations). These KAs
can be reviewed and comments can be submitted at:

computer.centraldesktop.com/swebokv3review/

The review period for these KAs extends from March 2 to March 31, 2012.

Three of the SWEBOK V3 KAs (Computing Foundations, Software Construction,
and Software Configuration Management) have been reviewed and the review
period is closed; the KA editors are resolving the public review
comments.  Resolution of submitted comments for all KAs will be displayed on the SWEBOK V3 Web
site as they become available.  All review comments, as well the names and
countries of the reviewers providing the comments, will be made public.  Email
addresses, affiliations, and other identifying information of reviewers
will not be made public.

Present and potential reviewers will be notified when additional KAs 
become available for review.  Each KA, when posted, will be available for review
for 30 calendar days from the date of posting.

For further information or help please contact Dick Fairley, chair of the
SWEBOK V3 Change Control Board at d.fair...@computer.org.


To contribute to SEWORLD, send your submission to seworld@sigsoft.org.
http://www.sigsoft.org/seworld provides more information on SEWORLD as well
as a complete archive of messages posted to the list.






[SC-L] c!net article on the RSA hamster wheel

2012-03-03 Thread Gary McGraw
hi sc-l,

There is still plenty of reactive security to be seen at RSA, but the amount of 
airplay that software security is getting is going up, and the presentations on 
building security in are getting better.

Elinor Mills just posted a nice summary article on c!net:
http://news.cnet.com/8301-27080_3-57389046-245/why-the-security-industry-never-actually-makes-us-secure/?tag=mncol;txt

If you think this kind of story is important to our field (like I do), pass it 
on…and post a comment.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] IEEE SP highlight

2012-02-21 Thread Gary McGraw
hi sc-l,

Happy tenth birthday to IEEE Security & Privacy magazine. IEEE Security & 
Privacy plays an important role in the field at the critical intersection point 
between peer reviewed science and applied technology.   If you don't subscribe 
yet, you should.

See 
http://www.cigital.com/justice-league-blog/2012/02/21/ieee-security-privacy-magazine-tenth-anniversary-edition-loaded-with-cigital/

See many of you at RSA.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com







[SC-L] Silver Bullet 70: Ross Anderson Reprise

2012-02-03 Thread Gary McGraw
hi sc-l,

Ross Anderson's first Silver Bullet episode (episode 13) has consistently led 
the download totals since its release way back when.  Over 25,000 people have 
listened to the episode and it remains very popular (either that or Ross is 
clicking on it an awful lot himself).  In order to compete with Ross's record, 
we brought in a heavy hitter, Ross Anderson for episode 70.  So, can Ross 
surpass Ross?  Only time will tell.

Episode 70 is a superb conversation.  I am always impressed and delighted with 
Ross's thoughtful responses to difficult questions.  We talked about:
the latest developments in Trusted Computing,
the iterated Prisoner's Dilemma as an economic model and its relevance to 
computer security,
information compartmentalization and Wikileaks,
time and security,
cyberwar versus cybercrime, and
Stuxnet.

http://www.cigital.com/silver-bullet/show-070/

If you're on this list and you have no idea who Ross is, go immediately and 
order Security Engineering which is hands down the best computer security 
book ever written.

Hope you enjoy our first ever Silver Bullet repeat.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] informIT: vBSIMM revised

2012-01-26 Thread Gary McGraw
hi sc-l,

Third party software is a major risk category in most modern organizations (see 
Third-Party Software and Security, 
http://www.informit.com/articles/article.aspx?p=1809143).  We have 
been working on a BSIMM derivative called the vBSIMM to help manage third party 
software risk.  Today we published a second, revised version  of the vBSIMM.  
Instead of focusing on individual applications, the vBSIMM approach focuses 
on software security initiative measurement.

