Publications 
The papers available here are for personal use only. A simple-but-extensive help file is available for viewers who are experiencing difficulty opening certain documents.
| Author | Title | Publication | Formats | Categories |
|---|---|---|---|---|
| G. McGraw | Software Security Crosses the Threshold | informIT (August 16, 2010) | HTML | |
| G. McGraw | Obama Highlights Cyber Security Progress | informIT (July 16, 2010) | HTML | |
| G. McGraw | Cyber War - Hype or Consequences? | informIT (June 17, 2010) | HTML | |
| G. McGraw, B. Chess, S. Migues, E. Nichols | BSIMM2: Measuring the Emergence of a Software Security Community | informIT (May 12, 2010) | HTML | |
| G. McGraw, I. Arce | Assume Nothing: Is Microsoft Forgetting a Crucial Security Lesson? | informIT (April 30, 2010) | HTML | |
| G. McGraw | The Smart (Electric) Grid and Dumb Cybersecurity | informIT (March 26, 2010) | HTML | |
| G. McGraw, B. Chess, S. Migues | What Works in Software Security | informIT (February 26, 2010) | HTML | |
| G. McGraw | Cargo Cult Computer Security | informIT (January 28, 2010) | HTML | |
| G. McGraw | Silver Bullet Talks with Christofer Hoff | IEEE Security & Privacy (January/February 2010) (PPV) | PDF, HTML | |
| G. McGraw | You Really Need a Software Security Group | informIT (December 21, 2009) | HTML | |
| G. McGraw | BSIMM Europe | informIT (November 10, 2009) | HTML | |
| J. Routh, G. McGraw | Lifestyle Hackers | CSO Online (November 2, 2009) | HTML | |
| G. McGraw | Startup Lessons | informIT (October 22, 2009) | HTML | |
| G. McGraw, S. Migues | BSIMM Begin | informIT (September 24, 2009) | HTML | |
| G. McGraw | Attack Categories and History Prediction | informIT (August 25, 2009) | HTML | |
| G. McGraw | Moving U.S. Cybersecurity Beyond Cyberplatitudes | informIT (July 16, 2009) | HTML | |
| G. McGraw, J. Routh | Measuring Software Security | informIT (June 18, 2009) | HTML | |
| G. McGraw | Securing Online Games: Safeguarding the Future of Software Security | IEEE Security & Privacy (May/June 2009) | PDF | |
| G. McGraw | Twitter Security | informIT (May 15, 2009) | HTML | |
| G. McGraw | Software Security Comes of Age | informIT (April 16, 2009) | HTML | |
| G. McGraw, B. Chess, S. Migues | The Building Security In Maturity Model (BSIMM) | informIT (March 16, 2009) | HTML | |
| G. McGraw, B. Chess, S. Migues | Nine Things Everybody Does: Software Security Activities from the BSIMM | informIT (February 9, 2009) | HTML | |
| G. McGraw | Top 11 Reasons Why Top 10 (or Top 25) Lists Don't Work | informIT (January 13, 2009) | HTML | |
| G. McGraw | Software Security Top 10 Surprises | informIT (December 15, 2008) | HTML | |
| G. McGraw | How Things Work: Automated Code Review Tools for Security | Computer (December 2008) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | Web Applications and Software Security | informIT (November 14, 2008) | HTML | |
| G. McGraw, B. Chess | A Software Security Framework: Working Towards a Realistic Maturity Model | informIT (October 15, 2008) | HTML | |
| G. McGraw | Getting Past the Bug Parade | informIT (September 17, 2008) | HTML | |
| G. McGraw | Software Security Demand Rising | informIT (August 11, 2008) | HTML | |
| G. McGraw | Application Assessment as a Factory | informIT (July 17, 2008) | HTML | |
| G. McGraw | Securing Web 3.0 | informIT (May 15, 2008) | HTML | |
| G. McGraw | Paying for Secure Software | informIT (April 7, 2008) | HTML | |
| G. McGraw | The Truth Behind Code Analysis | Dark Reading (February 13, 2008) | HTML | |
| G. McGraw | Software Security Strategies | Dark Reading (January 9, 2008) | HTML | |
| G. McGraw | Beyond the PCI Band-Aid | Dark Reading (December 10, 2007) | HTML | |
| G. McGraw | Online Games & the Law | Dark Reading (October 11, 2007) | HTML | |
| G. McGraw | Mobile Insecurity | Dark Reading (September 14, 2007) | HTML | |
| G. McGraw, G. Hoglund | Online Games and Security | IEEE Security & Privacy (Sep/Oct 2007) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | The Ultimate Insider | Dark Reading (August 14, 2007) | HTML | |
