Company Blog

Moving Cybersecurity Past Cyberplatitudes

John Pescatore from Gartner convened a virtual panel on the cybersecurity issue at the 2009 Gartner Information Security Summit. I provided a video for the panel answering two questions that John posed. The two questions get to the heart of the cybersecurity issue: Question 1: What should the US government do to drive real improvements [...]

New Security Reads

IEEE S&P: Securing Online Games (vol.7, no.3) IEEE Security & Privacy magazine remains the most important trade periodical on security published today. Though the content is on rare occasion esoteric, the magazine is always technically accurate and detailed. Only a peer-reviewed publication can offer readers a look at computer security as a science. Think [...]

Twitter Security

I just published a little ditty on Twitter security that is bound to get some interesting feedback. My bet is that much of the feedback is less than 140 characters long! My friend Joe Faber (of Spaghettios fame) sent me this YouTube video, which I think sums up Twitter nicely: Your longer feedback is welcome [...]

Software Security 2008

For the past three years, I have collected and published revenue numbers from tools and services in the software security space. Here are pointers to the three resulting articles, including this year’s NEW article (for 2008): informIT (2008): Software Security Comes of Age: Space approaches $500M threshold informIT (2007): Software Security Demand Rising Darkreading (2006): [...]

Reality Check: Jim Routh

Yesterday we released the second episode of the Reality Check Podcast. This month’s victim is Jim Routh, CISO of Depository Trust Clearing Corporation (DTCC). DTCC has a very advanced software security initiative that is well worth learning about. We talk about that in this interview. Have a listen! I’m also pleased to announce that CSO [...]

OWASP Podcast Features Gary McGraw

OWASP just posted an interview with me as part of their budding podcast series. It’s nice to have the tables turned after doing all the Silver Bullet (and Reality Check) interviews! It’s also nice to be able to answer some of the questions that OWASP types have about Cigital’s approach to software security. Download the [...]

Top Eleven Reasons Why Top 10 (or Top 25) Lists Don’t Work

On January 12th, the CWE/SANS Top 25 Most Dangerous Programming Errors list was released. Sean Barnum (a Principal Consultant) participated in the creation of the list, and I did some off-the-record review myself (not for attribution). There are some important good things about top ten lists that are worthy of mention. The notion [...]

New podcast: Reality Check

I’m happy to announce the launch of my new podcast, the Reality Check Security Podcast with Gary McGraw: The Reality Check Podcast with Gary McGraw focuses directly on software security practitioners and practical software security. Reality Check’s sister podcast, the Silver Bullet Security Podcast with Gary McGraw, follows a free-form interview style tailored to highlight [...]

Science-y fun with the Maturity Model Project

Brian Chess, Sammy Migues and I have been building a maturity model for software security. We decided to base our model on data gathered by interviewing 9 top software security programs. We developed a framework to guide a series of interviews for data acquisition. Though we have not completed the maturity model (analysis continues apace), [...]

New book: Web Security Testing Cookbook

Two of Cigital’s thought leaders, Paco Hope and Ben Walther, just published a new book from O’Reilly called the Web Security Testing Cookbook. I wrote the foreword for the book which is reprinted below. More information about the book can also be found on Facebook. Web applications suffer more than their share of security attacks. [...]

Page 4 of 6