After trying vBSIMM out at a major Wall Street bank as a pilot and then 
discussing the results of that study during the second BSIMM Conference last 
Fall, we have completely revised the vBSIMM model.  Read about the changes here:

vBSIMM Take Two (BSIMM for Vendors Revised), 
http://www.informit.com/articles/article.aspx?p=1832574 (January 26, 
2012)

The vBSIMM is now graduating from pilot to full fledged use at the bank where 
we first rolled it out.  We welcome others to make use of it as well.  For more 
on the relation between the vBSIMM and the real BSIMM, see 
http://bsimm.com/vbsimm/.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] informIT: BSIMM versus SAFECode

2011-12-31 Thread Gary McGraw
Let's try that again, this time with the proper email address…

From: gem g...@cigital.com
Date: Tue, 27 Dec 2011 16:32:56 -0500
To: sc-l-boun...@securecoding.org

hi sc-l,

How about a little software security controversy for the tweener holiday week?

On the last day of the BSIMM Conference in November, SAFECode unveiled a paper 
about the SAFECode Practices and their relationship to the BSIMM.   Sammy and I 
don't think the SAFECode guys got everything right in their work.  In fact, 
they misconstrue the BSIMM as a software security methodology (which it is not) 
focused on compliance (which it definitely is not), so we wrote an article in 
response:

BSIMM versus SAFECode and Other Kaiju Cinema 
http://www.informit.com/articles/article.aspx?p=1824250 (12/26/11)

Hope you enjoy it between parties!  Happy New Year to you all and special 
shouts out to Ken for running this list!  Thanks Ken.

Now back to your regularly scheduled holiday.

gem

P.S. The entire collection of informIT columns written over the last five years 
can be found here:  http://www.cigital.com/~gem/writings/




[SC-L] Silver Bullet 69: Steve Myers

2011-12-31 Thread Gary McGraw
happy new year sc-l,

The 69th episode of Silver Bullet is an interview with professor Steve Myers 
from Indiana University.  Steve is a cryptographer who works on Phishing, but 
he also teaches the security engineering course at IU.  Among other topics, we 
discuss the challenge of keeping academic research both scientific and relevant 
to practitioners.

http://www.cigital.com/silver-bullet/show-069/

As always, we welcome your feedback on the show and suggestions for who to 
interview in the new year.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] informIT: third-party software and security

2011-11-30 Thread Gary McGraw
hi sc-l,

We recently convened a BSIMM Community Conference near Portland, Oregon.  (For 
a list of the 42 companies participating in the BSIMM project, see 
http://bsimm.com/community/.)  The BSIMM project describes and measures the 
work of 786 SSG members, who together with a satellite of 1750 people, have 
direct impact on the work of 185,316 developers.

As you know, the BSIMM is mostly about SSDL activities and governance.  
However, third-party software plays a major role in all of the BSIMM firms and 
is an important risk factor that must be managed.  In addition to talks from 
member firms, the BSIMM Community Conference also featured a workshop on 
third-party software and security.

Sammy, Brian, and I wrote up the results in an informIT article that was posted 
today:
http://www.informit.com/articles/article.aspx?p=1809143

The interesting aspect of our workshop was that it was made up approximately of 
50% software vendors and 50% financial services firms.  This made for a very 
interesting conversation around vendor control.

As always, we welcome your feedback and thoughts about our findings.

gem






[SC-L] Silver Bullet 68

2011-11-30 Thread Gary McGraw
hi sc-l,

I am pleased to announce that episode 68 of the Silver Bullet Security Podcast 
is an interview of Cigital's own John Steven.  jOHN (or jS) as he is known 
around here is a well-respected technologist and software security 
practitioner.  He served a stint editing the Building Security In column for 
IEEE S&P magazine along with Gunnar Peterson.  He is also a very active OWASP 
participant.  I have worked closely with jS for many years and greatly value 
his insight and leadership in software security.

jS and I discuss how software architecture is being pulled by financial 
services instead of being pushed by technology firms, why architecture risk 
analysis is so important (and so hard to automate), the bias that developers 
and security practitioners show towards security features rather than software 
security Touchpoints, and enterprise use of static analysis tools.

Have a listen: http://www.cigital.com/silverbullet/

As always, your feedback on Silver Bullet is welcome.  This episode's victim in 
particular was suggested by Kevin Wall.  Who do you want to hear on Silver 
Bullet?

gem

P.S. Can you tell December starts tomorrow?  I am squeaking past the monthly 
deadlines with hours to spare this month!