| G. McGraw | Consolidate This | Dark Reading (July 12, 2007) | HTML | |
| G. McGraw | JSON, Ajax & Web 2.0 | Dark Reading (June 7, 2007) | HTML | |
| G. McGraw | Certifiable | Dark Reading (May 9, 2007) | HTML | |
| G. McGraw | Want Turns to Need | Dark Reading (April 20, 2007) | HTML | |
| G. McGraw | Compliance As Kick-Starter | Dark Reading (March 12, 2007) | HTML | |
| G. McGraw | Security's Symbiosis | Dark Reading (February 27, 2007) | HTML | |
| G. McGraw | Hurray for Hollywood!? | Dark Reading (January 12, 2007) | HTML | |
| G. McGraw | Foxy Vista Henhouse | Dark Reading (December 11, 2006) | HTML | |
| G. McGraw | Boarding-Pass Brouhaha | Dark Reading (November 2, 2006) | HTML | |
| G. McGraw | Diebold Disses Democracy | Dark Reading (October 9, 2006) | HTML | |
| G. McGraw | Keep Your Laws Off My Security | Dark Reading (September 7, 2006) | HTML | |
| G. McGraw | Google is Evil | Dark Reading (August 4, 2006) | HTML | |
| G. McGraw | If You Build It, They'll Crash It | Dark Reading (July 7, 2006) | HTML | |
| G. McGraw | Beyond the Badness-ometer | Dr. Dobb's (June 30, 2006) | HTML | |
| G. McGraw | New Terrorist Profile: Phone Users | Dark Reading (June 13, 2006) | HTML | |
| G. McGraw | As Security Problems Grow, Time for Software Assessment Is Now | SD Times (June 1, 2006) | HTML | |
| G. McGraw | Microsoft's Missed Opportunity | Dark Reading (May 3, 2006) | HTML | |
| G. McGraw | How Flawed is Microsoft? | IT Architect Magazine (March 1, 2006) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | Is Application Security Training Worth the Money? | IT Architect Magazine (February 1, 2006) | PDF | |
| G. McGraw | Is Sony BMG Run By Malicious Hackers? | IT Architect Magazine (January 1, 2006) | PDF | |
| J. Epstein, S. Matsuomoto, G. McGraw | Software Security and SOA: Danger, Will Robinson! | IEEE Security & Privacy (Jan/Feb 2006) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | When Does Security Cross the Line? | IT Architect Magazine (December 1, 2005) | PDF | |
| K. Tsipenyuk, B. Chess, G. McGraw | Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors | IEEE Security & Privacy (Nov/Dec 2005) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | Is Security Really About Getting Nothing Done? | IT Architect Magazine (November 1, 2005) | PDF | |
| G. McGraw | How Bad Is Intrusion Detection? | IT Architect Magazine (October 1, 2005) | PDF | |
| K.R. van Wyk, G. McGraw | Bridging the Gap Between Software Development and Information Security | IEEE Security & Privacy (Sep/Oct 2005) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | Is Cisco Naked? | IT Architect Magazine (September 1, 2005) | PDF | |
| G. McGraw | Is VoIP Secure Enough For Prime Time? | IT Architect Magazine (August 1, 2005) | PDF | |
| G. McGraw | Is Penetration Testing a Good Idea? | Network Magazine (July 1, 2005) | PDF | |
| N.R. Mead, G. McGraw | A Portal for Software Security | IEEE Security & Privacy (Jul/Aug 2005) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | Are Cell Phones the Next Target? | Network Magazine (June 1, 2005) | PDF | |
| G. McGraw | How Does Security Fit With Engineering? | Network Magazine (May 1, 2005) | PDF | Security, Applications & OS Security, Building Secure Software |
| D. Taylor, G. McGraw | Adopting a Software Security Improvement Program | IEEE Security & Privacy (May/Jun 2005) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | Is Your Mac Really More Secure? | Network Magazine (April 1, 2005) | PDF | Security, Applications & OS Security |
| G. McGraw | Where Does Trust Come From? | Network Magazine (March 1, 2005) | PDF | |
| S. Barnum, G. McGraw | Knowledge for Software Security | IEEE Security & Privacy (Mar/Apr 2005) | PDF | Security, Applications & OS Security |
| G. McGraw | Are We In a Computer Security Renaissance? | Network Magazine (February 1, 2005) | PDF | Security, Applications & OS Security |
