[SC-L] Silver Bullet 123: Yanek Korff

2016-07-06 Thread Gary McGraw
hi sc-l,

The latest installment of Silver Bullet was posted this morning.  Silver Bullet 
episode 123 features a conversation with Yanek Korff.  Yanek worked for many 
years at Cigital as a system administrator back in the early days.  He then 
moved on to operational security work at AOL and running managed security 
services at Mandiant.   

We talk about managing technical people in this episode.  We also discuss 
operational security.  Have a listen: 

http://bit.ly/SB-yanek 

As always, your feedback on Silver Bullet (including suggestions for future 
victims) is most welcome.

gem

http://garymcgraw.com 



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Silver Bullet 122: David Nathans

2016-06-07 Thread Gary McGraw
Hi sc-l,

The latest episode of Silver Bullet features a conversation with David Nathans 
from Siemens Healthcare.  David got his start in security ops, and even wrote a 
book about that.  But he completely understands why product security is 
essential in the modern world and has been moving things in the right direction 
when it comes to medical devices.  

Have a listen: http://bit.ly/SB-nathans  

As always, your feedback is welcome.

gem

http://garymcgraw.com 





[SC-L] Jack from Codiscope: Static Analysis for Node.JS

2016-05-20 Thread Gary McGraw
Hi sc-l,

New tech stacks call for new static analysis approaches.  Check out Jack (free 
for developers) from Codiscope:

https://codiscope.com/not-your-fathers-code-review/ 

gem

https://www.garymcgraw.com/ 
@cigitalgem 




[SC-L] Silver Bullet 121: Marty Hellman

2016-05-10 Thread Gary McGraw
hi sc-l,

While I was away in Europe, Silver Bullet 121 went live.  This episode is an 
interview with recent Turing award winner and public key crypto inventor Marty 
Hellman.  I met Marty this year at RSA the night he won the Turing award.  He’s 
a hugely interesting guy.

We talk math, crypto, politics, and the history of the first two crypto wars.  
Marty put his own career (and freedom) on the line in the first!  It’s super 
interesting.  We also talk about nuclear non-proliferation which Marty has been 
actively working on for many years.

http://bit.ly/SB-marty 

Have a listen and pass it on.

gem

http://garymcgraw.com 





[SC-L] Silver Bullet celebrates a decade of shows: Gary McGraw

2016-04-01 Thread Gary McGraw
hi sc-l,

Hard to believe, but Silver Bullet has been running for ten years---120 months 
of shows in a row without missing a month.  To celebrate this accomplishment, 
we shot a video for episode 120 out by the Shenandoah river at my house.  And 
we turned the tables on the interview.  Marcus Ranum, inventor of the firewall, 
interviews me.  

We discuss: software security, internet of (crappy) things, the surveillance 
state, advisory board work, toothbrush DDoS, Perl, and evolutionary biology.  
Have a look.  I hope you enjoy it.  

http://bit.ly/SB-gem 

Silver Bullet continues to be a blast to do.  The last time we ran stats, last 
October, Silver Bullet had over 1.4 million listens with an episode averaging 
almost 14K listeners.

gem

https://www.garymcgraw.com/






[SC-L] Silver Bullet 119: Jacob West on the IEEE CSD Wearables report (design review)

2016-02-29 Thread Gary McGraw
hi sc-l,

It’s leap day and RSA week!

We just posted Silver Bullet episode 119 featuring BSIMM co-author and IEEE CSD 
co-founder Jacob West talking about the latest IEEE CSD report.   Architecture 
analysis lags behind other touchpoints when it comes to software security 
practices.  The CSD wearables report is intended to help get developers and 
architects more familiar with just what design analysis means:

http://bit.ly/SB-CSDwearable 

Your feedback on the podcast is welcome.

gem

I have a new website https://www.garymcgraw.com/ (TECH | LIFE | MUSIC)





[SC-L] Silver Bullet: Jack Daniel

2016-02-01 Thread Gary McGraw
hi sc-l,

For the first Silver Bullet of 2016 I have a chat with Jack Daniel, co-founder 
of the BSides Conferences.  We talk about security communities, the evolution 
of the field, car repair, complex systems, the waning security Renaissance, 
and other matters.  We conclude with a quick pointer to various tiki 
experiences.

http://bit.ly/SB-jackdaniel

Have a listen.  Your feedback on the podcast is always welcome.

gem

company www.cigital.com
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 117: Jamie Butler

2015-12-26 Thread Gary McGraw
hi sc-l,

The current episode of the Silver Bullet Security Podcast features Jamie 
Butler, CTO of Endgame.  Jamie and I talk rootkits (he wrote the book with Greg 
Hoglund), attack patterns, defense and offense.  Jamie has a long career in 
security (17 years) spanning early days at Fort Meade, through Mandiant, to 
Endgame.

Have a listen: http://bit.ly/SB-butler

And happy holidays from Silver Bullet!

gem

company www.cigital.com
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 116: Doug Maughan

2015-12-01 Thread Gary McGraw
hi sc-l,

Doug Maughan is one of the very good people who somehow works in the federal 
government at DHS (I know).  He has been funding reasonable science in computer 
security since his early DARPA days and even once funded some of our work at 
Cigital.  We talk about science, research, tech transfer, the research valley 
of death, and why computer security is so badly broken in the federal 
government.

Have a listen: http://bit.ly/SB-maughan

As always, your comments are welcome.  Thanks for listening.  Pass it on!

gem



[SC-L] Silver Bullet 115: mudge

2015-10-29 Thread Gary McGraw
hi sc-l,

Cigital just posted Silver Bullet 115 which features an interview with mudge 
(a.k.a., Peiter Zatko).

https://www.cigital.com/podcasts/show-115-peiter-mudge-zatko/

We talk L0pht, Cult of the Dead Cow, early security days, testifying before 
Congress, why the government is so confused about security, DARPA, DoD, Google, 
and current doings.  Mudge is one of the original hackers from days gone by who 
took his hobby and turned it into a career. (I have known him since I was ten.)

Have a listen and pass it on.

gem

company www.cigital.com
writings www.cigital.com/gem/writings/
book www.swsec.com
twitter @cigitalgem



[SC-L] BSIMM6

2015-10-19 Thread Gary McGraw
hi sc-l,

Today Cigital published Release 6 of the Building Security In Maturity Model 
(BSIMM).  The BSIMM now represents eight years of bringing science to 
software security.  We have directly measured over 104 companies across 
multiple industries (BSIMM6 covers 78 of them).  BSIMM6 also includes the 
addition of healthcare as one of the well-represented verticals (10 firms or 
more).

Opinion is rife in computer security, and software security as well.  BSIMM6 
provides a set of facts to both counter and ground opinion in reality.  Want to 
know what the ratio of software security professionals to developers is?  The 
BSIMM knows.  BSIMM6 describes the work of 1,084 SSG members working with a 
satellite of 2,111 people to secure the software developed by 287,006 developers.

The BSIMM is a free resource published under the creative commons.  Please use 
it in your own work.  You can download BSIMM6 from the new website 
http://bsimm.com

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com
twitter @cigitalgem




[SC-L] SearchSecurity: Seven Myths of Software Security

2015-10-06 Thread Gary McGraw
hi sc-l,

You’ve heard these before I’m sure.  Working on expanding or improving your 
software security initiative?  Here are seven of the most common objections we 
see all the time (and what to say in response).

Please read this article: http://bit.ly/swsec-myths

Hopefully you will all find this useful in getting thinking back on track when 
it comes to software security.

As always, your feedback is welcome.  Let me know what you think!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 114: Peter "Pete" Clay

2015-09-30 Thread Gary McGraw
hi sc-l,

Episode 114 of Silver Bullet was just posted.  This episode features Peter 
“Pete” Clay who has served as a CISO in several firms (Deloitte, Invotas, Qlik) 
and has provided security direction both in the Federal government and the 
private sector.

Have a listen: http://bit.ly/SB-pete

As always, your feedback and your suggestions for future episodes greatly 
appreciated!

gem

company www.cigital.com
writings www.cigital.com/gem/writings/
book www.swsec.com




[SC-L] The FTC and Software Security

2015-09-17 Thread Gary McGraw
hi sc-l,

I just posted some thoughts on the FTC and software security.

Have a look: http://bit.ly/gem-FTC

gem



[SC-L] Podcast: Threatpost covers software security

2015-09-12 Thread Gary McGraw
hi sc-l,

Yesterday I recorded an episode of Threatpost with Dennis Fisher.  We talk 
about many current topics, including how to scale software security.

Have a listen and pass it on:
https://threatpost.com/gary-mcgraw-on-scalable-software-security-and-medical-device-security/114640/

Topics covered include: BSIMM6, software security growth, the FTC and security, 
security in startups, medical device security, scaling software security, music

gem



Re: [SC-L] [External] Re: SearchSecurity: Dynamism

2015-09-08 Thread Gary McGraw
As far as I know, Microsoft integrated some reference monitoring into their OS 
family under Fred Schneider’s guidance.  They called it “inline reference 
monitoring” and I believe they still use it.

gem




On 9/8/15, 8:49 AM, "SC-L on behalf of Goertzel, Karen [USA]" 
 wrote:

>Yes, we seem to abandon security mechanisms that (1) we can actually trust, 
>and (2) that Microsoft and Google refuse to build.
>
>===
>Karen Mercedes Goertzel, CISSP, CSSLP
>Senior Lead Scientist
>Booz Allen Hamilton
>703.698.7454
>goertzel_ka...@bah.com
>
>"The hardest thing of all is to
>find a black cat in a dark room,
>especially if there is no cat."
>- Confucius
>
>
>
>From: Peter G. Neumann [neum...@csl.sri.com]
>Sent: 06 September 2015 15:24
>To: Goertzel, Karen [USA]
>Cc: Alfonso De Gregorio; Johan Peeters; Secure Code Mailing List
>Subject: Re: [SC-L] [External] Re: SearchSecurity: Dynamism
>
>Reference monitors were a lovely concept, largely invented for multilevel
>security kernels and trusted computing bases, but are almost nonexistent
>in that context.  Yes, they'd be lovely to have, but even the NSA folks
>seem to have abandoned them...
>



Re: [SC-L] Silver Bullet 113: Chandu Ketkar

2015-09-08 Thread Gary McGraw
The URL was apparently scrambled below.  For the SB episode try: 
http://bit.ly/SB-chandu 

gem




On 8/31/15, 12:51 PM, "SC-L on behalf of Gary McGraw" 
 wrote:

>hi sc-l,
>
>The new episode of Silver Bullet features a conversation with Chandu Ketkar. 
>Chandu has 20+ years of experience in software, starting as a developer and 
>working his way to a secure design proponent.  Have a listen:
>http://bit.ly/SB-chandu<https://www.cigital.com/podcasts/show-113-software-security-best-practices/>
>
>We discuss threat modelling, architectural analysis, healthcare security, 
>economics, and what developers think of security (not necessarily in that 
>order).  You can also find out what Chandu’s favorite Indian music is when you 
>listen.
>
>gem
>
>company www.cigital.com
>blog www.cigital.com/justiceleague
>book www.swsec.com
>



[SC-L] Silver Bullet 113: Chandu Ketkar

2015-09-06 Thread Gary McGraw
hi sc-l,

The new episode of Silver Bullet features a conversation with Chandu Ketkar. 
Chandu has 20+ years of experience in software, starting as a developer and 
working his way to a secure design proponent.  Have a listen:
http://bit.ly/SB-chandu

We discuss threat modelling, architectural analysis, healthcare security, 
economics, and what developers think of security (not necessarily in that 
order).  You can also find out what Chandu’s favorite Indian music is when you 
listen.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] SearchSecurity: Dynamism

2015-08-20 Thread Gary McGraw
hi sc-l,

What is the relationship between dynamic languages and dynamic methodologies?  
What is the impact on software security?