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] informIT: Software Security Training

2011-10-31 Thread Gary McGraw
hi sc-l,

Happy Halloween everybody.

Sammy Migues and I just published an article on Software Security Training in 
informIT based on a decade of experience delivering software security training:
http://www.informit.com/articles/article.aspx?p=1767770

The article includes some analysis of both data from the BSIMM study and 
information from Cigital's Training practice.  FWIW, we estimate we have 
trained 14,000 developers using instructor led training.  Our computer based 
training (CBT) is deployed to 105,000 students.  Plenty of real world data.

Training is an essential part of any software security initiative.  As we 
refocus our efforts in software security to be more about fixing software 
security problems and less about simply finding problems in software, training 
will play an even bigger role.

What are the rest of you seeing out there on the training front?

gem

p.s. Thanks to Mike Pittenger for his help with the article.

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] silver bullet: bill pugh

2011-10-31 Thread Gary McGraw
hi sc-l,

The 67th Silver Bullet podcast features Bill Pugh.  Bill is an alpha geek who 
is currently a professor at University of Maryland.  You may know his FindBugs 
project if you're a Java person.  You may not know that Bill is also a fire 
eater who once lit my solstice bonfire in an interesting ritual.

Our conversation ranged far and wide on this episode and is likely to be 
appreciated by more technical listeners.

http://www.cigital.com/silverbullet/show-067/

Trick or treat.

gem

company www.cigital.com
articles www.cigital.com/~gem/writings/
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] BSIMM3 lives

2011-10-18 Thread Gary McGraw
hi steve and sc-l,

Sorry for the delay in responding.  I am just catching up after spending
last week in Bloomington, Indiana.  Some quick answers:

 1) Was any analysis done to ensure that the 3 levels are consistent
 from a maturity perspective - for example, if an organization
 performed an activity at level 2, that there was a high chance that
 it also performed many of the level-1 activities?  For example,
 many T2.x activities were done by more organizations than their
 counterpart T1.x activities, and there's a similar pattern with
 some SR2.x versus SR1.x.

We have done that kind of analysis twice...once between BSIMM and BSIMM2
and again between BSIMM2 and BSIMM3.  Our main objective is to ensure that
the levels we have identified hold statistical water in the entire
population.  We are less concerned with particular threads or associated
activity chains at this point.  The (10) minor adjustments to the BSIMM
that we have made over the years were driven by data analysis.

 2) Any thoughts on why the financial services vertical scored
 noticeably lower than ISVs on Code Review, Architectural Analysis,
 etc.?  Maybe ISVs have a better infrastructure for launching
 these activities because code development is a core aspect of
 their business?

Good question.  The main thing we noticed between BSIMM2 and BSIMM3 is
that ISVs began to pull away from FIs as a population in terms of
maturity.  This is most likely due to different approaches to the
recession.  The FIs pulled back from all operations and restructured staff
(often with layoffs).  The ISVs reinvested their profits into themselves
(and slowed the M&A engine down a gear or two).  Some of the ISV
investment went directly into the SSG.

Back in BSIMM2, there was only a 9 activity difference between ISVs and
FIs as populations given a T test (see Figure 4 of BSIMM2: Measuring the
Emergence of a Software Security Community
http://www.informit.com/articles/article.aspx?p=1592389 (May 12, 2010)).
 I am sure this has widened.

WRT technical activities such as code review and architecture analysis,
your theory is a good one.  I would enhance it by pointing out that
process-oriented activities are often an easier thing for FIs to establish
than for ISVs.  These two factors together are likely to account for the
difference.

 3) The wording about OWASP ESAPI in SFD2.1 is unclear: Generic open
 source software security architectures including OWASP ESAPI should
 not be considered secure out of the box.  Does Struts, mentioned
 earlier in the paragraph, also fall under the category of not
 secure out of the box?  Are you saying that developers must be
 careful in adopting security middleware?

