Admin
Open Source and Software Maturity Models
I’m at the BSIMM3 Conference, in an open source breakout session. The context: you’re an organization with a reasonable application security program. The question, “How to apply that same process maturity to open source where no ‘throat to choke’ exists?” Your organization and its software-providing vendors may not be perfect but at least you can [...]
Suggestions for ESAPI 2.1 and Beyond
This year’s ESAPI Summit, organized by Chris Schmidt and other contributors, represented a marked improvement over previous conversations. A clear evolutionary path for the family of security toolkits lies ahead. In order to achieve broader adoption and greater effect in larger enterprises the project’s participants must focus not just on API-level design but also on [...]
When All You Have is a Hammer…
We’ve probably all experienced organizations that rely principally on a single assessment technique (whether it be static or dynamic, manual or tool-based). Unfortunately, this is all too common for security practices. When this topic came up recently with the question (paraphrased), “Are there numbers that demonstrate the value of a security program making use of [...]
Slapping Your Forehead Tomorrow
As usual @oneraindrop has written an interesting article on the cost of things entitled looking-backwards-from-the-future. In his post he discusses the need to consider the cost of things in terms of the opportunity lost by doing them: “Jim Rogers has a great practice on saving – when you think of buying something today, simply multiply [...]
Marching for “False Positives” or “Focusing on What to Fix”
‘A short but important one, while I hop a train. Static analysis proponents, myself especially, have taken up the flag of “visibility” and paraded chanting “Customize to reduce False Positives”; I apologize. This provides tremendous benefit but misleads. Discussing the topic with @Wh1t3Rabbit, it occurred to me: time to change perception. So, why talk about [...]
Reality Check: Jim Routh
Yesterday we released the second episode of the Reality Check Podcast. This month’s victim is Jim Routh, CISO of Depository Trust Clearing Corporation (DTCC). DTCC has a very advanced software security initiative that is well worth learning about. We talk about that in this interview. Have a listen! I’m also pleased to announce that CSO [...]
OWASP Podcast Features Gary McGraw
OWASP just posted an interview with me as part of their budding podcast series. It’s nice to have the tables turned after doing all the Silver Bullet (and Reality Check) interviews! It’s also nice to be able to answer some of the questions that OWASP types have about Cigital’s approach to software security. Download the [...]
New podcast: Reality Check
I’m happy to announce the launch of my new podcast, the Reality Check Security Podcast with Gary McGraw: The Reality Check Podcast with Gary McGraw focuses directly on software security practitioners and practical software security. Reality Check’s sister podcast, the Silver Bullet Security Podcast with Gary McGraw, follows a free form interview style tailored highlight [...]
Justice League’s Newest Blogger
Greetings! I’m Jeremy Epstein, the newest member of the Cigital blogging team. I’ve joined Cigital after nearly 9 years with Software AG (and webMethods, before it was acquired by Software AG), and will be focused on software security in the federal space. Software security is a passion of mine – I’ve been talking about it, [...]
Making a move
I have been writing a monthly column on computer security and software security since October 2004. In the beginning, the column appeared in Network magazine. Later, that magazine was eaten by IT Architect. Here’s a set of pointers to those early articles: Who Should Do Security? (October 2004) Application Security Testing Tools: Worth the Money? [...]
