Comments on: Show 001 – An Interview with Steve Lipner http://www.cigital.com/realitycheck/show-001/ The Reality Check Podcast with Gary McGraw focuses directly on software security practitioners and practical software security. Reality Check’s sister podcast, the Silver Bullet Security Podcast with Gary McGraw, follows a free form interview style tailored highlight the ideas and experience of security gurus. By contrast, Reality Check is concerned with practical questions centered on running large-scale software security initiatives in the real world. Reality Check targets experienced leaders working to solve software security problems in large organizations every day. We use a standard script to guide each conversation with questions about history, methodology, best practice, and measurement. We plan to interview leaders of mature software security programs and leaders of programs just getting started. Wed, 11 Nov 2009 05:41:13 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: gem http://www.cigital.com/realitycheck/show-001/comment-page-1/#comment-4 gem Tue, 20 Jan 2009 14:42:35 +0000 http://www.cigital.com/realitycheck/?p=5#comment-4 Hi Stephen, Thanks for the suggestion. I love the idea of a roundtable on the SDL and will try to make that happen. Security testing has come up a few times in various silver bullet episodes. I agree that it deserves more airplay. gem Hi Stephen,

Thanks for the suggestion. I love the idea of a roundtable on the SDL and will try to make that happen.

Security testing has come up a few times in various silver bullet episodes. I agree that it deserves more airplay.

gem

]]> By: Stephen Craig Evans http://www.cigital.com/realitycheck/show-001/comment-page-1/#comment-3 Stephen Craig Evans Tue, 20 Jan 2009 03:48:55 +0000 http://www.cigital.com/realitycheck/?p=5#comment-3 Hi Gary, Great stuff, especially when you inject your own experience and compare notes with the guest; I've listened to it 3 times already. Yes, you started at the top! From listening to pretty much all of your podcasts, I see some questions that you are consistently asking like "what are the top 2 software security practices that you recommend?" and "what difference do you see between web app security and general software security?" (I'm broadly paraphrasing this one because I think that it's the point you are getting at)... I would like to see a couple of more like: "is security testing being done by a separate security group, by QA testers, or how? And, if not by a separate security group, how are they trained and chosen?" and some details about their SDL and how it applies to their types of applications (something along the lines of the Silverbullet Cigital roundtable discussing different SDLs; and Mary Ann Davidson of Oracle completely evaded your question to her on this topic in her Silverbullet podcast). Cheers, Stephen Hi Gary,

Great stuff, especially when you inject your own experience and compare notes with the guest; I’ve listened to it 3 times already. Yes, you started at the top!

From listening to pretty much all of your podcasts, I see some questions that you are consistently asking like “what are the top 2 software security practices that you recommend?” and “what difference do you see between web app security and general software security?” (I’m broadly paraphrasing this one because I think that it’s the point you are getting at)… I would like to see a couple of more like: “is security testing being done by a separate security group, by QA testers, or how? And, if not by a separate security group, how are they trained and chosen?” and some details about their SDL and how it applies to their types of applications (something along the lines of the Silverbullet Cigital roundtable discussing different SDLs; and Mary Ann Davidson of Oracle completely evaded your question to her on this topic in her Silverbullet podcast).

Cheers,
Stephen

]]>