Of course struts is not secure out of the box, which is the whole point of
the activity.  The major difference between struts as insecure and ESAPI
as insecure is that ESAPI claims to be a secure solution, though it is
often not.  One might argue that it is worse to claim to be secure and not
to be than to ignore the whole thing, but that's not really worth
pursuing.  For more regarding Cigital's view on ESAPI, see
http://www.cigital.com/justiceleague/2011/09/24/suggestions-for-esapi-2-1-and-beyond/ 

Thanks for your questions.  Hope these answers help.

gem

P.S. Cross posting to the BSIMM list.


company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com










On 10/15/11 5:45 PM, Steven M. Christey co...@rcf-smtp.mitre.org wrote:


Gary,

Congratulations to you, Brian, Sammy, and the rest of the BSIMM3
community!

I have a few questions:

1) Was any analysis done to ensure that the 3 levels are consistent
from a maturity perspective - for example, if an organization
performed an activity at level 2, that there was a high chance that
it also performed many of the level-1 activities?  For example,
many T2.x activities were done by more organizations than their
counterpart T1.x activities, and there's a similar pattern with
some SR2.x versus SR1.x.

2) Any thoughts on why the financial services vertical scored
noticeably lower than ISVs on Code Review, Architectural Analysis,
etc.?  Maybe ISVs have a better infrastructure for launching
these activities because code development is a core aspect of
their business?

3) The wording about OWASP ESAPI in SFD2.1 is unclear: Generic open
source software security architectures including OWASP ESAPI should
not be considered secure out of the box.  Does Struts, mentioned
earlier in the paragraph, also fall under the category of not
secure out of the box?  Are you saying that developers must be
careful in adopting security middleware?


- Steve



Re: [SC-L] BSIMM3 lives

2011-10-18 Thread Gary McGraw
hi chris,

Thanks for posting your data.  This is great.

The forty-two participating organizations in BSIMM3 are drawn from eight
verticals (with some overlap): financial services (17), independent
software vendors (15), technology firms (10), telecommunications (3),
insurance (2), energy (2), media (2), and healthcare (1). Those companies
among the forty-two who graciously agreed to be identified include: Adobe,
Aon, Bank of America, Capital One, The Depository Trust & Clearing
Corporation (DTCC), EMC, Fannie Mae, Fidelity, Google, Intel, Intuit,
Mashery, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Scripps
Networks Interactive, Sony Ericsson, Standard Life, SWIFT, Symantec,
Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo, and Zynga.

ISVs: Adobe, EMC, Google, Intuit, Mashery, McKesson, Microsoft, SAP, Sony
Ericsson, Symantec, VMware, Zynga (and 3 unnamed firms).

Though our ISV population is certainly biased towards big companies, there
are a couple of smaller firms in the mix (and even some very small ones).

I basically agree with Steve's theory on why code review, architecture
analysis, and security testing are more commonly observed in ISVs (with
the added comment regarding FIs and process).

gem

P.S.  Cross posting to the BSIMM list again.

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 10/17/11 11:49 AM, Chris Wysopal cwyso...@veracode.com wrote:

Steve,

Here is some information relative to your inquiry point #2 below.

Veracode's data from our State of Software Security Report Vol 3 found
that internally developed financial services software had less and lower
severity defects than ISVs.  ISVs actually had the worst security through
the lens of our automated static and dynamic analysis. Chart is attached.
Here are the numbers:

Application Performance by Industry (% acceptable level of security)

Overall42%
Financial  47%
Government 50%
Software   34%
Other  40%

Sample size is 4835 applications total.

One theory on the discrepancy between what we are seeing and BSIMM is our
sample of ISVs spans the entire industry by revenue.  We had many
companies in each of the following revenue categories: Under $50M,
$50-500M, $500M-1B, and over $1B.  Looking at the BSIMM ISV participants,
the companies all look like they are in the over $1B category.

But to add a contradicting data point, we found that % acceptable level
of security didn't change much based on ISV revenue. Whisker chart
attached.  I pulled out this data in my argument against Mary Ann
Davidson when she posited that maybe small ISVs can't be trusted to get
software security right but big companies can.