This article provides a gentle introduction: http://bit.ly/gem-dynamic

Feedback welcome.  Pass it on.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com




[SC-L] Silver Bullet 112: Matthew Green and Steve Bellovin on Crypto Back Doors

2015-07-23 Thread Gary McGraw
hi sc-l,

For the latest episode of Silver Bullet, we spoke to two of the fifteen 
co-authors of the Keys Under Doormats paper describing the technical peril of 
implementing crypto back doors as FBI Director Comey has suggested.  Steve 
Bellovin comes at the problem with years of experience and direct involvement 
in the first crypto wars.  Matthew Green comes to the problem with a solid 
understanding of applied cryptography in real world systems.  Have a listen:

http://bit.ly/SB-crypto-wars

As always, your feedback on SilverBullet is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 111: Marcus Ranum

2015-07-07 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 111 is a sneaky one based around a “dirty brilliant 
trick.”  The episode features Marcus Ranum, inventor of the proxy firewall and 
all around security guru.  We talk about perimeter security, software security, 
security progress (or lack of such) and whether hackers are necessary for 
security.

http://bit.ly/sb111-mjr   (or for purists 
http://www.cigital.com/silver-bullet/show-111/)

So what was the trick?  At the end of the episode I revealed that during 
episode 3 (recorded exactly 9 years before episode 111), I asked Marcus exactly 
the same set of questions.  Wonder how consistent Marcus is over nine years?  
Compare and contrast http://www.cigital.com/silver-bullet/show-003/

gem



[SC-L] Silver Bullet 110: Paul Dorey

2015-06-04 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 110 features Paul Dorey.  Paul was one of the original 
CSOs of Europe, ultimately serving as the CSO of BP.  He and I are on an 
Advisory Board together, and most recently, Paul and I did a “fireside chat” at 
the BSIMM Europe Conference.  We talk about the CSO job, software security, and 
a few other things on this episode:

http://bit.ly/SB-dorey

As always, your feedback is welcome.  Please post, tweet, share, email, etc.  
Spread the #swsec meme.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] RSA Antidote: Bart Preneel on Silver Bullet 109

2015-04-27 Thread Gary McGraw
hi sc-l,

Lots of us have RSA Conference goo leaking out of our ears by now.  Yerg.  
Here’s a quick antidote from a serious cryptographer.  Bart Preneel is a 
professor at KU Leuven (founded in 1425).  He is an exceptional 
cryptographer and a huge supporter of software security in Europe.

http://bit.ly/SB-bart

As always, your feedback is welcome.  Two more days of RSA to go.  Please send 
reinforcements.

gem



[SC-L] Silver Bullet 108: Katie Moussouris

2015-03-31 Thread Gary McGraw
hi sc-l,

Just in time for my Spring Break college tour with Eli, here is Silver Bullet 
episode 108, an interview with HackerOne’s Katie Moussouris.

Katie and I talk about bug bounties, early coding (sadly she was a C64 person 
instead of an Apple ][+ person), SDL, BlueHat, mentors, and more.  Have a listen: 
http://bit.ly/SB-katie

And as always, please pass it on through all media (twitter, facebook, 
linkedin, email, and good old fashioned word of mouth).

Your feedback is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] [searchsecurity] How to structure an SSG

2015-03-31 Thread Gary McGraw
hi sc-l,

During the last BSIMM Conference in Monterey, CA, Caroline Wong ran a 
workshop/session during which all 23 firms present shared their BSIMM 
structures with each other.  The event was organized as a poster session. It was 
a great event.  Caroline and I took the data, crunched it, organized it, and 
wrote it up in an article that was just published by SearchSecurity.

http://bit.ly/gem-SSG

If you’re wondering how to structure a new SSG, or refactor an existing SSG, 
take a look at what we discovered.

As always, your feedback is welcome. Tweet to me about it @cigitalgem.

gem


company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 107: L Jean Camp

2015-03-02 Thread Gary McGraw
hi sc-l,

Silver Bullet Security Podcast episode 107 just went live.  This episode 
features L. Jean Camp, a professor of Informatics at Indiana in Bloomington.  
Jean has worked on the intersection of privacy, security, technology and policy 
for years.  We discuss usability, implicit security requirements, translucent 
security, elders and security and more.  Have a listen: http://bit.ly/SB-camp

As always, your feedback on the episode is welcome.  See you on twitter 
@cigitalgem.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



Re: [SC-L] [article] When risk management goes bad

2015-02-24 Thread Gary McGraw
hi christian,

Good point.

A combined risk score based on “SIL” levels is what I was using in my 
article.  The combination risk score takes into account both technology 
risk and business risk.  Using one component or the other alone is folly.

gem




On 2/24/15, 4:13 AM, "Christian Heinrich"  
wrote:

>Gary,
>
>On Sat, Feb 21, 2015 at 6:13 AM, Gary McGraw  wrote:
>> I wrote my latest SearchSecurity article based on conversations I have 
>>been having with a number of CSOs and
>> security execs.  It’s about what happens when risk management goes bad. 
>> The biggest failure condition seems
>> to be “ignoring the lows” entirely.
>
>"High" technology risks, such as chained exploits, are "low" business
>risks in the context of ISO 31000 et al.
>
>
>-- 
>Regards,
>Christian Heinrich
>
>http://cmlh.id.au/contact



[SC-L] [article] When risk management goes bad

2015-02-24 Thread Gary McGraw
hi sc-l,

I wrote my latest SearchSecurity article based on conversations I have been 
having with a number of CSOs and security execs.  It’s about what happens when 
risk management goes bad.  The biggest failure condition seems to be “ignoring 
the lows” entirely.

Anyway, have a read and pass it on: http://bit.ly/risk-gn-bad

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] The Web Platform podcast talks security

2015-02-04 Thread Gary McGraw
hi sc-l,

An entire gaggle of devs and architects interviews me about software security.  
Have a listen.  Pass it on >>
http://thewebplatform.libsyn.com/28-securing-your-web-applications

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Superbowl Silver Bullet Security Podcast 106: Steve Katz

2015-02-03 Thread Gary McGraw
hi sc-l,

What’s better than the Superbowl?  Silver Bullet of course!  Hah.  Have a 
listen to episode 106 featuring Steve Katz, widely revered as the world’s first 
CISO.  Steve has served as CISO of Citibank/Citigroup, JP Morgan, Merrill Lynch, 
and Kaiser Permanente.  (We serve on one Advisory Board together.)

http://www.cigital.com/silver-bullet/show-106/

Steve and I discuss security, business, risk management, software security, and 
more.

As always, your feedback and discussion of the episode are welcome.  (Please 
tweet about the episode if you would.)  And happy Superbowl weekend!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem




[SC-L] Silver Bullet: Whitfield Diffie

2015-01-01 Thread Gary McGraw
hi sc-l,

Merry New Year to you all!!

Episode 105 of Silver Bullet is an interview with Whitfield Diffie.  Whit 
co-invented PKI among other things.  We have an in-depth talk about crypto, 
computation, LISP, AI, quantum key distro, and more.

http://bit.ly/SB-diffie

As always, your feedback on Silver Bullet is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com





[SC-L] Silver Bullet: Rick Gordon

2014-12-05 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 104 features Rick Gordon, Managing Partner of Mach37, a 
Virginia-based cybersecurity incubator.  We talk nuclear subs, finance, running 
startups, and just exactly what an incubator does:
http://www.cigital.com/silver-bullet/show-104/

Your feedback is welcome.

gem

@cigitalgem



[SC-L] medical device security [searchsecurity]

2014-12-01 Thread Gary McGraw
hi sc-l,

Happy belated dead turkey day to everyone in the US.  Happy today day to 
everyone else.

I'm on my way this week to a healthcare and security meeting in San Francisco.  
Just in time for that, this month's SearchSecurity column focuses 
on healthcare, asking who is in charge (at healthcare facilities) and whether 
we focus too much attention on patient data:
http://searchsecurity.techtarget.com/opinion/McGraw-asks-whos-in-charge-of-medical-device-security?utm_campaign=ssec_security&utm_medium=social&utm_source=twitter&utm_content=1417452411

As always, your feedback is welcome.

gem

@cigitalgem





[SC-L] Silver Bullet: Brian Krebs

2014-10-31 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 103 features Brian Krebs, whose website
http://krebsonsecurity.com is among the leading security reporting sites on
the planet.  Brian was once a reporter for the Washington Post, but he went
solo after being let go (too deep for the dinosaur).  Krebs broke a number
of important stories in 2014, including the Target and Home Depot breaches
(among others). 

In our conversation, we discuss old media vs new media, Russian crime
syndicates, political strategy and cyber security, and why the government is
so far behind in software security.

http://www.cigital.com/silver-bullet/show-103/

As always, your feedback on Silver Bullet is welcome (try tweeting to
@cigitalgem).  Thanks for listening.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com 
twitter @cigitalgem







[SC-L] Silver Bullet 102: Richard Danzig

2014-09-21 Thread Gary McGraw
hi sc-l,

The 102nd monthly episode of the Silver Bullet podcast features a conversation 
with Richard Danzig.  Richard is a very accomplished leader who served as 
Secretary of the Navy (among other powerful positions).  He is currently a 
member of the Board of the Center for a New American Security.  Richard is 
attempting in his recent work to bridge the gap between technologists and 
Washington policy makers when it comes to cybersecurity.

http://www.cigital.com/silver-bullet/show-102/

Our wide-ranging conversation focuses mostly on a recent report Richard 
authored titled “Surviving on a Diet of Poisoned Fruit: Reducing the National 
Security Risks of America’s Cyber Dependencies”, which I encourage you all 
to read.  At the end of our conversation we discuss what technologists like 
ourselves can do to improve computer security policy in Washington.