| B. Arkin, S. Stender, G. McGraw | Software Penetration Testing | IEEE Security & Privacy (Jan/Feb 2005) | PDF | Security, Applications & OS Security, Building Secure Software, Reliability, Testing |
| G. McGraw | Innovative Rootkits: The Ultimate Weapon? | Network Magazine (January 1, 2005) | PDF | Security, Malicious Software |
| G. McGraw | How Do Real Bad Guys Break Software? | Network Magazine (December 1, 2004) | PDF | Security, Applications & OS Security |
| B. Chess, G. McGraw | Static Analysis for Security | IEEE Security & Privacy (Nov/Dec 2004) | PDF | |
| G. McGraw | Application Security Testing Tools: Worth the Money? | Network Magazine (November 1, 2004) | PDF | Security, Applications & OS Security |
| G. McGraw | Who Should Do Security? | Network Magazine (October 1, 2004) | PDF | Security, Applications & OS Security, Building Secure Software |
| B. Potter, G. McGraw | Software Security Testing | IEEE Security & Privacy (Sep/Oct 2004) | PDF | |
| D. Verdon, G. McGraw | Risk Analysis in Software Design | IEEE Security & Privacy (July/August 2004; pp. 32-37) (Building Security In) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, G. Hoglund | Exploiting Software: The Achilles' Heel of CyberDefense | CyberDefense Magazine (June 2004) | PDF, HTML | Security, Applications & OS Security |
| P. Hope, G. McGraw, A. Anton | Misuse and Abuse Cases: Getting Past the Positive | IEEE Security & Privacy (May/June 2004; Vol. 2, No. 3) (Building Security In) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, G. Hoglund | Dire Straits | Information Security (April 2004) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | Software Security | IEEE Security & Privacy (March/April 2004; Vol. 2, No. 2, pp. 32-35) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, et al. | Processes to Produce Secure Software | National Cyber Security Summit | PDF | |
| G. McGraw | Building Secure Software: Better than Protecting Bad Software | IEEE Software (November/December 2002; Vol. 19, No. 6, pp. 57-59) (Point/Counterpoint with Greg Hoglund) | PDF | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Operating systems and authentication technologies | IBM developerWorks (Feb 1, 2002) | HTML | Security, Applications & OS Security |
| G. McGraw, J. Viega | Choosing a programming language and a distributed object platform | IBM developerWorks (Feb 1, 2002) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Software security principles, Part 5: On keeping secrets, trusting others, and following the crowd | IBM developerWorks (December 2000) | HTML | |
| G. McGraw, J. Viega | Software security principles, Part 4: Keep it simple; keep it private | IBM developerWorks (December 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Software security principles, Part 3: Controlling access: Least privilege and compartmentalization | IBM developerWorks (November 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Software security principles, Part 2: Defense in depth and secure failure | IBM developerWorks (November 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Software security principles, Part 1: The chain is only as strong as its weakest link | IBM developerWorks (October 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Make your software behave: Security by obscurity | IBM developerWorks (October 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Software security for developers: One-time pads | IBM developerWorks (October 2000) | HTML | |
| G. McGraw, J. Viega | Statically Scanning Java Code: Finding Security Vulnerabilities | IEEE Software (September/October 2000) | | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Protecting passwords: Part 2 | IBM developerWorks (September 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Protecting passwords: Part 1 | IBM developerWorks (August 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, T. O'Connor | Make your software behave: Cryptography essentials | IBM developerWorks (July 2000) | HTML | Security, Cryptography, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Make your software behave: Tried and true encryption | IBM developerWorks (Jun 1, 2000) | HTML | Security, Cryptography, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Make your software behave: Everything to hide | IBM developerWorks (May 18, 2000) | HTML | |
