Justice League Blog
OWASP Podcast Features Gary McGraw
OWASP just posted an interview with me as part of their budding podcast series. It’s nice to have the tables turned after doing all the Silver Bullet (and Reality Check) interviews! It’s also nice to be able to answer some of the questions that OWASP types have about Cigital’s approach to software security. Download the [...]
Let the posturing begin…
Myself and others have been getting Webinar invites from IBM’s developerworks regarding Rational’s AppScan Developer Edition. This is of course part of the re-launch of the re-tooled AppScan product. It now includes a set of analysis types, some static and some dynamic. They’ve got fancy new names for subsets of each, some hair splitting to [...]
Top Eleven Reasons Why Top 10 (or Top 25) Lists Don’t Work
On January 12th, the CWE/SANS Top 25 Most Dangerous Programming Errors list was released. Sean Barnum (a Principal Consultant) participated in the creation of the list, and I did some off the record review myself (not for attribution). There are some important good things about top ten lists that are worthy of mention. The notion [...]
New podcast: Reality Check
I’m happy to announce the launch of my new podcast, the Reality Check Security Podcast with Gary McGraw: The Reality Check Podcast with Gary McGraw focuses directly on software security practitioners and practical software security. Reality Check’s sister podcast, the Silver Bullet Security Podcast with Gary McGraw, follows a free form interview style tailored highlight [...]
Not so Surprising [2,10]
In the last entry, I responded to dashboard initiatives and organizations’ attempt to measure. Examples focused on vulnerability-detection because a lot of software security expenditure has as well. Some practitioners, as well as software security managers, have realized that a focusing only on uncovering the problem won’t get it fixed. They’ve begun to document secure [...]
Not so Surprising [1,10]
Like Ken and Brian I’m pleased that results from this study are getting out there. I recently participated in the OWASP EU Summit, where Pravir and I conducted a session on the maturity model. The session had valuable industry participation. One of the things I’ve harped on for years now is that experts need to [...]
Structuring for Strategic Cyber Defense: State of the Nation and What We Can Do
I’ve been an organizer of ACSAC in one capacity or another for close to 20 years now, and I’ve managed to attend most years. The conference always meets in early December in a southern US city (2008 in Anaheim, 2009 in Honolulu). This year’s keynote speakers were Sami Saydjari (formerly of NSA and DARPA, and [...]
Science-y fun with the Maturity Model Project
Brian Chess, Sammy Migues and I have been building a maturity model for software security. We decided to base our model on data gathered by interviewing 9 top software security programs. We developed a framework to guide a series of interviews for data acquisition. Though we have not completed the maturity model (analysis continues apace), [...]
New book: Web Security Testing Cookbook
Two of Cigital’s thought leaders, Paco Hope and Ben Walther, just published a new book from O’Reilly called the Web Security Testing Cookbook. I wrote the foreword for the book which is reprinted below. More information about the book can also be found on Facebook. Web applications suffer more than their share of security attacks. [...]
The Three Pillars of Continuous Integration
This is a guest post from Meera Subbarao, a senior consultant at Cigital. Continuous Integration commonly known as CI is a process that consists of continuously compiling, testing, inspecting, and deploying source code. In any typical CI environment, this means running a new build every time code changes within a version control repository. Martin Fowler [...]