As always, your feedback on the podcast is welcome.

In other news, I hope to see some of you at AppSecUSA in Denver this week.  I 
am giving Friday morning’s keynote.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] IEEE Center for Secure Design [searchsecurity and silver bullet]

2014-08-27 Thread Gary McGraw
hi sc-l,

This evening in SF we are officially launching the IEEE Center for Secure Design 
with a small event including security people and press.  Jim DelGrosso and I 
will make a short presentation about the CSD during the launch.

I devoted both of my monthly pieces (Silver Bullet and SearchSecurity) to the 
CSD this month.

Please check out this article and pass it on:
http://bit.ly/CSD-SS  


Also have a listen to the new Silver Bullet podcast featuring Del, Christoph 
Kern from Google, and Yoshi Kohno from University of Washington where we all 
discuss the CSD:
http://www.cigital.com/silver-bullet/show-101/

Finally, note that the IEEE CSD website and an associated work called “Avoiding 
the Top Ten Software Security Flaws” will be live soon:
http://cybersecurity.ieee.org/center-for-secure-design.html

Make sure to read the CSD document.  It’s good stuff.  Discussion welcome!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet Episode 100 (!!): Cigital's Principals

2014-07-23 Thread Gary McGraw
hi sc-l,

Thanks for listening to the Silver Bullet Security Podcast for the eight and a third 
years it has been produced.  Each episode has been downloaded over 10,787 times 
on average with over 1,067,948 downloads for the podcast as a whole.  That's 
lots of listening!

To celebrate our 100 months in a row landmark, we shot a live video version of 
Silver Bullet at the Cigital Tech Fair this month.  The episode features 
Cigital’s Principals, all technical leaders in software security: John Steven, 
Scott Matsumoto, Paco Hope, Jim Del Grosso and Sammy Migues.  Ever wonder who 
is optimistic about progress in computer security and who is pessimistic?  Find 
out at the end of the episode!  A majority of the episode is devoted to 
software security, with forays into frameworks, static analysis, mobile 
security, architecture analysis, the BSIMM and more.

http://bit.ly/SB-100   (or http://www.cigital.com/silver-bullet/show-100/)

Special thanks to Ryan Macmichael, Brandi Ortega, and Jenny Stout for their 
help behind the scenes over the years.   Silver Bullet could not be produced 
without them.

As always, your feedback on the episode and on the podcast as a whole is 
welcome.  Thanks again for making Silver Bullet a success.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] [External] Re: SearchSecurity: Medical Devices and Software Security

2014-07-08 Thread Gary McGraw
he real potential hazards of the
>>Internet of Things.
>
>+1. Dr. Geer has already warned about it at
>http://www.lawfareblog.com/2014/04/heartbleed-as-metaphor/. Can you
>imagine the IoT, with medical devices and avionics packages, running
>around with little to no testing and little more than the browser
>security model. Clear the cache to erase the evidence!!!
>
>> Manufacturers of the latter need to stop trying so bloody hard to
>>"improve" products that no longer need improvement.
>
>This is a political problem rooted in software liability laws (or lack
>thereof). Too many carrots, not enough sticks.
>
>As it stands, it's cost-effective to do nothing. The risk analysis
>equations need to be tipped in favor of the consumer or user. Once it
>starts costing money to do nothing, doing nothing will no longer be
>economically feasible. The market will drive meaningful change (as
>opposed to the watered-down legislation with no teeth bought and paid
>for by lobbyists and special interests).
>
>Jeff
>
>On Mon, Jul 7, 2014 at 10:52 AM, Goertzel, Karen [USA]
> wrote:
>> Ever since I read an article about the challenges of remote laser
>>surgery being done by doctors at the Naval Hospital in Bethesda, MD, via
>>satellite link on wounded soldiers in Iraq, I've been warning for years
>>about the need to apply software assurance principles to the development
>>and testing - and SCRM to the acquisition - of medical devices and their
>>embedded software. I'm delighted to see someone with your influence
>>start warning those who confuse software correctness and safety with
>>software security of the potential havoc that can potentially be wrought
>>by malevolent actors as these little widgets become increasingly
>>networked and even Internet-accessible.
>>
>> What I want to know is this: When is someone who can actually make a
>>difference going to FINALLY figure out the real potential hazards of the
>>Internet of Things? Certain physical systems and devices really should
>>NEVER be connected to the public Internet - e.g., most Industrial
>>Control Systems, all medical devices, any plane, train, or automobile.
>>And others really never NEED to be Internet-connected. I mean, do we
>>really, REALLY need to be able to access our refrigerators or washing
>>machines over the Web? Aren't we all growing obese enough without making
>>things so bloody convenient that we needn't even walk the 20 feet from
>>the bedroom to the kitchen or laundry room to program the coffee maker
>>or start another rinse cycle?
>>
>> Manufacturers of the latter need to stop trying so bloody hard to
>>"improve" products that no longer need improvement. There does come a
>>time when a technology goes as far as it can go - and any further
>>attempts to "improve" it are either purely cosmetic, unnecessary, or
>>dangerous. I wish all these manufacturers who waste their times trying
>>to invent a better toaster would, instead, invent something entirely new
>>to solve a problem that hasn't already been solved quite adequately for
>>many decades. No wonder American manufacturing is no longer competitive.
>>All they do is continually rearrange deck chairs on the Titanic to
>>improve the view as the boat sinks, instead of inventing a new means of
>>transportation that actually CANNOT be taken down by an iceberg.
>>
>>
>> ===
>> Karen Mercedes Goertzel, CISSP
>> Senior Lead Scientist
>> Booz Allen Hamilton
>> 703.698.7454
>> goertzel_ka...@bah.com
>>
>> "Answers are easy. It's asking the right questions which is hard."
>> - The Doctor
>>
>> 
>> From: SC-L [sc-l-boun...@securecoding.org] on behalf of security
>>curmudgeon [jeri...@attrition.org]
>> Sent: 06 July 2014 01:21
>> To: Gary McGraw
>> Cc: Chandu Ketkar; Secure Code Mailing List
>> Subject: [External]  Re: [SC-L] SearchSecurity: Medical Devices and
>>Software Security
>>
>> On Mon, 30 Jun 2014, Gary McGraw wrote:
>>
>> : Chandu Ketkar and I wrote an article about medical device security
>>based
>> : on a talk Chandu gave at Kevin Fu's Archimedes conference in Ann
>>Arbor.
>> : In the article, we discuss six categories of security defects that
>> : Cigital discovers again and again when analyzing medical devices for
>>our
>> : customers.  Have a look and pass it on:
>> :
>> : http://bit.ly/1pPH56p
>> :
>> : As always, your feedback is welcome.
>>
>> Per your request, my feedback:
>>

[SC-L] Silver Bullet 99: Michael Hicks

2014-07-03 Thread Gary McGraw
hi sc-l,

Silver Bullet Security Podcast number 99 (99 months in a row!!) was just 
posted.  This episode features a programming languages smorgasbord with Michael 
Hicks, professor of CS and security at University of Maryland.  We talk type 
safety, closure, why C is bad, what makes dynamic languages like JavaScript 
problematic, and so on.  If you like programming languages talk, you’ll dig 
this episode.

Have a listen: https://www.cigital.com/silver-bullet/show-099/

As always, your feedback on the podcast is welcome.  We’re shooting a video for 
episode 100!!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] SearchSecurity: Medical Devices and Software Security

2014-07-03 Thread Gary McGraw
hi sc-l,

Chandu Ketkar and I wrote an article about medical device security based on a 
talk Chandu gave at Kevin Fu’s Archimedes conference in Ann Arbor.  In the 
article, we discuss six categories of security defects that Cigital discovers 
again and again when analyzing medical devices for our customers.  Have a look 
and pass it on:

http://bit.ly/1pPH56p

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 98: Bart Miller

2014-06-05 Thread Gary McGraw
hi sc-l,

Bart Miller, computer science professor from Wisconsin, coined the term fuzz 
testing in 1990.  He also is the PI for the DHS SWAMP---a software assurance 
marketplace of sorts.  Bart knows a ton about software analysis.

In episode 98 of Silver Bullet, we geek out about software security, Heartbleed, 
fuzz testing, fault injection, and instrumenting binary code as it runs.  Have 
a listen: http://www.cigital.com/silver-bullet/show-098/

Your feedback is welcome.  Pass it on!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 97 + SearchSecurity Heartbleed

2014-05-06 Thread Gary McGraw
hi sc-l,

Heartbleed?   Who cares?  We do.  Real lessons here >> http://bit.ly/1lBKDsE

Silver Bullet 97.  Programming languages actually matter. >> 
http://www.cigital.com/silver-bullet/show-097/

Read. Listen. Share. React.

We want your feedback.

gem



[SC-L] Silver Bullet 96: Nate Fick, CEO of Endgame (and combat veteran)

2014-04-04 Thread Gary McGraw
hi sc-l,

Nate Fick is an interesting man.  He has a classics degree from Dartmouth, 
where he is now a Trustee.  He served combat tours in Afghanistan and Iraq, 
resulting in the book “One Bullet Away” and the HBO series “Generation Kill.”  
He served as the CEO of an important new think tank, the Center for New 
American Security.  While he was at CNAS, we wrote this: 
http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf  And then he 
transitioned to become CEO of Endgame.  When he did that, I was worried, since 
Endgame was performing services that did not help security at all.  He has 
turned Endgame around completely.

