On the 37th episode of The Silver Bullet Security Podcast, Gary interviews Virgil Gligor, Professor at Carnegie Mellon University in the Department of Electrical and Computer Engineering and co-director of CyLab. Gary and Virgil discuss how information security has changed over the last 35 years, why software security will be with us forever, and how Virgil’s childhood in Romania has shaped his views on security. They close out with a discussion of Virgil’s breakfast-eating habits.

• Transcript of this episode [PDF]
• Virgil D. Gligor (@ Carnegie Mellon)
• CyLab
• Electrical and Computer Engineering at Carnegie Mellon University
• Building a Secure Computer System
• Foreign Intelligence Surveillance Act
• Software Security Comes of Age
• RSA panel to discuss surveillance, privacy concerns
• Computer Security: Art and Science by Matt Bishop
• Towards a Theory of Penetration-Resistant Systems and its Applications (1991)
• A Formal Method for the Identification of Covert Storage Channels in Source Code (1987)

 

 Show 037 - An Interview with Virgil Gligor [27:10m]: Play Now | Play in Popup | Download

We switch things up for this special third anniversary episode of Silver Bullet. This time around, Gary is the victim, being interviewed by James McGovern, Enterprise Architect for The Hartford Financial Services Group, Inc. and OWASP maven. Gary and James discuss the recently released Building Security In Maturity Model, how companies with Software Security Groups retain their best and brightest, Microsoft’s trustworthy computing initiative/SDL program, and what less expensive tools small organizations with only a few developers can use.

• Transcript of this episode [PDF]
• Enterprise Architecture: From Incite comes Insight… – James McGovern’s blog
• Gary McGraw’s site
• Software Security: Building Security In
• Building Security In Maturity Model (BSIMM)
• Gartner releases paper on Static Analysis – James’ blog entry on Gartner
• Cigital’s John Steven to lead OWASP Northern Virginia Local Chapter (press release)

 

 Show 036 - An Interview with Gary McGraw (by James McGovern) [34:34m]: Play Now | Play in Popup | Download

On the 35th episode of The Silver Bullet Security Podcast, Gary talks with Daniel Suarez, independent consultant and author of Daemon, a new techno-thriller about a gamer that reaches from beyond the grave to declare a war on all of humanity. They talk about Daniel’s new book and the movie options attached to it, the use of MMORPGs and flash mobs for nefarious means in the form of a distributed emergent attack, the current state of AI, and the follow-up to Daemon, Freedom ^TM.

• Daemon
• Daniel on Last call with Carson Daly
• Al-Qaeda in Second Life
• Distraction by Bruce Sterling
• Halting State by Charles Stross
• Bot-Mediated Reality at the Long Now Foundation
• Wired for War by P.W. Singer

 

 Show 035 - An Interview with Daniel Suarez [25:16m]: Play Now | Play in Popup | Download

On the 34th episode of The Silver Bullet Security Podcast, Gary interviews Bill Brenner, senior editor at CSO Online and CSO Magazine. Gary and Bill discuss how delivering the security message changes based on the audience (executives versus geeks and CSO’s versus CIO’s), the much-exaggerated death of print media, and balancing headline-grabbing sensationalism with solid security business coverage. They close out their interview with a discussion of Bill’s favorite period of history.

• Bill Brenner at CSO Online
• Bill Brenner on LinkedIn
• Bill Brenner on Facebook
• Security Wire Weekly
• Security Insights Podcast
• 1 Raindrop – Gunnar Peterson’s blog.
• Silver Bullet interviews with Jon Swartz, USA Today, Dennis Fisher, Tech Target, and Jeremiah Grossman, Whitehat

 

 Show 034 - An Interview with Bill Brenner [27:48m]: Play Now | Play in Popup | Download

We’re happy to announce the debut of The Reality Check Security Podcast with Gary McGraw:

The Reality Check Podcast with Gary McGraw focuses directly on software security practitioners and practical software security. Reality Check’s sister podcast, the Silver Bullet Security Podcast with Gary McGraw, follows a free form interview style tailored highlight the ideas and experience of security gurus. By contrast, Reality Check is concerned with practical questions centered on running large-scale software security initiatives in the real world.

Reality Check targets experienced leaders working to solve software security problems in large organizations every day. We use a standard script to guide each conversation with questions about history, methodology, best practice, and measurement. We plan to interview leaders of mature software security programs and leaders of programs just getting started.

