Company Blog

Software Security 2008

For the past three years, I have collected and published revenue numbers from tools and services in the software security space. Here are pointers to the three resulting articles, including this year’s NEW article (for 2008): informIT (2008): “Software Security Comes of Age: Space approaches $500M threshold”; informIT (2007): “Software Security Demand Rising”; Darkreading (2006): [...]

Reality Check: Jim Routh

Yesterday we released the second episode of the Reality Check Podcast. This month’s victim is Jim Routh, CISO of Depository Trust Clearing Corporation (DTCC). DTCC has a very advanced software security initiative that is well worth learning about. We talk about that in this interview. Have a listen! I’m also pleased to announce that CSO [...]

OWASP Podcast Features Gary McGraw

OWASP just posted an interview with me as part of their budding podcast series. It’s nice to have the tables turned after doing all the Silver Bullet (and Reality Check) interviews! It’s also nice to be able to answer some of the questions that OWASP types have about Cigital’s approach to software security. Download the [...]

Top Eleven Reasons Why Top 10 (or Top 25) Lists Don’t Work

On January 12th, the CWE/SANS Top 25 Most Dangerous Programming Errors list was released. Sean Barnum (a Principal Consultant) participated in the creation of the list, and I did some off the record review myself (not for attribution). There are some important good things about top ten lists that are worthy of mention. The notion [...]

New podcast: Reality Check

I’m happy to announce the launch of my new podcast, the Reality Check Security Podcast with Gary McGraw: The Reality Check Podcast with Gary McGraw focuses directly on software security practitioners and practical software security. Reality Check’s sister podcast, the Silver Bullet Security Podcast with Gary McGraw, follows a free-form interview style tailored to highlight [...]

Science-y fun with the Maturity Model Project

Brian Chess, Sammy Migues and I have been building a maturity model for software security. We decided to base our model on data gathered by interviewing 9 top software security programs. We developed a framework to guide a series of interviews for data acquisition. Though we have not completed the maturity model (analysis continues apace), [...]

New book: Web Security Testing Cookbook

Two of Cigital’s thought leaders, Paco Hope and Ben Walther, just published a new book from O’Reilly called the Web Security Testing Cookbook. I wrote the foreword for the book which is reprinted below. More information about the book can also be found on Facebook. Web applications suffer more than their share of security attacks. [...]

Web application security versus software security

I have been known to take the Web application security community to task for a myopic focus on Web and Web only. Being constrained by HTTP does serve to make things pretty easy! Lately, I have adjusted my thinking. Jeremiah Grossman and I cross paths out there on the evangelism circuit pretty often and have [...]

Software Security Framework

Brian Chess and I just published an article on the Software Security Framework displayed below. The framework has four domains, each with three practices:

Governance: Strategy and Metrics; Compliance and Policy; Training
Intelligence: Attack Models; Security Features and Design; Standards and Requirements
SDL Touchpoints: Architecture Analysis; Code Review; Security Testing
Deployment: Penetration Testing; Software Environment; Configuration Management and Vulnerability Management

Our plan is to [...]

RSS Feed for McGraw’s Columns

As Justice League readers know, I have been writing a security column since October 2004. I started with Network Magazine, and stayed with CMP through the launch of darkreading.com. In April, I moved the column to informIT. All of the columns can be found here. Many of my columns end up being about issues in [...]