We talk about that, about “cyber war” versus real war, policy people in 
Washington, security hype, and running a startup in the security space.  Have a 
listen, and pass it on: http://www.cigital.com/silver-bullet/show-096/

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



Re: [SC-L] [External] Firewalls, Fairy Dust, and Forensics

2014-04-04 Thread Gary McGraw
hi karen,

Good point, and one that I usually make!  I agree.

gem

On 4/1/14, 9:16 AM, "Goertzel, Karen [USA]"  wrote:

>The one point that's missing from the article is to remind people: What
>the heck do you think firewalls are made of? Software! So unless a
>software manufacturer has got "software security religion", their product
>is just as likely to be "broken" inside as the things it allegedly
>protects. 
>
>===
>Karen Mercedes Goertzel, CISSP
>Lead Associate
>Booz Allen Hamilton
>703.698.7454
>goertzel_ka...@bah.com
>
>"I love humans. Always seeing patterns in things that aren't there."
>- The Doctor
>
>____
>From: SC-L [sc-l-boun...@securecoding.org] on behalf of Gary McGraw
>[g...@cigital.com]
>Sent: 31 March 2014 18:40
>To: Secure Code Mailing List
>Subject: [External]  [SC-L] Firewalls, Fairy Dust, and Forensics
>
>hi sc-l,
>
>Ever get discouraged that we have not been making enough progress in
>software security?  Well, we have been making plenty of progress and our
>field is growing fast!   This peppy little article (co-authored with
>Sammy Migues) explains why firewalls, fairy dust, and forensics are not
>working out for computer security.
>
>Oh, and software security is growing at 20% CAGR and now accounts for 10%
>of the computer security market (which is itself growing at 8.9%).  We
>are in the right field, and this mailing list is a major help.
>
>Please read this: 
>http://searchsecurity.techtarget.com/opinion/McGraw-Firewalls-fairy-dust-and-forensics-Try-software-security
>Then have your SSG members read it.
>You do have an SSG, right?
>
>Feel free to post links to twitter, facebook, linkedin, and send it
>around (by pointer).  I would really appreciate that.
>
>Thanks!
>
>gem
>
>company www.cigital.com
>podcast www.cigital.com/silverbullet
>blog www.cigital.com/justiceleague
>book www.swsec.com
>




[SC-L] Firewalls, Fairy Dust, and Forensics

2014-04-01 Thread Gary McGraw
hi sc-l,

Ever get discouraged that we have not been making enough progress in software 
security?  Well, we have been making plenty of progress and our field is 
growing fast!   This peppy little article (co-authored with Sammy Migues) 
explains why firewalls, fairy dust, and forensics are not working out for 
computer security.

Oh, and software security is growing at 20% CAGR and now accounts for 10% of 
the computer security market (which is itself growing at 8.9%).  We are in the 
right field, and this mailing list is a major help.

Please read this: 
http://searchsecurity.techtarget.com/opinion/McGraw-Firewalls-fairy-dust-and-forensics-Try-software-security
  Then have your SSG members read it.  You do have an SSG, right?

Feel free to post links to twitter, facebook, linkedin, and send it around (by 
pointer).  I would really appreciate that.

Thanks!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] IEEE Computer article

2014-03-26 Thread Gary McGraw
hi sc-l,

I was asked to write an article for IEEE Computer’s security column this month.  
It’s about software security.

Security Fatigue? Shift Your Paradigm (IEEE Computer Society, March 2014)

As always, your feedback is welcome.  You can find many of my writings here: 
http://www.cigital.com/~gem/writings/

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Paul dot com podcast on #swsec at 6pm EST

2014-03-20 Thread Gary McGraw
hi sc-l,

Tonight at 6pm EST I will be participating in a paul dot com webcast and 
talking all things software security.  Please tune in if you can, and spread 
the word!

http://securityweekly.com/watch

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com





[SC-L] Silver Bullet 95: Charlie Miller

2014-02-28 Thread Gary McGraw
hi sc-l,

Greetings from RSA, where the show gets underway today.  I hope to see some 
sc-l readers out here.  (Come see us during the show 
https://www.cigital.com/blog/2014/01/rsa-2014/.)

Episode 95 of Silver Bullet features a conversation with Charlie Miller, who now 
works at Twitter as a security engineer.  Charlie is well known for his 
spectacular Apple hacks.  Lately, he has turned his attention to cars.  We talk 
about fuzzing, exploit development, and their relationship to software security.

http://www.cigital.com/silver-bullet/show-095/

Have a listen and pass it on.  As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silver-bullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Silver Bullet 94: Ming Chow (Tufts)

2014-02-03 Thread Gary McGraw
hi sc-l,

Episode 94 (in a row) of Silver Bullet features a conversation with Ming Chow, 
a developer who got interested in security and accidentally became a software 
security guy teaching at Tufts.  We talk about that.  We talk about exploiting 
online games (and using that as a teaching mechanism).  And mostly we wonder 
how to get real developers more interested in software security.  Have a listen:

http://www.cigital.com/silver-bullet/show-094/

As always, your feedback is welcome.

gem

company http://www.cigital.com
blog http://www.cigital.com/justiceleague
book http://www.swsec.com



[SC-L] SearchSecurity: Scaling Automated Code Review

2014-01-29 Thread Gary McGraw
hi sc-l,

The latest monthly SearchSecurity article was co-authored with Jim Routh, CSO of 
Aetna.  What Jim is doing for his fifth (!!) software security initiative is 
very interesting.  So interesting that we decided to write about it.

In particular, pay attention to Jim's use of a lightweight IDE-based static 
analysis tool.  This is important for two reasons: 1) because it runs on all 
dev desktops (and thus scales) and 2) because it finds problems in real time as 
they are being typed in.  FIXING security problems found in this way is easier 
than it is when results arrive a week after they are typed in and the devs are 
on a new sprint.

Scaling Automated Code Review: http://bit.ly/1iIcAPB

(Here is a long URL version: 
http://searchsecurity.techtarget.com/opinion/McGraw-Software-insecurity-and-scaling-automated-code-review)

As always, your feedback is welcome.  Pass it on!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com




[SC-L] Silver Bullet 93: Yoshi Kohno

2013-12-26 Thread Gary McGraw
hi sc-l,

When it rains, it pours.  Just in time for xmas eve, here is Silver Bullet 
episode 93.   The podcast features a discussion with Yoshi Kohno (a Cigital 
alum) who is now a computer science professor at University of Washington.

You've probably heard of Yoshi's car hacking stuff (or maybe even seen it on 
Nova).  Yoshi has one of the best vulnerability finding minds in the business.

http://www.cigital.com/silver-bullet/show-093/

Pass it on!  And merry new year.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] SearchSecurity: Scaling Architectural Risk Analysis

2013-12-26 Thread Gary McGraw
hi sc-l,

Following on the heels of our SearchSecurity article on Architectural Risk 
Analysis (probably the most difficult touchpoint in software security), Jim 
DelGrosso and I write about how to scale ARA.

http://bit.ly/19Jmk7f  (or 
http://searchsecurity.techtarget.com/opinion/McGraw-Software-insecurity-and-scaling-architecture-risk-analysis)

Merry new year to you all.   We welcome your feedback.

gem



[SC-L] BSIMM-V Article in Application Development Times

2013-12-17 Thread Gary McGraw
hi sc-l,

From time to time we talk about getting to the dev community here.  This 
article is at least in the right publication!

Read it and pass it on: 
http://adtmag.com/blogs/watersworks/2013/12/bsimm-v-released.aspx

Salubrious solstice!  One week and one day to go.

gem



[SC-L] Silver Bullet 92: Jon Callas

2013-11-27 Thread Gary McGraw
hi sc-l,

Just in time for turkey-induced coma listening time, Silver Bullet episode 92 
features Jon Callas.  Jon is an old school geek (on the net since 1979) who has 
occupied a front row seat during all of the crypto wars.  His company Silent 
Circle is actively trying to build a real secure email solution that even the 
NSA can't break.  We had a very interesting chat.  We even talked directly 
about Snowden.  I hope you like it:

http://www.cigital.com/silver-bullet/show-092/

As always, your feedback on the podcast is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] BSIMM-V is alive

2013-10-30 Thread Gary McGraw
hi sc-l,

I am proud to announce that the BSIMM-V document is complete and the website 
has been entirely revised/updated.  Please download a copy of BSIMM-V today: 
http://bsimm.com

BSIMM-V describes the software security initiatives at sixty-seven firms, 
including: Adobe, Aetna, Bank of America, Box, Capital One, Comerica Bank, EMC, 
Epsilon, F-Secure, Fannie Mae, Fidelity, Goldman Sachs, HSBC, Intel, Intuit, 
JPMorgan Chase & Co., Lender Processing Services Inc., Marks and Spencer, 
Mashery, McAfee, McKesson, Microsoft, NetSuite, Neustar, Nokia, Nokia Siemens 
Networks, PayPal, Pearson Learning Technologies, QUALCOMM, Rackspace, 
Salesforce, Sallie Mae, SAP, Sony Mobile, Standard Life, SWIFT, Symantec, 
Telecom Italia, Thomson Reuters, TomTom, Vanguard, Visa, VMware, Wells Fargo, 
and Zynga. All told, the BSIMM describes the work of 975 SSG members working 
with a satellite of 1,953 people to secure the software developed by 272,358 
developers.

Software security measurement.

gem


"If you are thinking about developing a software security program, or enhancing 
your existing one, the BSIMM will provide you a tried and true measurement and 
planning tool developed by some of the top security practitioners in the world. 
BSIMM-V is the continued evolution of this data driven set of real world 
software security practices, making it more relevant than ever. If you don’t 
think that a software security program or BSIMM is right for you, well… it’s 
only a matter of time!"

Gary Warzala

CISO, Visa

"Improving any engineering process requires a solid set of empirical metrics 
from which we can compare and contrast our own processes. Software security is 
no exception, and for far too long the community has been relying too heavily 
on anecdotal 'evidence.' Those excuses are no longer valid. Nowhere else will 
you find a more solid set of real world observations than in the BSIMM study. 
I'm happy to see with the release of BSIMM-V that the model has continued to 
grow and improve since its inception."
Kenneth R. van Wyk
KRvW Associates, LLC



[SC-L] Silver Bullet 91: Caroline Wong

2013-10-30 Thread Gary McGraw
hi sc-l,

Episode 91 of Silver Bullet features a conversation with Cigital's Caroline 
Wong.  We talk a lot about BSIMM (behind the scenes) as part of the BSIMM-V 
launch.  BSIMM-V will be officially released at 9am EST 10.30.13!

As an experienced practitioner (Symantec, eBay, Zynga), Caroline brings a 
management perspective to the BSIMM project, directly focused on metrics and 
measurement.  (Nothing like real data.)  We also discuss bug bounty programs, 
"Software Security Initiative (SSI) in a box" (leveraging measurement of 
course), and issues facing women in computer science.

Have a listen: 
http://www.cigital.com/silver-bullet/show-091

And stay tuned for more about BSIMM-V!

gem



[SC-L] Silver Bullet 90: Matthew Green

2013-10-05 Thread Gary McGraw
hi sc-l,

On one of the best Silver Bullet security podcasts in many a moon, I interview 
Matthew Green, research professor at Johns Hopkins University.  Remember that 
university professor whose NSA-related posting was given a takedown notice?  
That was Matthew.  Find out what he thought of all that:

http://www.cigital.com/silver-bullet/show-090/

We also discuss the difference between theoretical crypto and applied crypto, 
why software security is so dang hard, ARA, and breakfast cereal.

