About the Bloggers
Gary McGraw

Gary McGraw is the CTO of Cigital, Inc., a software security consulting firm with headquarters in the Washington, D.C. area and offices throughout the world. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Dasient, Fortify Software (acquired by HP), Invincea, and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT).
Scott Matsumoto

Scott Matsumoto is a Principal Consultant at Cigital, bringing over 20 years of commercial software product development experience to the company. At Cigital, Scott is responsible for the security architecture practice within the company. He consults for many of Cigital’s clients on security architecture topics such as Cloud Computing Security, SOA Security, fine-grained entitlements systems, and SOA Governance. His prior experience encompasses development of component-based middleware, performance management systems, graphical UIs, language compilers, database management systems, and operating system kernels.
Scott is a founding member of the Cloud Security Alliance (CSA) and is actively involved in its Trusted Computing Initiative.
Sammy Migues

Sammy Migues is the Director of Knowledge Management and Training at Cigital. Sammy is an information security visionary with a proven record of entrepreneurial innovation, intellectual capital development, practical business solutions, and performance optimization. As a founding member of four security services organizations, Sammy was responsible for creating the practical knowledge leveraged for repeatability and growth. As an active creator and participant in activities ranging from early NSA “Rainbow Books,” NIST Common Criteria, and DoD DITSCAP initiatives to state-of-the-art compliance matrices and security risk models, he made critical observations on the evolving relationships between information security threat, vulnerability, risk, and business objectives. From this experience, he recently turned his attention to the knowledge management aspects of information security governance and compliance, providing direct guidance to Fortune 500 leaders on efficiently “building security in” to everyday business activities. He is actively taking his practical management, technical, and thought leadership experience and applying it to the emerging enterprise security risk management discipline in areas such as governance, compliance, and internal control; quantitative and qualitative risk analysis and modeling; security architecture, testing, and evaluation; executive scorecards; training; and applied research.
Jason Rouse

Jason has spent the last five years designing, implementing, and deploying state-of-the-art wireless security solutions for mobile environments, spanning access control, application management, payment systems, and hybrid J2EE-and-mobile systems. His work has helped clients identify the biggest risks in their mobile applications. For example, after reviewing a mobile payment system that used SMS messages to alert the user to opportunities in the market, errors were found in the handset and back-end that could lead to denial of service on both the handsets and the back-end servers. The mobile environment’s mix of custom hardware, software, and architectures can make finding, verifying, and remediating these types of issues exceptionally difficult, showing the unique security threats present in mobile environments. As a trusted advisor, Jason has led standards efforts, chairing the FSTC Mobile Payment Security workgroup to identify and document technology-based opportunities for banks in the mobile arena. The project aims to define standards for technology and interoperability that give all mobile phone users a seamless, secure, and easy-to-use payment option for everyday banking.
John Steven

John Steven is the Senior Director, Advanced Technology Consulting at Cigital, with over a decade of hands-on experience in software security. John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John’s keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks regularly at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science, both from Case Western Reserve University.