| G. McGraw, J. Viega | Make your software behave: Software strategies | IBM developerWorks (May 2, 2000) | HTML | |
| G. McGraw, J. Viega | Make your software behave: Playing the numbers | IBM developerWorks (Apr 4, 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Make your software behave: Beating the Bias: How to approach truly random number generation through hardware | IBM developerWorks (Apr 1, 2000) | HTML | |
| G. McGraw, J. Viega | Make your software behave: CGI programming made secure | IBM developerWorks (Mar 28, 2000) | HTML | |
| G. McGraw, J. Viega | Make your software behave: An anatomy of attack code | IBM developerWorks (Mar 21, 2000) | HTML | |
| G. McGraw, J. Viega | Make your software behave: Brass tacks and smash attacks | IBM developerWorks (Mar 14, 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Make your software behave: Preventing buffer overflows | IBM developerWorks (Mar 7, 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Make your software behave: Learning the basics of buffer overflows | IBM developerWorks (Mar 1, 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Make your software behave: Assuring your software is secure | IBM developerWorks (Feb 28, 2000) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, J. Viega | Making software behave | IBM developerWorks (Sep 28, 1999) | HTML | |
| B. Arkin, F. Hill, S. Marks, M. Schmid, T.J. Walls, G. McGraw | How We Learned to Cheat in Online Poker: A Study in Software Security | developer.com (September 28, 1999) | PDF, HTML | Security, Applications & OS Security |
| G. McGraw, J. Viega | Why COTS Software Increases Security Risks | ICSE Workshop on Testing Distributed Component-Based Systems (May 1999) | PS | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | Java 2 security and stack inspection | Gamelan.com (May 12, 1999) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | Software Assurance for Security | IEEE Computer 32(4), pp. 103-105 (April 1999) | PDF, Word | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, E. Felten | Twelve Rules for Developing More Secure Java Code | Java World (December 1998) | HTML | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, E. Felten | Third-Party Java Security Vendors: Solutions or Snake Oil? | Java Report (December 1998) | Word | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, E. Felten | Mobile Code Security | IEEE Internet Computing (November/December 1998), as issue editors | HTML | Security, Applications & OS Security |
| A. Ghosh, G. McGraw | An Approach for Certifying Security in Software Components | Proceedings of the 21st National Information Systems Security Conference, October 5-8, 1998, Crystal City, VA | PS | Security, Applications & OS Security, Reliability, Certification |
| G. McGraw, C. Michael | Automated Software Test Data Generation for Complex Programs | Proceedings of the 13th IEEE Automated Software Engineering Conference, October 13-16, 1998, Honolulu, Hawaii | PS | Reliability, Testing, Test Data Generation |
| G. McGraw, K. Sullivan | Massive Games of Artificial Life on the Internet: A Testbed for Research on Survivability Architectures | Proceedings of the Information Survivability Workshop, October 28-30, 1998, Orlando, FL | Word | Miscellaneous |
| G. McGraw | Privileged code in Java: Why the API changed from JDK1.2beta3 to JDK1.2beta4 | developer.com (August 31, 1998) | HTML | Security, Applications & OS Security, Building Secure Software |
| A. Ghosh, T. O'Connor, G. McGraw | An Automated Approach for Identifying Potential Vulnerabilities in Software | Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 3-6, 1998, pp. 104-114 | PS | Security, Applications & OS Security |