Have a listen and pass it on.  As always, your feedback is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com





[SC-L] Atlanta event OCT 1st

2013-09-25 Thread Gary McGraw
hi sc-l,

As part of gearing up our Atlanta office, Cigital is co-sponsoring an event 
with TAG (Technology Association of Georgia) on Tuesday October 1st.  The event 
will feature a fireside chat with Marcus Ranum and me about software and 
software security.  "Why is software still so bad, and what are we doing about 
it?" is the official abstract.

The event is open to TAG members and others in the Atlanta area.  If you're 
interested or if you know people in Atlanta who might like to come, please pass 
along this URL : http://bit.ly/1b5qhp4

Hope to see some sc-l readers in Atlanta.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] SearchSecurity: Architecture Risk Analysis

2013-09-19 Thread Gary McGraw
hi marinus,

Sorry for the (spam filter related) delay!

Two of the steps that we define in the ARA article address your idea directly.  
Step 1: known-attack analysis certainly leverages knowledge about components, 
packages, and design patterns (associated with known attacks) and "stuff you 
inherit."  And, Step 3: dependency analysis is almost entirely focused on what 
you suggest.

Have a read: http://bit.ly/1b2f5Zk

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

From: Marinus van Aswegen <mvanaswe...@gmail.com>
Date: Monday, September 16, 2013 3:15 PM
To: Secure Code Mailing List <SC-L@securecoding.org>
Subject: [SC-L] SearchSecurity: Architecture Risk Analysis

Gary,

We have a step where we figure out how the various architectures intersect and 
synthesize together. After all you inherit more than you define and deliver.

Marinus

-

hi sc-l,

Software security in general spends a lot of time talking about bugs---too much 
time, I believe.  We all know that software defects come in two major 
subclasses: bugs (in the implementation) and flaws (in the design).  So, how do 
you find and FIX flaws?

That's what this month's SearchSecurity column is about.  This article is about 
finding security flaws in software with Architecture Risk Analysis.  It is 
co-authored by Jim DelGrosso who is a Principal Consultant at Cigital and runs 
the Architecture practice.

We know this approach works, because we actually use it every day (and have 
done so for over a decade): http://bit.ly/1b2f5Zk   No, it's not easy, and yes 
it takes experience.  Oh well.

gem





[SC-L] HP Protect keynote

2013-09-19 Thread Gary McGraw
hi sc-l,

HP just put up a video of the keynote I delivered yesterday at HP Protect.   
Here it is!

http://www.cigital.com/justice-league-blog/2013/09/17/zombies-just-what-dr-mcgraw-ordered/

gem

p.s. Who knows "Dinis in a can??"



Re: [SC-L] HP Protect Keynote (next week 9.17.13)

2013-09-15 Thread Gary McGraw
hi dinis,

I will be covering the basics for sure.  I agree with all of your points below.

The trickiest one you bring up is security labels which though it may be a good 
idea is a political swamp.

I am up for an HP Protect band, but I am pretty sure such an idea has never 
crossed the corporate HP mind!

See you in DC.

gem

From: Dinis Cruz <dinis.c...@owasp.org>
Date: Sunday, September 15, 2013 5:54 AM
To: gem <g...@cigital.com>
Cc: Casey Callaway <ccalla...@cigital.com>, 
Secure Code Mailing List <SC-L@securecoding.org>
Subject: Re: [SC-L] HP Protect Keynote (next week 9.17.13)


I'll be there and am looking forward to seeing it

Can you cover the need to: a) 'talk' to developers using UnitTests, b) stop 
giving developers PDFs/badometers, c) create security Labels for APIs/Apps and 
d) use open source tools like the O2 Platform (and ThreadFix) to integrate+glue 
the application security knowledge created by tools and humans :)

For the record I'm gutted that HP can't organise a 'Conference Band' like the 
'Owasp band' so that we can do our yearly rendition of the 'SQL Injection 
Blues' :)

Dinis

On 15 Sep 2013 09:39, "Gary McGraw" <g...@cigital.com> wrote:
hi sc-l,

This year's keynote talk at HP Protect will be all about software security.  
How do I know?  Well, I'm giving the talk.  You can register here if you want 
to attend HP Protect in Washington, DC. http://h30627.www3.hp.com/

The Discover Performance magazine featured an article about software security 
as one part of the run up to the HP Protect Conference.  You can read that 
here: 
http://bit.ly/153CFDB

It's great news for the field that we're being asked to talk about software 
security at a major conference as the keynote.  I hope to see some of you there.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

p.s. Long URL for Kevin 
http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html






[SC-L] HP Protect Keynote (next week 9.17.13)

2013-09-15 Thread Gary McGraw
hi sc-l,

This year's keynote talk at HP Protect will be all about software security.  
How do I know?  Well, I'm giving the talk.  You can register here if you want 
to attend HP Protect in Washington, DC. http://h30627.www3.hp.com/

The Discover Performance magazine featured an article about software security 
as one part of the run up to the HP Protect Conference.  You can read that 
here: 
http://bit.ly/153CFDB

It's great news for the field that we're being asked to talk about software 
security at a major conference as the keynote.  I hope to see some of you there.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

p.s. Long URL for Kevin 
http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html





[SC-L] SearchSecurity: Architecture Risk Analysis

2013-09-15 Thread Gary McGraw
hi sc-l,

Software security in general spends a lot of time talking about bugs---too much 
time, I believe.  We all know that software defects come in two major 
subclasses: bugs (in the implementation) and flaws (in the design).  So, how do 
you find and FIX flaws?

That's what this month's SearchSecurity column is about.  This article is about 
finding security flaws in software with Architecture Risk Analysis.  It is 
co-authored by Jim DelGrosso who is a Principal Consultant at Cigital and runs 
the Architecture practice.

We know this approach works, because we actually use it every day (and have 
done so for over a decade): http://bit.ly/1b2f5Zk   No, it's not easy, and yes 
it takes experience.  Oh well.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

p.s. Long link for Mr Wall: 
http://searchsecurity.techtarget.com/opinion/Opinion-Software-insecurity-software-flaws-in-application-architecture



[SC-L] Silver Bullet 89: Mike Reiter

2013-09-04 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 89 was posted yesterday.  It features a conversation with 
Professor Mike Reiter from UNC.  Mike's work is well known in distributed 
systems and networking.  He has done a bit of work in software security.  Have 
a listen:
http://www.cigital.com/silver-bullet/show-089/

And as always, your feedback is welcome.

I'm off to Germany for SecSE and ARES (with plenty of software security 
coverage).

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com




[SC-L] SearchSecurity: 5 Tech Trends and Software Security

2013-08-11 Thread Gary McGraw
hi sc-l,

SearchSecurity just posted my August article about the intersection of software 
security and 5 major tech trends.  It is enhanced with BSIMM data to spice it 
up.  Have a read http://bit.ly/137efaX (and pass it on!).  Here is a (big ass) 
URL for Kevin: 
http://searchsecurity.techtarget.com/opinion/Five-major-technology-trends-affecting-software-security-assurance

As always, your feedback is welcome.  I'm pleased that our field is getting 
such good exposure on Tech Target.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleage
book www.swsec.com
twitter @noplasticshower



[SC-L] Silver Bullet 88: Christian Collberg

2013-08-01 Thread Gary McGraw
hi sc-l,

Christian Collberg has been among the best academicians in software protection 
for over a decade.  His book "Surreptitious Software" which is really about 
obfuscation, watermarking and digital content protection is part of my Software 
Security Series.  Christian is also an artist 
and a world traveller with a very interesting global perspective.

Have a listen to the 88th consecutive Silver Bullet Security Podcast featuring 
Christian Collberg: http://www.cigital.com/silver-bullet/show-088/

As always, your feedback is welcome (including suggestions for new Silver 
Bullet victims).

gem

company www.cigital.com
blog ww.cigital.com/justiceleague
book www.swsec.com
twitter @noplasticshower





[SC-L] Silver Bullet 87: James Walden

2013-07-01 Thread Gary McGraw
hi sc-l,

Last month, Cigital consultant Joe Harless suggested that I interview his NKU 
professor James Walden.  It was a good idea.  Thanks Joe.  I have known James 
for years.  He uses "Software Security" in some of his classes and he thinks 
about software security all day.

Trained as a particle physicist, James is one of the leaders in academic 
software security.  We talk about all sorts of things, top ten lists, breaking 
versus fixing, bugs and flaws.  James teaches a Secure Software Engineering 
course that is right up our alley here at sc-l.

Have a listen: http://www.cigital.com/silver-bullet/show-087/

And if you have a suggestion for a Silver Bullet episode, let me know!

gem

company www.cigital.com
justiceleague www.cigital.com/justiceleague
book www.swsec.com



[SC-L] SearchSecurity: The NSA leaks (verizon and prism)

2013-06-19 Thread Gary McGraw
hi sc-l,

When we build systems, we need to do some thinking about privacy along with our 
thinking about security.  If we don't anticipate how our systems and the data 
they collect might be abused, we might not make the right design decisions.  
Just ask Facebook.

Today, SearchSecurity posted my article on the NSA Surveillance.  Please read 
this:
http://bit.ly/15dB1c5  (turns out that Facebook is a bigger offender in my mind 
than the NSA).

We live in a democracy in the United States and it is up to us to make clear to 
our leaders what we expect.  Do some thinking for yourself, and then engage 
your representatives and tell them what you believe we should do about privacy 
as a country.

And when you help build and secure systems, think about what might happen if 
they are turned against us.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] TechTarget: Proactive Security in Financial Services

2013-06-10 Thread Gary McGraw
hi sc-l,

The Financial Services sector is an important advocate for real software 
security.  At FS-ISAC this Spring in Florida, I moderated a panel about that 
(including JP Morgan Chase, Capital One and Fidelity).  The panel resulted in a 
writeup posted today (and published in Information Security Magazine).

http://bit.ly/163miTX

(Kevin longlink: 
http://searchsecurity.techtarget.com/opinion/McGraw-Financial-services-develop-a-proactive-posture?utm_medium=EM&asrc=EM_ERU_22003825&utm_campaign=20130610_ERU%20Transmission%20for%2006/10/2013%20(UserUniverse:%20608797)_myka-repo...@techtarget.com&utm_source=ERU&src=5135013)

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleage
book www.swsec.com



[SC-L] Silver Bullet 86: Wenyuan Xu

2013-05-31 Thread Gary McGraw
hi sc-l,

Ever wonder what it is like to be a Chinese scholar living and teaching in the 
US or a woman teaching computer science and engineering?  We talk about that in 
the 86th episode of the Silver Bullet Security Podcast featuring University of 
South Carolina professor Wenyuan Xu: bit.ly/14e8h29 

We also discuss embedded device security (cars, electricity billing systems, 
medical devices), software security, and the distinctly American phenomenon of 
tailgating.

