Archive for the 'Admin' Category

Making a move

I have been writing a monthly column on computer security and software security since October 2004. In the beginning, the column appeared in Network magazine. Later, that magazine was eaten by IT Architect. Here’s a set of pointers to those early articles:

We all know what’s happening to magazines and newspapers, though, don’t we? They’re turning to bits. When CMP killed IT Architect magazine (along with most of the rest of their paper publications), they repurposed much of the content into websites. I started writing for darkreading.com from the very beginning. Here’s a set of pointers to the darkreading articles:

Just recently, I decided to move my monthly column to informIT. The readership is much larger, and I like the affiliation with the company that publishes my books. As part of that move, you can also expect to see Silver Bullet syndicated through informIT. You can help me make the move a success by keeping up with my column through informIT. (We’re also planning an RSS feed for the articles, so watch for that as well.)

The first column for informIT is just as much about business as it is about technology. One of the issues we constantly face at Cigital is the problem of helping our customers sell the idea of software security best practices up the chain. A common (and misguided) view is that software security best practices increase development time and add cost. As you can see in my first column, that’s simply not true. Here’s a pointer:

Software [In]security: Paying for Secure Software

I’m very much interested in your feedback on my column and any suggestions you have for topics. Feel free to use the forum below to get in touch. Thanks for reading!

Merry New Year

Merry New Year to all. Here’s to even better software security in 2008.

As many of you know, I have a podcast called “The Silver Bullet Security Podcast with Gary McGraw.” The premise of the podcast is to interview various security gurus, both from industry and academia. We’ve done some great ones, including Ross Anderson, Bruce Schneier, and John Stewart.

For episode 21 of the podcast, I interviewed the Cigital principals…the very people who (supposedly) produce this blog. You can download the podcast here.

We’ve also made a transcript of the show available in pdf form.

During the show we talk plenty about some of the lessons we’ve learned about enterprise software security from our work with customers. We also compare and contrast the Touchpoints, CLASP, and Microsoft’s SDL.

While you’re surfing for multi-media, you might get a kick out of this Merry New Year message from Silver Bullet.

Welcome

Welcome to Cigital’s brand new software security and software quality blog. That’s right, after ranting and raving in other forums for over a decade, we’ve decided to take it to the Web. Let’s call this blog “Justice League.” We’re glad you’re here.

It’s customary to start a blog with administrivia, and this one should be no exception. Justice League will be a joint production of all of the Principal Consultants at Cigital. So, yes, it’s a corporate blog (wah wah waaah), but we promise that it will not suck. We’ll be passing the baton around like a hot potato. “No, after you.” “Please, after you.” Somehow I ended up with the potato first.

I guess it’s my job to set the stage and introduce your cast. Many of you know me from my external speaking and writing. I’m Gary McGraw, CTO of Cigital, author of a big pile of books on software security, and host of the Silver Bullet Security Podcast. In my secret other life I am the fiddler for Where’s Aubrey.

Joining me to produce this blog will be <insert drumroll here>:

  • Pravir Chandra. Pravir joined the Cigital team from Secure Software where he was Co-Founder and Chief Security Architect. Pravir is best known for his work on CLASP and for running an Operations Security group at AOL. Slightly lesser known is that Pravir was once a research associate at Cigital about a million years ago. In addition to being one of the top minds in the world in software security, Pravir is super nice, brilliant, and loads of fun.
  • Scott Matsumoto. The great thing about Scott is that he brings 20 years of hard core commercial development experience to the team. Scott has served as CTO of both Spring Street Networks and Xtremesoft (where he was a co-founder as well). Scott is a seasoned software architect and a database guru. Scott is as self-effacing as he is experienced, but don’t let him fool you—he’s sneaky, clever, patient, and has attained the Buddha calm.
  • Sammy Migues. Sammy has a long, storied career in security stretching back before I was born (ok, not really). Sammy contributed to the infamous Rainbow Books (thanks, man), helped to invent the concept of software assurance, and has been applying knowledge management techniques to computer security for a decade. Sammy was the Chief Scientist of iDefense and Principal Scientist at Cybertrust before he joined Cigital. Sammy escaped from Louisiana in a similar fashion to my escape from Tennessee: we both found a pair of shoes and slipped across the border.
  • Craig Miller. Craig really does have computer science bona fides stretching back to before I was born! In fact, he is the most seasoned technical veteran in the firm. Craig has been Chief Scientist of SAIC, CTO of Proxicom, North American CTO and Global Chief Architect of Dimension Data, and a bunch of other things. Like me, he’s a Dr. of something or other. He’s also a music fanatic, a yarn teller, and a jolly good fellow.
  • John Steven. The infamous John Steven (or jS as I call him) has been with Cigital for many years. John is my right-hand man, and is one of the main reasons that my job rocks. John’s knowledge of Java goes as deep as the inner workings of the VM and gets as lofty as architectural patterns for MVCs in J2EE. John is intense, intelligent, and introspective. He also has just a few opinions.

Together, we plan to cover lots of ground in software security and software quality in this blog. We’re hoping for a dialog, so please tell us what you like, call us on the baloney, throw us the occasional bone, and generally enjoy yourself. We aim to have fun with this blog in an open interactive way.

My friends who run blogs—including my girlfriend from high school, all my buds at Fortify Software and my friend Jon Udell (who has been blogging basically forever)—all keep their entries short and personal. We’ll try to emulate them.

For the first few weeks, expect a new post every 2-3 days. First up is John Steven. Hey man, catch the potato…
