Company Blog
OWASP Podcast Features Gary McGraw
OWASP just posted an interview with me as part of their budding podcast series. It’s nice to have the tables turned after doing all the Silver Bullet (and Reality Check) interviews! It’s also nice to be able to answer some of the questions that OWASP types have about Cigital’s approach to software security. Download the [...]
Let the posturing begin…
Myself and others have been getting Webinar invites from IBM’s developerworks regarding Rational’s AppScan Developer Edition. This is of course part of the re-launch of the re-tooled AppScan product. It now includes a set of analysis types, some static and some dynamic. They’ve got fancy new names for subsets of each, some hair splitting to [...]
Top Eleven Reasons Why Top 10 (or Top 25) Lists Don’t Work
On January 12th, the CWE/SANS Top 25 Most Dangerous Programming Errors list was released. Sean Barnum (a Principal Consultant) participated in the creation of the list, and I did some off the record review myself (not for attribution). There are some important good things about top ten lists that are worthy of mention. The notion [...]
New podcast: Reality Check
I’m happy to announce the launch of my new podcast, the Reality Check Security Podcast with Gary McGraw: The Reality Check Podcast with Gary McGraw focuses directly on software security practitioners and practical software security. Reality Check’s sister podcast, the Silver Bullet Security Podcast with Gary McGraw, follows a free form interview style tailored highlight [...]
Not so Surprising [2,10]
In the last entry, I responded to dashboard initiatives and organizations’ attempt to measure. Examples focused on vulnerability-detection because a lot of software security expenditure has as well. Some practitioners, as well as software security managers, have realized that a focusing only on uncovering the problem won’t get it fixed. They’ve begun to document secure [...]