Have a listen.  As always your feedback is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleage
book www.swsec.com
twitter @noplasticshower



[SC-L] Silver Bullet 85: Mobile Security with Jim Routh and Scott Matsumoto

2013-05-03 Thread Gary McGraw
hi sc-l,

Is mobile security a brand new day or the same old same old?  The answer 
depends on how you look at the problem.  If you are a practitioner in the 
trenches, there are many new and interesting shiny bits to mobile security.  If 
you are a security veteran, things look very familiar.  In this episode of 
Silver Bullet, Jim Routh, Scott Matsumoto and I take on the Necker Cube of 
mobile security.  Jim Routh is the ultimate security practitioner (until 
recently the global head of software security at JPMC and now a major CSO).  
Scott Matsumoto, Cigital Principal and head of mobile security, is a software 
veteran with years of experience.  I do what I can to guide the conversation 
with an eye on both the distant past and the quickly approaching future.

Have a listen and pass it on: http://www.cigital.com/silver-bullet/show-085/

As always, your feedback is both welcome and encouraged.  What do YOU think?  
Same old same old or brand new day?

gem

company www.cigital.com
blog www.cigital.com/justiceleague (see especially 
https://www.cigital.com/justice-league-blog/2013/04/30/mobile-different-or-same-sht-different-day/)
book www.swsec.com



[SC-L] Silver Bullet 84: W Hord Tipton of ISC^2

2013-04-05 Thread Gary McGraw
hi sc-l,

Paco Hope and I have debated security certifications for years (a friendly 
battle of sorts).  During my last trip to London on a train to go visit Ross 
Anderson in Cambridge, Paco suggested that I interview ISC^2 Executive Director 
Hord Tipton.  I'm glad I did!

Hord and I talk about his long and storied career in technology and security.   
And yes, we talk about certifying software security professionals with the 
CSSLP certification (which Paco helped develop).  I'm still not sure I believe 
in it, but I do understand what Hord is trying to accomplish more fully.  Have 
a listen:
http://www.cigital.com/silver-bullet/show-084/

As always, thanks for your feedback, and thanks to IEEE S&P for co-sponsoring 
the podcast.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] BSIMM talk at RSA

2013-02-28 Thread Gary McGraw
hi sc-l,

Please come hear my talk "Bug Parades, Zombies and the BSIMM: A Decade of 
Software Security" today at the RSA Conference.  The talk is at 10:40am in room 
132.  I'll be making some of the BSIMM Update data from the RSA BSIMM Mixer 
public.  63 firms and counting.

gem




Re: [SC-L] Software Security on MSNBC Sunday morning TV (9:20am)

2013-02-24 Thread Gary McGraw
hi sc-l,

It's still early on Sunday, but here is a pointer to the episode: 
http://nbcnews.to/YqeokE

gem

From: gem <g...@cigital.com>
Date: Saturday, February 23, 2013 4:21 PM
To: Secure Code Mailing List <SC-L@securecoding.org>
Subject: Software Security on MSNBC Sunday morning TV (9:20am)


hi sc-l,

I am slated to be a guest on MSNBC's "Up With Chris Hayes" tomorrow morning 
(Sunday 2.24) 9:20-10:00am.  They wanted to fly me to NY for the show, but the 
plan now is to do this from the DC studios.  We'll be talking about Cyber War.

About the show: 
http://www.nytimes.com/2012/06/24/fashion/chris-hayes-has-arrived-with-up.html?_r=0

You can bet I will harp on software security!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] See you next week at RSA 2013

2013-02-22 Thread Gary McGraw
hi sc-l,

I know many sc-l readers will be headed out to San Francisco next week for the 
usual week of chaos surrounding RSA.  Should be a blast as always.

This year I am involved in two public appearances at the RSA conference, both 
of which will discuss software security explicitly.  The first is a CSO Panel 
featuring Gary Warzala (Visa), Jason Witty (US Bank), Eric Grosse (Google), and 
Howard Schmidt (retired US Gov).  One of the six key questions we will address 
during the panel is what a CSO can and should do about software security, 
security engineering and building things properly.  That panel is Wednesday 
2.27 at 1pm.

The second appearance is even more relevant to software security.  I will give 
my "Bug Parades, Zombies, and the BSIMM" talk Thursday 2.28 at 10:40am.  I plan 
to discuss the ancient history of software security and accelerate to now.

I hope you will come see what we've got cooking!  If you do come to the talks, 
make sure to come say hello.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


[SC-L] Chinese Hacking, Mandiant and Cyber War

2013-02-20 Thread Gary McGraw
hi sc-l,

No doubt all of you have seen the NY Times article about the Mandiant report 
that pervades the news this week.  I believe it is important to understand the 
difference between cyber espionage and cyber war.  Because espionage unfolds 
over months or years in realtime, we can triangulate the origin of an 
exfiltration attack with some certainty.  During the fog of a real cyber war 
attack, which is more likely to happen in milliseconds,  the kind of forensic 
work that Mandiant did would not be possible.  (In fact, we might just well be 
"Gandalfed" and pin the attack on the wrong enemy as explained here: 
http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)

Sadly, policymakers seem to think we have completely solved the attribution 
problem.  We have not.  This article published in Computerworld does an 
adequate job of stating my position: 
http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

Those of us who work on security engineering and software security can help 
educate policymakers and others so that we don't end up pursuing the folly of 
active defense.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


[SC-L] "Active Defense" is Irresponsible

2013-02-13 Thread Gary McGraw
hi sc-l,

This morning, NPR did a story 
<http://www.npr.org/2013/02/13/171843046/victims-of-cyberattacks-now-going-on-offense-against-intruders>
 about the idea of "Active Defense" which basically boils down to attacking the 
people who (may have) attacked you.  (Key question: who is it that REALLY 
attacked you and how do you know that?)  At Cigital, we believe this is a 
recipe for disaster.  The last thing we need in computer security is a bunch of 
vigilante yoo-hoos and lynch mobs.  Rule of law anyone?

I talked all about this in my SearchSecurity column in November: Proactive 
defense prudent alternative to cyberwarfare 
<http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare> 
(November 1, 2012)

In fact, I have been a vocal opponent to the Cyber War drum beating that seems 
to pervade Washington.  Here's what I had to say to Threatpost about the issue 
(warning: poor sound quality): 
http://threatpost.com/en_us/blogs/gary-mcgraw-cyberwar-and-folly-hoarding-cyber-rocks-111312

I have also been voicing these thoughts at think tanks like CNAS and in 
academic venues.  Here are three pointers to recent talks: 
http://www.ists.dartmouth.edu/events/abstract-mcgraw.html
http://www.kcl.ac.uk/sspp/departments/warstudies/newsevents/eventsrecords/mcgraw.aspx
http://www.eecs.umich.edu/eecs/etc/events/showevent.cgi?2626

FWIW, I am going to be on a panel about this at a private event during RSA with 
the founders of CrowdStrike on the opposing side.   Should be interesting.  
Given their dunderheaded philosophy, maybe I should bring a security detail 
along.

If you feel as strongly as we do about this issue, please send this to your 
Representatives.  They need to read it:
Separating the Threat from the Hype: What Washington Needs to Know About Cyber 
Security <http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf> in 
AMERICA'S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES 
I AND II <http://www.cnas.rsvp1.com/node/6405?mgh=http%3A%2F%2Fwww.cnas.org&mgf=1>, 
Center for a New American Security (June 2011).

What's the alternative to throwing rocks?  Making sure our houses are not glass 
by building security in.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Silver Bullet 79: Per-Olof Persson (Sony Mobile) transcript posted

2013-01-23 Thread Gary McGraw
hi sc-l,

We just posted the transcript for episode 79 of the Silver Bullet Podcast 
featuring Per-Olof Persson of Sony Mobile:
http://www.cigital.com/silverbullet-files/shows/silverbullet-079-ppersson.pdf

The transcript will appear in IEEE Security & Privacy magazine soon.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


[SC-L] Silver Bullet 82: Kevin Fu

2013-01-18 Thread Gary McGraw
hi sc-l,

Kevin Fu is an interesting guy.  An MIT Ph.D., Kevin did a post doc with Avi 
Rubin at Johns Hopkins and then moved on to be a professor at UMass.  As of 
January, he moved his lab to University of Michigan. Among other interests, 
Kevin is an expert in embedded medical device security.  But unlike the FUD 
spreaders and hackerboyz, Kevin is actually doing something about it from an 
engineering perspective.  Whoa…a "fix" person just like we do at Cigital.

http://www.cigital.com/silver-bullet/show-082/

I hope you enjoy this podcast.  Please share it with others and feel free to 
send feedback directly to me.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com

P.S. Over holiday break I was in the music studio recording a new CD.  Have a 
listen to that too if you want: http://thebitterliberals.com/music/


Re: [SC-L] SearchSecurity: 13 Design Principles for 2013

2013-01-17 Thread Gary McGraw
Excellent idea Gunnar!  This is the kind of conceptual comparison that we don't 
do enough of.

gem

From: Gunnar Peterson <gun...@arctecgroup.net>
Reply-To: Gunnar Peterson <gun...@arctecgroup.net>
Date: Thursday, January 17, 2013 6:39 PM
To: gem <g...@cigital.com>, Secure Code Mailing List <SC-L@securecoding.org>
Cc: "epar...@techtarget.com" <epar...@techtarget.com>
Subject: RE: [SC-L] SearchSecurity: 13 Design Principles for 2013

Good piece. Saltzer and Schroeder's work is the deus ex machina in so much of 
security. On the software side, esp in the case of Twitter, Facebook et al, the 
equivalent is David Gelernter.

I did a mashup of these titans and I must say I think there is a fair (and 
increasing) amount of impedance mismatch. Meaning many of S&S's fundamental 
assumptions do not apply in Gelernter's universe. For example how do I 
completely mediate in a federation? Answer: you don't; you have partial control 
at best.

http://1raindrop.typepad.com/1_raindrop/2008/06/mashup-of-the-titans.html

Gunnar


Sent from my mobile



 Original message 
From: Gary McGraw <g...@cigital.com>
Date:
To: Secure Code Mailing List <SC-L@securecoding.org>
Cc: "Parizo, Eric" <epar...@techtarget.com>
Subject: [SC-L] SearchSecurity: 13 Design Principles for 2013


hi sc-l,

Merry new year to you all.

