hi sc-l,

OWASP just posted an interview with me as part of their budding podcast series.
It's nice to have the tables turned after doing all the Silver Bullet (and
Reality Check) interviews!  It's also nice to be able to answer some of the
questions that OWASP types have about Cigital's approach to software security.

Download the podcast here: https://www.owasp.org/index.php/Podcast_5

The OWASP interviewer is Jim Manico, and he did a great job.  He was a little 
worried about some of the questions he asked.  In fact, off the record he kept 
saying he was sorry and telling me that I did not have to address certain 
questions.  Personally, I enjoyed the questions he asked immensely.  Though 
some of his questions were loaded, I do hope that my answers may serve to 
clarify our position and eliminate OWASP concerns.

Here are a few of the many more questions I address in the podcast:

 *   Why do you insist on use of the term "software security" as opposed to 
"application security"?
 *   What is static analysis good for and what is it no good for?
 *   What is the exact relationship between Cigital and Fortify?
 *   Why do you think your "top 19" is any better than the OWASP top 10 or the 
CWE top 25?  (Special note, the 19 Sins work is Mike Howard's and John 
Viega's...I was not involved.)
 *   Why does Cigital have a proprietary approach to IP?
 *   What makes the Touchpoints any better than the SDL or CLASP?
 *   What is your relationship with Allan Paller and SANS?
 *   Who picked the "porn music" theme for Silver Bullet?

As an extra bonus, the theme music for this episode is a song written and 
recorded by my band Where's Aubrey.

Anyway, enjoy the podcast, and let me know what you think about my answers!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________