-Chris


-Original Message-
From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of Steven M. Christey
Sent: Saturday, October 15, 2011 5:45 PM
To: Gary McGraw
Cc: Secure Code Mailing List
Subject: Re: [SC-L] BSIMM3 lives


Gary,

Congratulations to you, Brian, Sammy, and the rest of the BSIMM3
community!

I have a few questions:

1) Was any analysis done to ensure that the 3 levels are consistent
from a maturity perspective - for example, if an organization
performed an activity at level 2, that there was a high chance that
it also performed many of the level-1 activities?  For example,
many T2.x activities were done by more organizations than their
counterpart T1.x activities, and there's a similar pattern with
some SR2.x versus SR1.x.

2) Any thoughts on why the financial services vertical scored
noticeably lower than ISVs on Code Review, Architectural Analysis,
etc.?  Maybe ISVs have a better infrastructure for launching
these activities because code development is a core aspect of
their business?

3) The wording about OWASP ESAPI in SFD2.1 is unclear: Generic open
source software security architectures including OWASP ESAPI should
not be considered secure out of the box.  Does Struts, mentioned
earlier in the paragraph, also fall under the category of not
secure out of the box?  Are you saying that developers must be
careful in adopting security middleware?


- Steve



[SC-L] BSIMM3 lives

2011-09-27 Thread Gary McGraw
hi sc-l,

BSIMM3 was just posted.  You can download it from http://bsimm.com

Since the first BSIMM interview in October 2008, we’ve progressed from 9 to 30 
to 42 firms (and more, at this point). We’ve also measured 11 firms twice—with 
about 19 months between measurements on average—providing the software security 
community with unique insight on how software security initiatives change over 
time. Assessing 42 individual firms and performing 11 re-assessments required 
81 sets of in-depth interviews in just a shade less than three years.

Some highlights for the third major release of the BSIMM:

 *   BSIMM3 now includes 42 firms
 *   BSIMM3 describes 109 activities in 12 practices with 2 or more real 
examples for each activity (all completely revised since BSIMM2)
 *   11 firms have been measured twice (giving us Longitudinal Study data) and 
the data show measurable improvement
 *   The BSIMM3 data set has 81 distinct measurements (some firms measured 
twice, some firms have multiple divisions measured separately)
 *   BSIMM3 describes the work of 786 SSG members working with a satellite of 
1750 people to secure the software developed by 185,316 developers
 *   BSIMM3 is available for free on the BSIMM website 
http://bsimm.com/

The BSIMM remains the only measuring stick for software security initiatives 
based on science.  It is extremely useful for comparing the initiative of any 
given firm to a large group of similar firms.  The BSIMM has been used by 
multiple firms to strategize and plan their software security initiatives and 
measure the results.

We're proud of this work and the data we have gathered.  Please let us know 
what you think.

gem, brian, and sammy

P.S.  Here are the companies and software security executives participating in 
this work.  Thanks to each and every one of you!
Adobe (Brad Arkin), Aon (Trey Keifer), Bank of America (Jim Apple), Capital One 
(Bryan Orme), DTCC, EMC (Eric Baize), Fannie Mae (Ted Jestin), Google (Eric 
Grosse), Intel (Jeff Cohen), Intuit (Shaun Gordon), McKesson (Mike Wilson), 
Microsoft (Steve Lipner), Nokia (Antti Vähä-Sipilä and Janne Uusilehto), 
QUALCOMM (Alex Gantman), Sallie Mae (Jerry Archer), SAP (Gunter Bitz), Scripps 
Networks Interactive (Greg Allender), Sony Ericsson (Per-Olof Persson), Standard 
Life (Mungo Carstairs and Alan Stevens), SWIFT (Peter De Gersem and Alain 
Desausoi), Symantec (Cassio Goldschmidt), Telecom Italia (Marco Bavazzano), 
Thomson Reuters (Tom Lawton and Andrew Rowson), Visa (Gary Warzala), VMware 
(Kris Inglis), Wells Fargo (Eric Kurnie), and Zynga (Chris Peterson).   Some 
companies have chosen to participate anonymously.