About the hardest part of software security is design.  Everything about it is 
hard: secure design, threat modeling, architectural risk analysis, etc.  Even 
convincing slow pokes that there is a difference between bugs and flaws is hard 
(you should see the "reviews" my talk got from the "expert" RSA program 
committee this year…hah!).  For many years I have struggled with how to teach 
people ARA and security design.  The only technique that really works is 
apprenticeship.  Short of that, a deep understanding of security design 
principles can help.

In 1975 Saltzer and Schroeder wrote one of the most important papers in computer 
security.  In it, they introduced the concept of security principles.  I riffed 
on that this month in my SearchSecurity column.  Please read it and pass it on. 
Give a copy to all of the software architects you know.

http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


[SC-L] Silver Bullet 81: Steve Bellovin

2013-01-03 Thread Gary McGraw
hi sc-l,

Merry New Year to you all!  Here's to more secure software in 2013.

The latest Silver Bullet episode, number 81, went live today, featuring 
security grey beard Steve Bellovin.  Steve's long and storied career spans the 
invention of Usenet in grad school, through Bell Labs, to Columbia University, 
all the way to serving as the CTO of the Federal Trade Commission.  Throughout 
his storied career in security, Steve has always held fast for software 
security.  He's continuing that leadership at the FTC.  You go Steve!

http://www.cigital.com/silver-bullet/show-081/

As always, your commentary is welcome.  Pass it on.

gem


[SC-L] SearchSecurity: Twelve Most Common BSIMM Activities

2012-12-09 Thread Gary McGraw
hi sc-l,

Greetings from NOLA where I am sailing this weekend.

Ever wonder what the twelve most common software security activities are?  
Because of the BSIMM data, we actually know.  Have a look for yourself:
http://searchsecurity.techtarget.com/news/2240174114/Twelve-common-software-security-activities-to-lift-your-program

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.cigital.com


[SC-L] Silver Bullet: Thomas Rid

2012-12-05 Thread Gary McGraw
hi sc-l,

Earlier this month, I had the pleasure of visiting Thomas Rid and giving a talk 
on cyber war at King's College London.  Thomas and I had a great discussion 
after the talk, and I asked him to do a silver bullet episode.

http://www.cigital.com/silver-bullet/show-080/

Episode 80 is a bit off the beaten track for silver bullet, but really 
interesting.  Lots of discussion about policy makers, war studies, and the way 
foreign policy and deterrence works.  I think you'll like it.  If you found my 
SearchSecurity piece on cyber war interesting this month, you will for sure.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com


[SC-L] Cyber War and Software Security

2012-11-02 Thread Gary McGraw
hi sc-l,

I find it particularly disturbing that offensive cyber war is garnering a 
majority of the attention of the media while security engineering is basically 
ignored.  I am trying to do my part to inject some talk of software security 
into the mix.  I would love your help.

SearchSecurity just published an article I wrote about cyber war and prudent 
defense (as opposed to "active defense" which is really offense).  If all of 
this sounds confusing, have a read and see what you think:
http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare

I'll be giving a talk on this topic in London on 11/14.  If you are a reader 
from the UK and would like information on that talk, pop me an email.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


[SC-L] Silver Bullet 79: Per-Olof Persson

2012-10-26 Thread Gary McGraw
hi sc-l,

Episode 79 of Silver Bullet features a conversation with Per-Olof Persson, a 
European leader in software security and Global Head of Software Security for 
Sony Mobile.  If you ever wonder what a Board of Directors thinks about 
software security, this episode will help you understand that.  Lots of talk 
about Agile, Android, and business concerns related to software security and 
international global business.

Per-Olof is a very interesting fellow.  Have a listen and pass it on!
http://www.cigital.com/silver-bullet/show-079/

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com


[SC-L] Ten Commandments for Software Security

2012-10-06 Thread Gary McGraw
hi sc-l,

You all know by now that the BSIMM is a descriptive model and not a 
prescriptive one.  But at Cigital we're happy to give prescriptive advice about 
software security based on our experience as well.  Without further ado, the 
ten commandments for software security:

0. Thou shalt lead thy software security initiative (SSI) with a software 
security group (SSG).
1. Thou shalt rely on risk management and objective measurement using the 
BSIMM—not “top ten lists” and vulnerability counts—to define SSI success.
2. Thou shalt communicate with executives, directly linking SSI success to 
business value and comparing thy firm against its peers.
3. Thou shalt create and adopt an SSDL methodology like the Microsoft SDL or 
the Cigital Touchpoints that integrates security controls (including 
architecture risk analysis, code review, and penetration testing) and people 
smarter about software security than the tools they run.
4. Thou shalt not limit software security activity to only technical SDLC 
activities and especially not to penetration testing alone.
5. Thou shalt grow and nurture software security professionals for thy SSG 
(since there are not enough qualified people to go around).
6. Thou shalt consume direction from the business and intelligence from 
operations and incident response staff, and adjust SSI controls accordingly.
7. Thou shalt track thy data carefully and know where the data live regardless 
of how cloudy thy architecture gets.
8. Thou shalt not rely solely on security features and functions to build 
secure software as security is an emergent property of the entire system and 
thus relies on building and integrating all parts properly.
9. Thou shalt fix thy identified software defects: both bugs and flaws.

Read more in this month's [in]security column on SearchSecurity: 
http://searchsecurity.techtarget.com/news/2240164512/Ten-commandments-for-software-security

We welcome your reaction.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


Re: [SC-L] BSIMM4 Released Today

2012-09-27 Thread Gary McGraw
hi sc-l,

Once every blue moon, software security makes it into the major press.  BSIMM4 
did it today.

http://blogs.wsj.com/cio/2012/09/26/bank-cyberattacks-underscore-need-for-security-processes/

I think it's great when the major players get past the "train wreck" mentality 
that seems to pervade security coverage.

gem

p.s. This Dennis Fisher podcast is worth a listen too:
https://threatpost.com/en_us/blogs/gary-mcgraw-bsimm4-and-how-avoid-being-slowest-zebra-092612

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

From: gem <g...@cigital.com>
Date: Tuesday, September 18, 2012 9:56 AM
To: Secure Code Mailing List <SC-L@securecoding.org>
Cc: Sammy Migues <smig...@cigital.com>, Jacob West <j...@hp.com>
Subject: BSIMM4 Released Today

hi sc-l,

Today we released BSIMM4, the fourth edition of the BSIMM model built directly 
from data observed in 51 firms.  If you ever wonder what software assurance 
looks like in commercial practice (and how to measure it), the BSIMM sheds 
plenty of light on current practice.

Download a copy today (for free under the Creative Commons) at 
http://bsimm.com

BSIMM4 provides insight into fifty-one of the most successful software security 
initiatives in the world and describes how these initiatives evolve, change, 
and improve over time. The multi-year study is based on in-depth measurement of 
leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, 
The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, 
Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, 
Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, 
Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, 
Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

Some numerical highlights of BSIMM4:
• BSIMM4 includes 51 firms from 12 industry verticals
• BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 
2009 edition
• The BSIMM4 data set has 95 distinct measurements (some firms measured 
multiple times, some firms with multiple divisions measured separately and 
rolled into one firm score)
• BSIMM4 continues to show that leading firms on average employ two full time 
software security specialists for every 100 developers
• BSIMM4 describes the work of 974 software security professionals working with 
a development-based satellite of 2039 people to secure the software developed 
by 218,286 developers

Of particular interest to readers of sc-l, for the first time in the BSIMM 
project, new activities were observed in addition to the original 109, 
resulting in the addition of two new activities to the model going forward. The 
activities are: Simulate software crisis and Automate malicious code detection.

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


[SC-L] Silver Bullet 77: Gary Warzala of Visa

2012-08-28 Thread Gary McGraw
hi sc-l,

Greetings from Buenos Aires where I am pushing the software security agenda in 
South America this week in a series of four talks.

Silver Bullet's 77th episode features Gary Warzala, CISO of Visa.  Our 
discussion mirrors some of what we talked about during our fireside chat in 
Bloomington, Indiana when we opened the new Cigital office there in May.  Ever 
wonder what a CISO does all day or what they think about?  Tune in and find out.

http://www.cigital.com/silver-bullet/show-077/

For the purposes of this list, Visa is serious about software security, which 
we discuss during the podcast.

As always, your feedback is welcome.  Thanks as always to Ryan MacMichael for 
his behind the scenes work on Silver Bullet.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com


Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-08 Thread Gary McGraw
hi greg,

Good question.  I'm biased of course, but I think a BSIMM type measurement
is the best way to approach this.  (See http://bsimm.com.)  However,
regardless of measurement I strongly believe that incentives are way
better than regulations and penalties.

Because the Senate bill was blocked yesterday by a Republican filibuster
<http://www.nytimes.com/2012/08/03/us/politics/cybersecurity-bill-blocked-by-gop-filibuster.html>
we may have a chance to revisit some of these ideas next session!

