Using Attack Graphs to Design Systems (PDF)
S. Gupta, J. Winstead
IEEE Security & Privacy (Nov/Dec 2007)
Online Games and Security (PDF)
G. McGraw, G. Hoglund
IEEE Security & Privacy (Sep/Oct 2007)
Defining Misuse Within the Development Process (PDF)
G. Peterson, J. Steven
IEEE Security & Privacy (Nov/Dec 2006)
Essential Factors for Successful Software Security Awareness Training (PDF)
K. Van Wyk, J. Steven
IEEE Security & Privacy (Sep/Oct 2006)
Introduction to Identity Management Risk Metrics (PDF)
G. Peterson
IEEE Security & Privacy (Jul/Aug 2006)
Introduction to Identity Management Risk Metrics (PDF)
G. Peterson (ed. J. Steven)
IEEE Security & Privacy (Jul/Aug 2006)
Putting the Tools to Work: How to Succeed with Source Code Analysis (PDF)
P. Chandra, B. Chess, J. Steven
IEEE Security & Privacy (May/Jun 2006)
Adopting an Enterprise Software Security Framework (PDF)
J. Steven
IEEE Security & Privacy (Mar/Apr 2006)
How Flawed is Microsoft? (PDF)
G. McGraw
IT Architect Magazine, March 1, 2006.
Software Security and SOA: Danger, Will Robinson! (PDF)
J. Epstein, S. Matsumoto, G. McGraw
IEEE Security & Privacy (Jan/Feb 2006)
Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors (PDF)
K. Tsipenyuk, B. Chess, G. McGraw
IEEE Security & Privacy (Nov/Dec 2005)
Bridging the Gap Between Software Development and Information Security (PDF)
K.R. van Wyk, G. McGraw
IEEE Security & Privacy (Sep/Oct 2005)
A Portal for Software Security (PDF)
N.R. Mead and G. McGraw
IEEE Security & Privacy (Jul/Aug 2005)
How Does Security Fit With Engineering? (PDF)
G. McGraw
Network Magazine, May 1, 2005.
Adopting a Software Security Improvement Program (PDF)
D. Taylor and G. McGraw
IEEE Security & Privacy (May/Jun 2005)
Software Penetration Testing (PDF)
B. Arkin, S. Stender, G. McGraw
IEEE Security & Privacy (Jan/Feb 2005)
Who Should Do Security? (PDF)
G. McGraw
Network Magazine, October 1, 2004.
Risk Analysis in Software Design (PDF)
D. Verdon, G. McGraw
IEEE Security & Privacy (July/August 2004; pp. 32-37) (Building Security In)
Misuse and Abuse Cases: Getting Past the Positive (PDF)
P. Hope, G. McGraw, A. Anton
IEEE Security & Privacy (May/Jun 2004)
Dire Straits (HTML)
G. McGraw, G. Hoglund
Information Security (April 2004)
Software Security (PDF)
G. McGraw
IEEE Security & Privacy (March/April 2004; Volume 2, Number 2, pp. 32-35)
Building Secure Software: Better than Protecting Bad Software (PDF)
G. McGraw
IEEE Software (November/December 2002; Vol. 19, No. 6, pp. 57-59) (Point/Counterpoint with Greg Hoglund)
Choosing a programming language and a distributed object platform (HTML)
G. McGraw, J. Viega
IBM developerWorks (Feb 1, 2002)
Protecting passwords: Part 2 (HTML)
G. McGraw, J. Viega
IBM developerWorks (September 2000)
Protecting passwords: Part 1 (HTML)
G. McGraw, J. Viega
IBM developerWorks (August 2000)
Make your software behave: Cryptography essentials (HTML)
G. McGraw, T. O'Connor
IBM developerWorks (July 2000)
Make your software behave: Tried and true encryption (HTML)
G. McGraw, J. Viega
IBM developerWorks (Jun 1, 2000)
Make your software behave: Playing the numbers (HTML)
G. McGraw, J. Viega
IBM developerWorks (Apr 4, 2000)
Software security principles, Part 4: Keep it simple; keep it private (HTML)
G. McGraw, J. Viega
IBM developerWorks (December 2000)
Software security principles, Part 3: Controlling access: Least privilege and compartmentalization (HTML)
G. McGraw, J. Viega
IBM developerWorks (November 2000)
Software security principles: Part 2: Defense in depth and secure failure (HTML)
G. McGraw, J. Viega
IBM developerWorks (November 2000)
Software security principles: Part 1: The chain is only as strong as its weakest link (HTML)
G. McGraw, J. Viega
IBM developerWorks (October 2000)
Make your software behave: Security by obscurity (HTML)
G. McGraw, J. Viega
IBM developerWorks (October 2000)
Statically Scanning Java Code: Finding Security Vulnerabilities
G. McGraw, J. Viega
IEEE Software (September/October 2000)
Make your software behave: Brass tacks and smash attacks (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 14, 2000)
Make your software behave: Preventing buffer overflows (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 7, 2000)
Make your software behave: Learning the basics of buffer overflows (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 1, 2000)
Make your software behave: Assuring your software is secure (HTML)
G. McGraw, J. Viega
IBM developerWorks (Feb 28, 2000)
Java 2 security and stack inspection (HTML)
G. McGraw
Gamelan.com, May 12, 1999.