| G. McGraw | Testing for Security During Development: Why We Should Scrap Penetrate-and-Patch | IEEE Aerospace and Electronic Systems (April 1998) | PS | Security, Applications & OS Security, Building Secure Software |
| G. McGraw | Smart Cards, Java Cards and Security | developer.com (January 19, 1998) | HTML | Security, Applications & OS Security |
| G. McGraw | Don't Push Me: The Security Implications of Push | developer.com (December 30, 1997) | HTML | |
| C. Michael, G. McGraw, M. Schatz, C. Walton | Genetic Algorithms for Dynamic Test Data Generation | Proceedings of the IEEE International Automated Software Engineering Conference (ASE97), November 3-5, 1997 | PS | Reliability, Testing, Test Data Generation |
| G. McGraw, T. O'Connor | Sandboxes and Signatures Part 2: How to Sign Code for Netscape Communicator | developer.com (October 14, 1997) | HTML | |
| G. McGraw | Sandboxes and Signatures Part 1: The Future of Executable Content | developer.com (October 7, 1997) | HTML | |
| J. Voas, F. Charron, G. McGraw, E. Miller, M. Friedman | Predicting How Badly "Good" Software can Behave | IEEE Software (July 1997) | PS | Reliability, Testing, Fault Injection |
| J. Voas, G. McGraw, L. Kassab, L. Voas | Fault-injection: A Crystal Ball for Software Quality | IEEE Computer (June 1997; Volume 30, Number 6, pp. 29-36) | PS | Reliability, Testing, Fault Injection |
| G. McGraw | Testing for Security During Development: Why We Should Scrap Penetrate-and-Patch | Proceedings of the 12th Annual Conference on Computer Assurance, June 16-20, 1997, Gaithersburg, MD | PS | Security, Applications & OS Security, Building Secure Software |
| G. McGraw, E. Felten | Avoiding Hostile Applets: How to Minimize the Risks of Executable Content | BYTE (May 1997) | HTML | |
| G. McGraw, E. Felten | Understanding the Keys to Java Security -- The Sandbox and Authentication | Java World (May 1997) | HTML | |
| G. McGraw | Is Your Browser a Blabbermouth? Are Your Ports Being Scanned? | Java World (March 1997) | HTML | |
| G. McGraw, E. Felten | A Friendly Introduction to Hostile Applets | Netscape World (February 1997) | HTML | |
| J. Voas, G. McGraw, A. Ghosh | Reducing Uncertainty About Survivability | Proceedings of the 1997 Information Survivability Workshop, February 12-13, 1997, San Diego, CA | PS | Reliability, Testing, Fault Injection |
| G. McGraw | Plugs for Java's Security Holes | BYTE (January 1997) | HTML | |
| G. McGraw, E. Felten | Java Security and Type Safety | BYTE (January 1997) | HTML | |
| J. Voas, A. Ghosh, G. McGraw, K. Miller | Glueing Together Software Components: How Good is Your Glue? | Proceedings of the Pacific Northwest Software Quality Conference (October 1996) | PS | Miscellaneous |
| G. McGraw, D. Hofstadter | Emergent Letter Perception: Implementing the Role Hypothesis | Proceedings of the 18th Annual Conference of the Cognitive Science Society (July 1996) | PS | Miscellaneous |
| G. McGraw, C. Michael | Automatic Generation of Test-Cases for Software Testing | Proceedings of the 18th Annual Conference of the Cognitive Science Society (July 1996) | PS | Reliability, Testing, Test Data Generation |
| G. McGraw, D. Hovemeyer | Untangling the Woven Web: Testing Web-based Software | Proceedings of the 13th International Conference on Testing Computer Software (ICTCS), June 1996 | PS | Reliability, Testing |
| G. McGraw, A.K. Ghosh | Developing Expertise in Software Security: An Outsider's Perspective | Working notes of the Invitational Workshop on Computer Vulnerability Data Sharing, NIST, June 1996 | PS | Security, Applications & OS Security |
| A.S. Binns, G. McGraw | Building a Java Software Engineering Tool for Testing Applets | Proceedings of the IntraNet 96 NY Conference, April 8-10, 1996, New York City | PS | Reliability, Testing |
| J. Voas, G. McGraw, A.K. Ghosh, F. Charron, K. Miller | Defining an Adaptive Software Security Metric from a Dynamic Software Failure-tolerance Measure | Proceedings of the 11th Annual Conference on Computer Assurance (COMPASS'96) | PS | Reliability, Testing, Fault Injection |