On the BSIMM front, we now have 51 firms measured and will be compiling
BSIMM4 next week for release in the Fall.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 8/2/12 3:13 PM, "Greg Beeley"  wrote:

>How would we recognize good engineering?
>
>It seems to me like the very same problem faced by the idea of software
>liability law - that it is hard to define good engineering for software
>security - would be faced by an incentive program.  If "good
>engineering" is fuzzy enough to give a big corporate legal dept the
>upper hand against an individual, wouldn't it be similarly fuzzy enough
>to counter the fairness of a tax incentive?
>
>Tax breaks are a big deal - I doubt the government is going to want to
>issue tax breaks to a company because the company claims they have
>achieved level X in a CMM -- think about the economic cost in
>demonstrating something like that to the point where it is fair and
>worth something.  I also doubt that a metric based on vulnerability
>counts will work -- that will just encourage companies to hide
>vulnerabilities, fixing them silently and/or with great delay, instead
>of disclosing them.
>
>Not that I think that incentives inherently wouldn't work -- rather I'd
>be interested in seeing some discussion here on some of the above issues.
>
>One alternative that has worked well in many other areas of
>manufacturing -- encourage some kind of limited warranty, at least in
>certain industries.  For consumer mobile devices, it might be something
>as simple as, "if your device's security is ever compromised due to a
>flaw in the bundled device software, we'll repair it free of charge".
>The big challenges are 1) getting customers to care about their device's
>security, and 2) making a vendor's commitment to security recognizable
>by the customer.  By no means ideal, but at least a talking point.
>
>- Greg
>
>Gary McGraw wrote, On 08/02/2012 08:40 AM:
>> Hi Jeff,
>> 
>> I'm afraid I disagree.  The hyperbolic way to state this is, imagine YOUR
>> lawyer faced down by Microsoft's army of lawyers. You lose.
>> 
>> Software liability is not the way to go in my opinion.  Instead, I would
>> like to see the government develop incentives for good engineering.
>> 
>> gem
>> 
>> On 8/2/12 10:26 AM, "Jeffrey Walton"  wrote:
>> 
>>> Hi Dr. McGraw,
>>>
>>>> Cyber Intelligence Sharing and Protection Act (CISPA) passed by
>>>> the House in April) has very little to say about building security in.
>>> I'm convinced (in the US) that users/consumers need a comprehensive
>>> set of software liability laws. Consider the number of mobile devices
>>> that are vulnerable because OEMs stopped providing (or never provided)
>>> patches for vulnerabilities. The equation [risk analysis] needs to be
>>> unbalanced just a bit to get manufacturers to act (do nothing is cost
>>> effective at the moment).
>>>
>>> Jeff
>>>
>>> On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw  wrote:
>>>> hi sc-l,
>>>>
>>>> This month's [in]security article takes on Cyber Law as its topic.  The
>>>> US Congress has been debating a cyber security bill this session and is
>>>> close to passing something.  Sadly, the Cybersecurity and Internet
>>>> Freedom Act currently being considered in the Senate (as an answer to
>>>> the problematic Cyber Intelligence Sharing and Protection Act (CISPA)
>>>> passed by the House in April) has very little to say about building
>>>> security in.
>>>>
>>>> Though cyber law has always lagged technical reality by several years,
>>>> ignoring the notion of building security in is a fundamental flaw.
>>>>
>>>>
>>>> http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems
>>>>
>>>> P

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
Hi Jeff,

I'm afraid I disagree.  The hyperbolic way to state this is, imagine YOUR
lawyer faced down by Microsoft's army of lawyers. You lose.

Software liability is not the way to go in my opinion.  Instead, I would
like to see the government develop incentives for good engineering.

gem

On 8/2/12 10:26 AM, "Jeffrey Walton"  wrote:

>Hi Dr. McGraw,
>
>> Cyber Intelligence Sharing and Protection Act (CISPA) passed by
>> the House in April) has very little to say about building security in.
>I'm convinced (in the US) that users/consumers need a comprehensive
>set of software liability laws. Consider the number of mobile devices
>that are vulnerable because OEMs stopped providing (or never provided)
>patches for vulnerabilities. The equation [risk analysis] needs to be
>unbalanced just a bit to get manufacturers to act (do nothing is cost
>effective at the moment).
>
>Jeff
>
>On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw  wrote:
>> hi sc-l,
>>
>> This month's [in]security article takes on Cyber Law as its topic.  The
>> US Congress has been debating a cyber security bill this session and is
>> close to passing something.  Sadly, the Cybersecurity and Internet
>> Freedom Act currently being considered in the Senate (as an answer to
>> the problematic Cyber Intelligence Sharing and Protection Act (CISPA)
>> passed by the House in April) has very little to say about building
>> security in.
>>
>> Though cyber law has always lagged technical reality by several years,
>>ignoring the notion of building security in is a fundamental flaw.
>>
>> http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems
>>
>> Please read this month's article and pass it on far and wide.  Send a
>>copy to your representatives in all branches of government.  It is high
>>time for the government to tune in to cyber security properly.
>>




[SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Gary McGraw
hi sc-l,

This month's [in]security article takes on Cyber Law as its topic.  The US 
Congress has been debating a cyber security bill this session and is close to 
passing something.  Sadly, the Cybersecurity and Internet Freedom Act currently 
being considered in the Senate (as an answer to the problematic  Cyber 
Intelligence Sharing and Protection Act (CISPA) passed by the House in April) 
has very little to say about building security in.

Though cyber law has always lagged technical reality by several years, ignoring 
the notion of building security in is a fundamental flaw.

http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

Please read this month's article and pass it on far and wide.  Send a copy to 
your representatives in all branches of government.  It is high time for the 
government to tune in to cyber security properly.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] Silver Bullet 76: David Evans

2012-07-30 Thread Gary McGraw
Oops!  forgot to include the URL.  Here it is:

http://www.cigital.com/silver-bullet/show-076/

gem

From: gem <g...@cigital.com>
Date: Friday, July 27, 2012 2:27 PM
To: Secure Code Mailing List <SC-L@securecoding.org>
Cc: David Evans <ev...@cs.virginia.edu>
Subject: Silver Bullet 76: David Evans

hi sc-l,

The 76th episode of Silver Bullet features a chat with Dave Evans, a professor 
at UVa and a well-respected security researcher.  David and I discuss (among 
other things) the founding of the Interdisciplinary Major in Computer Science 
(BA) at Uva and why a broad approach to Computer Science and Computer Security 
is a good idea, why data privacy gets short shrift in the United States, why 
people think (for no apparent reason) that their mobile devices are
secure, groceries, David's research on Secure Computation, and the Udacity 
project.  We close out the discussion with a story about David's trip to the
World Cup in Korea and a choice between GEB and scheme.

As always your feedback on the podcast is welcome.  I'm also actively seeking 
female interviewees for the podcast, so if you have any suggestions for future 
interviews, do tell!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Silver Bullet 76: David Evans

2012-07-30 Thread Gary McGraw
hi sc-l,

The 76th episode of Silver Bullet features a chat with Dave Evans, a professor 
at UVa and a well-respected security researcher.  David and I discuss (among 
other things) the founding of the Interdisciplinary Major in Computer Science 
(BA) at Uva and why a broad approach to Computer Science and Computer Security 
is a good idea, why data privacy gets short shrift in the United States, why 
people think (for no apparent reason) that their mobile devices are
secure, groceries, David's research on Secure Computation, and the Udacity 
project.  We close out the discussion with a story about David's trip to the
World Cup in Korea and a choice between GEB and scheme.

As always your feedback on the podcast is welcome.  I'm also actively seeking 
female interviewees for the podcast, so if you have any suggestions for future 
interviews, do tell!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] SearchSecurity: Mobile Security = Software Security

2012-07-15 Thread Gary McGraw
hi martin,

Great to see you in Athens this week.  Sorry about the registration thing.
As an author, I get very little say in the matter.  I hope you registered
as Mickey Mouse or Bill Gates.

gem

On 7/15/12 2:50 PM, "Martin Gilje Jaatun"  wrote:

>Hi Gary,
>
>I agree with everything you write in the article (although I was a bit
>peeved at having to register to read it...). It ties nicely in with a
>related topic that is being discussed a lot recently: "The danger of QR
>codes", where people argue that you shouldn't scan QR codes with your
>smartphone, since you don't know where they take you, and you might get
>infected with something (as allegedly carried out by "Th3 J35t3r" a few
>months back). Again, this is discussing the wrong problem - why are we
>accepting to use smartphone browsers that fall over at the merest whiff
>of an attack?
>
>-Martin
>
>On 07/06/2012 02:29 PM, Gary McGraw wrote:
>> hi sc-l,
>>
>> In April, my monthly [in]security column moved over to SearchSecurity
>>(TechTarget).  This month's installation appears in Information Security
>>magazine as well as on the usual websites.
>>
>> Because of all of the great work Cigital has done in mobile security,
>>there was plenty of fodder to draw from for a pithy article on mobile
>>security.  Take home message?  Build security in!  Every software
>>security Touchpoint is relevant and useful when it comes to mobile
>>security.
>>
>> Have a read, and pass it on.  Pile on the hits:
>> http://searchsecurity.techtarget.com/magazineContent/Gary-McGraw-on-mobile-security-Its-all-about-mobile-software-security
>>
>> Your feedback is always welcome.
>>
>> gem
>>
>> company www.cigital.com
>> podcast www.cigital.com/silverbullet
>> blog www.cigital.com/justiaceleague
>> book www.swsec.com
>>




[SC-L] SearchSecurity: Mobile Security = Software Security

2012-07-09 Thread Gary McGraw
hi sc-l,

In April, my monthly [in]security column moved over to SearchSecurity 
(TechTarget).  This month's installation appears in Information Security 
magazine as well as on the usual websites.

Because of all of the great work Cigital has done in mobile security, there was 
plenty of fodder to draw from for a pithy article on mobile security.  Take 
home message?  Build security in!  Every software security Touchpoint is 
relevant and useful when it comes to mobile security.

Have a read, and pass it on.  Pile on the hits:
http://searchsecurity.techtarget.com/magazineContent/Gary-McGraw-on-mobile-security-Its-all-about-mobile-software-security

Your feedback is always welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiaceleague
book www.swsec.com



[SC-L] Silver Bullet 74: Bruce Schneier

2012-05-31 Thread Gary McGraw
hi sc-l,

There are exactly two security gurus we have covered twice in Silver Bullet: 
Ross Anderson (who holds the all time record for hits) and Bruce Schneier.  
Both are very interesting thinkers and thought leaders in computer security.

Episode 74 is the second Silver Bullet conversation with Bruce.  We talked 
mostly about his new book Liars and Outliers, but the conversation ranged 
widely from economics to mixology.  I think you'll enjoy it:

http://www.cigital.com/silver-bullet/show-074/

As always, your feedback is welcome and encouraged.   Please pass this episode 
on to your friends and colleagues.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Flame provides an opportunity

2012-05-31 Thread Gary McGraw
hi sc-l,

Whenever a computer security disaster story breaks (pretty much the only kind 
of coverage cyber security can expect in the major press) we have an 
opportunity (while people are paying attention) to talk about how to avoid 
future disasters.  If we're lucky, we can leverage "the NASCAR effect" 
<http://www.darkreading.com/security/application-security/208803559/if-you-build-it-they-ll-crash-it.html>
 to discuss software security.

In my view, the only way we can get in front of modern malware is by building 
security in.  I wrote about that for SearchSecurity in May: Eliminating badware 
addresses malware problem 
<http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem>
 (May 2012).

Some of the Flame dustup in the press this week riffed on that idea and even 
mentioned the BSIMM (in the WSJ CIO Journal):
http://blogs.wsj.com/cio/2012/05/29/cios-should-see-flame-as-a-call-to-arms/?KEYWORDS=hickins

Also check out a related radio segment from Marketplace (aired on NPR):
http://www.marketplace.org/topics/tech/flame-malware-burns-through-cyberspace

It actually works to use the NASCAR effect to get our message out!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