Why COTS Software Increases Security Risks (PS / PDF)
G. McGraw, J. Viega
ICSE Workshop on Testing Distributed Component-Based Systems, May 1999.
Software Assurance for Security (PDF / Word)
G. McGraw
IEEE Computer 32(4), pages 103-105. April 1999.
Twelve Rules for Developing More Secure Java Code (HTML)
G. McGraw, E. Felten
Java World, December 1998.
Third-Party Java Security Vendors: Solutions or Snake Oil? (Word)
G. McGraw, E. Felten
Java Report, December 1998.
Privileged code in Java: Why the API changed from JDK1.2beta3 to JDK1.2beta4 (HTML)
G. McGraw
developer.com, August 31, 1998.
E-Commerce Security: No Silver Bullet
A.K. Ghosh
In Proceedings of the IFIP WG 11.3 Working Conference on Database Security, July 15-17, 1998, Chalkidiki, GR.
Testing for Security During Development: Why we should scrap penetrate-and-patch. (PS / PDF)
G. McGraw
IEEE Aerospace and Electronic Systems, April 1998.
Implementing Assertions for Java (HTML)
J. Payne, M. Schatz, M. Schmid
Dr. Dobb's Journal, January 1998.
Testing for Security During Development: Why We Should Scrap Penetrate-and-Patch (PS)
G. McGraw
In Proceedings of 12th Annual Conference on Computer Assurance, June 16-20, 1997, Gaithersburg, MD.
A framework for creating custom rules for static analysis tools (PDF)
E. Dalci, J. Steven
Static Analysis Summit at NIST (June 29, 2006)
Is Your Mac Really More Secure? (PDF)
G. McGraw
Network Magazine, April 1, 2005.
Knowledge for Software Security (PDF)
S. Barnum, G. McGraw
IEEE Security & Privacy (Mar/Apr 2005)
Are We In a Computer Security Renaissance? (PDF)
G. McGraw
Network Magazine, February 1, 2005.
How Do Real Bad Guys Break Software? (PDF)
G. McGraw
Network Magazine, December 1, 2004.
Application Security Testing Tools: Worth the Money? (PDF)
G. McGraw
Network Magazine, November 1, 2004.
Risk Analysis in Software Design (PDF)
D. Verdon, G. McGraw
IEEE Security & Privacy (July/August 2004; pp. 32-37) (Building Security In)
Exploiting Software: The Achilles' Heel of CyberDefense (PDF / HTML)
G. McGraw, G. Hoglund
CyberDefense Magazine (June 2004)
Regulation and Information Security: Can Y2K Lessons Help Us? (PDF)
J. Payne
IEEE Security & Privacy (March/April 2004; Vol. 2, No. 2, pp. 32-35) (On the Horizon)
Putting Software Terminology To the Test (PDF)
J. Steven
IEEE Software (May/June 2002)
Operating systems and authentication technologies (HTML)
G. McGraw, J. Viega
IBM developerWorks (Feb 1, 2002)
Make your software behave: Brass tacks and smash attacks (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 14, 2000)
Make your software behave: Preventing buffer overflows (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 7, 2000)
Make your software behave: Learning the basics of buffer overflows (HTML)
G. McGraw, J. Viega
IBM developerWorks (Mar 1, 2000)
How We Learned to Cheat in Online Poker: A Study in Software Security (PDF / HTML)
B. Arkin, F. Hill, S. Marks, M. Schmid, T.J. Walls, G. McGraw
Developer.Com, 09/28/99.
Mobile Code Security (HTML)
G. McGraw and E. Felten
Editors, IEEE Internet Computing, November/December 1998.
An Approach for Certifying Security in Software Components (PS / PDF)
A. Ghosh, G. McGraw
Proceedings of the 21st National Information Systems Security Conference, October 5-8, 1998, Crystal City, VA.
Agent Trustworthiness (PS / PDF)
L. Kassab, J. Voas
Workshop on Mobile Object Systems: Secure Internet Mobile, July, 1998, Brussels, Belgium.
An Automated Approach for Identifying Potential Vulnerabilities in Software (PS / PDF)
A. Ghosh, T. O'Connor, G. McGraw
Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA. May 3-6, 1998, pp. 104-114.
Smart Cards, Java Cards and Security (HTML)
G. McGraw
developer.com, January 19, 1998.
Developing Expertise in Software Security: An Outsider's Perspective (PS / PDF)
G. McGraw, A.K. Ghosh
In working notes of the Invitational Workshop on Computer Vulnerability Data Sharing, NIST, June 1996.