 

 Ad: Reality Check Security Podcast [0:51m]: Play Now | Play in Popup | Download

On the 33rd episode of The Silver Bullet Security Podcast, Gary talks with Laurie Williams, Associate Professor of Computer Science at North Carolina State University. Gary and Laurie discuss Laurie’s nine years at IBM, Agile’s adoption in the commercial space, XP and software security, and what changes Laurie would make to the standard computer science curriculum to better prepare students.

• Laurie Williams
• Empirical Software Engineering
• Protection Poker tutorial
• Is Complexity Really the Enemy of Software Security? [PDF]
• Silver Bullet interview with Adam Shostack
• Law of Attraction audiobook

 

 Show 033 - An Interview with Laurie Williams [23:39m]: Play Now | Play in Popup | Download

The 32nd episode of The Silver Bullet Security Podcast features founder and Chief Technology Officer of WhiteHat Security, Jeremiah Grossman. Gary and Jeremiah discuss clickjacking, cross-site request forgery, why 50% of web problems can’t be discovered reliably automatically, and which conferences Jeremiah most enjoyed on his 2008 world tour.

• Transcript of this episode [PDF]
• Jeremiah Grossman
• Clickjacking
• Adobe 0-day Browser Exploit
• Cross-Site Request Forgeries: Exploitation and Prevention [PDF]
• Web Spoofing: An Internet Con Game by Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach.
• Web application scan-o-meter
• The “Wall of Fame”

 

 Show 032 - An Interview with Jeremiah Grossman [29:20m]: Play Now | Play in Popup | Download

On the 31st episode of The Silver Bullet Security Podcast, Gary talks with Matt Bishop, professor of Computer Science at UC Davis and author of the book Computer Security: Art and Science as well as many peer-reviewed papers. Gary and Matt discuss Matt’s plan to work security analysis and secure coding into a wider computer science cirriculum, Matt’s early work with Mike Dilger on TOCTOU, whether or not progress is being made in the field of software security, and the role of training in large-scale software security initiatives. Their chat closes with a mention of Matt’s home menagerie (which does not include any one-legged chickens at this time).

• Transcript of this episode
• Matt Bishop
• IEEE Security & Privacy Magazine
• Computer Security: Art and Science
• Silver Bullet Security Podcast interview with Dorothy Denning
• Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security (the “Ware Report” referred to in the podcast)
• Secure Computer Systems: Mathematical Foundations – The Bell Lapadula model [PDF]
• Secure Computer System: Unified Exposition and Multics Interpretation [PDF]
• Testing C Programs for Buffer Overflow Vulnerabilities – Eric Haugh, Matt Bishop [PDF]
• TOCTOU
• Checking for Race Conditions in File Accesses by Matt Bishop and Michael Dilger
• “The Song of the One Legged Chicken”

 

 Show 031 - An Interview with Matt Bishop [24:24m]: Play Now | Play in Popup | Download

On the 30th episode of The Silver Bullet Security Podcast, Gary talks with Ken van Wyk, principal and founder of KRvW Associates. Ken was the first employee of CERT and has been an active member of FIRST. Ken and Gary discuss why the discipline of computer science doesn’t learn from failure like mechanical engineering does, how we’re making steps backwards in computer security, whether focusing on web applications is a good or bad thing for software security, and Ken’s recommendation for moderately-priced red wines.

• Ken’s personal page
• KRvW Associates
• CERT
• FIRST
• Secure Coding
• Incident Response
• SC-L mailing list
• From the foreword to Secure Programming with Static Analysis – blog entry with photo of Tacoma Narrows Bridge
• TJX’s stock increase since the January 2007 security breach
• The Addison-Wesley Software Security Series
• Barbera D’Asti wines

 

 Show 030 - An Interview with Ken van Wyk [21:48m]: Play Now | Play in Popup | Download

On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget. Dennis helps run SearchSecurity.com and Information Security Magazine. Gary and Dennis discuss the current “BS factor” in security journalism, shopping at TJ Maxx right after the TJX privacy breach, the state of software security, and which is harder: being a fry cook at Hardees or working as a PR flack.

• Dennis’ blog
• TJX
• Joe Walsh plays dirty laundry
• Software Security Grows
• Dennis’ un-named podcast
• Series of Tubes
• Hardees
• Nike/iPod

 

 Show 029 - An Interview with Dennis Fisher [23:50m]: Play Now | Play in Popup | Download