Show 026 – An Interview with Adam Shostack

by rmacmich on Thursday, May 15, 2008

Adam Shostack

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art and literature inform Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem in the CardSystems breach was following the letter, rather than the spirit, of PCI. Also on the agenda: duck-billed platypuses, Kandinski, and books by Pynchon.

(Beginning with this episode, Silver Bullet will be available as a 192k MP3.)

  • Stephen Craig Evans

    Another home run, Gary, but it could have been twice as long! I’m looking forward to getting the book.

    In general, I think we are getting to the same point in time (and maturity) similar to some of the BSVs (Big Security Vendors) who still put out white papers that profoundly point out that software security is important. Meaning, we know that we need metrics to measure effectiveness and to be able to decide where to spend the money (also brought up by Mary Ann Davidson in your podcast with her).

    I guess I should go check out what the Metrics Guys are doing (revisit Jaquith’s book, check out Metricon, etc). They’re probably a couple of years ahead of me.

    I wonder why, as a community, we aren’t talking more about application classification. I have seen only this paper:
    The Importance of Application Classification in Secure Application Development
    http://www.webappsec.org/projects/articles/041607.shtml

    It seems that that would be a first step in putting price tags on software security efforts. And software security pros would have that knowledge, especially consultants that do different types of engagements.

    Keep ’em coming,
    Stephen

