Show 026 - An Interview with Adam Shostack

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was following the letter, rather than the spirit, of PCI. Also on the agenda: duck-billed platypuses, Kandinski, and books by Pynchon.
(Beginning with this episode, Silver Bullet will be available as a 192k MP3.)


May 23rd, 2008 at 12:32 am
Another home run, Gary, but it could have been twice as long! I’m looking forward to getting the book.
In general, I think we are getting to the same point in time (and maturity) similar to some of the BSVs (Big Security Vendors) who still put out white papers that profoundly point out that software security is important. Meaning, we know that we need metrics to measure effectiveness and to be able to decide where to spend the money (also brought up by Mary Ann Davidson in your podcast with her).
I guess I should go check out what the Metrics Guys are doing (revisit Jaquith’s book, check out Metricon, etc). They’re probably a couple of years ahead of me.
I wonder why, as a community, we aren’t talking more about application classification. I have seen only this paper:
The Importance of Application Classification in Secure Application Development
http://www.webappsec.org/projects/articles/041607.shtml
It seems that would be a first step in putting price tags on software security efforts. And software security pros would have that knowledge, especially consultants that do different types of engagements.
Keep ’em coming,
Stephen
December 22nd, 2008 at 1:41 pm
[...] Silver Bullet interview with Adam Shostack [...]