Writings

I am pleased to write a monthly security opinion column for SearchSecurity. This column started life in print at CMP in IT Architect and Network magazines and was originally called “[In]security.” That was back in October 2004. The column then transitioned into Web content for darkreading.com, veered left for a stint at informIT, and now has a home at SearchSecurity. Your feedback on the column through the Justice League blog is greatly appreciated.

I am also fortunate to have been the founding editor of the Building Security In Department of IEEE Security & Privacy magazine. Brian Chess and Brad Arkin currently edit the department. I believe this magazine is the best periodical in security, with both scientific accuracy, cutting edge technology, and real world relevance. Through a special offer, you can subscribe for only 29 bucks, and you don't have to join the IEEE. I can't recommend this more highly. Full disclosure: though the IEEE does not pay me for my services, I am on the Board of Governors of the IEEE Computer Society.

SearchSecurity

• BSIMM4 measures and advances secure application development (May 10, 2013)
• Cyberwar calls for software and system investment, not hacking back (March 20, 2013)
• McGraw's mobile app security strategy: Three legs of 'trusted on busted' (February 13, 2013)
• Testing, assessment methods offer third-party software security assurance (February 5, 2013)
• Thirteen principles to ensure enterprise system security
  (January 17, 2013)
• Twelve common software security activities to lift your program (December 10, 2012)
• Proactive defense prudent alternative to cyberwarfare (November 1, 2012)
• Ten commandments for software security (October 4, 2012)
• Data supports need for security awareness training despite naysayers (September 4, 2012)
• Congress should encourage bug fixes, reward secure systems (August 1, 2012)
• Mobile security: It’s all about mobile software security
  (July 2, 2012)
• Cloud computing pros and cons for security (June 19, 2012)
• Eliminating badware addresses malware problem (May 7, 2012)
• Software security assurance: Build it in, build it right
  (April 10, 2012)

Other

• Chinese Hackers, 'Active Defense' and Other Bad Ideas, Information Security (April 2013)
• Lost Decade or Golden Era: Computer Security since 9/11, (IEEE Security & Privacy, January/February 2012)
• Technology Transfer: A Software Security Marketplace Case Study (IEEE Software, September/October 2011)
• Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security in AMERICA'S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES I AND II, Center for a New Amercian Security (June 2011).
• Interview: Software Security in the Real World, Computer (September 2010)
• Real-World Software Security, Dr. Dobbs (August 6, 2010); see also: InformationWeek.
• Lifestyle Hackers, CSO Online (November 2, 2009)
• Securing Online Games: Safeguarding the Future of Software Security, IEEE Security & Privacy (May/June 2009)
• How Things Work: Automated Code Review Tools for Security, Computer (December 2008)
• Online Games and Security, IEEE Security & Privacy (October/September 2007)

informIT article series

• vBSIMM Take Two (BSIMM for Vendors Revised) (January 26, 2012)
• BSIMM versus SAFECode and Other Kaiju Cinema (December 26, 2011)
• Third-Party Software and Security (November 30, 2011)
• Software Security Training (October 31, 2011)
• BSIMM3 (September 27, 2011)
• Balancing All the Breaking with some Building (August 30, 2011)
• Software Security Zombies (July 21, 2011)
• Partly Cloudy with a Chance of Security (June 17, 2011)
• Computer Security and International Norms (May 30, 2011)
• vBSIMM (BSIMM for Vendors) (April 12, 2011)
• Modern Malware (March 22, 2011)
• Software Patents and Fault Injection (February 28, 2011)
• Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal) (January 31, 2011)
• Driving Efficiency and Effectiveness in Software Security (December 29, 2010)
• Cyber Warmongering and Influence Peddling (November 24, 2010)
• Technology Transfer (October 26, 2010)
• How to p0wn a Control System with Stuxnet (September 23, 2010)
• Software Security Crosses the Threshold (August 16, 2010)
• Obama Highlights Cyber Security Progress (July 16, 2010)
• Cyber War - Hype or Consequences? (June 17, 2010)
• BSIMM2: Measuring the Emergence of a Software Security Community (May 12, 2010)
• Assume Nothing: Is Microsoft Forgetting a Crucial Security Lesson? (April 30, 2010)
• The Smart (Electric) Grid and Dumb Cybersecurity (March 26, 2010)
• What Works in Software Security (February 26, 2010)
• Cargo Cult Computer Security (January 28, 2010)
• You Really Need a Software Security Group (December 21, 2009)
• BSIMM Europe (November 10, 2009)
• Startup Lessons (October 22, 2009)
• BSIMM Begin (September 24, 2009)
• Attack Categories and History Prediction (August 25, 2009)
• Moving U.S. Cybersecurity Beyond Cyberplatitudes (July 16, 2009)
• Measuring Software Security (June 18, 2009)
• Twitter Security (May 15, 2009)
• Software Security Comes of Age (April 16, 2009)
• The Building Security In Maturity Model (BSIMM) (March 16, 2009)
• Nine Things Everybody Does: Software Security Activities from the BSIMM (February 9, 2009)
• Top 11 Reasons Why Top 10 (or Top 25) Lists Don't Work (January 13, 2009)
• Software Security Top 10 Surprises (December 15, 2008)
• Web Applications and Software Security (November 14, 2008)
• A Software Security Framework: Working Towards a Realistic Maturity Model (October 15, 2008)
• Getting Past the Bug Parade (September 17, 2008)
• Software Security Demand Rising (August 11, 2008)
• Application Assessment as a Factory (July 17, 2008)
• DMCA Rent-a-cops Accept Fake IDs (June 12, 2008)
• Securing Web 3.0 (May 15, 2008)
• Paying for Secure Software (April 7, 2008)

Build Security In article series

These articles were all originally published in IEEE Security & Privacy. For more of Gary's publications, see our full listing of his available published articles.

• Software Security and SOA: Danger, Will Robinson! (January/February 2006)
• Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors (November/December 2005)
• Bridging the Gap Between Software Development and Information Security (September/October 2005)
• A Portal for Software Security (July/August 2005)
• Adopting a Software Security Improvement Program (May/June 2005)
• Knowledge for Software Security (March/April 2005)
• Software Penetration Testing (January/February 2005)
• Static Analysis for Security (November/December 2004)
• Software Security Testing (September/October 2004)
• Risk Analysis in Software Design (July/August 2004)
• Misuse and Abuse Cases: Getting Past the Positive (May/June 2004)
• Software Security (March/April 2004)

Dark Reading article series

• The Truth Behind Code Analysis (February 13, 2008)
• Software Security Strategies (January 9, 2008)
• Beyond the PCI Band-Aid (December 10, 2007)
• Online Games & the Law (October 11, 2007)
• Mobile Insecurity (September 14, 2007)
• The Ultimate Insider (August 14, 2007)
• Consolidate This (July 12, 2007)
• JSON, Ajax & Web 2.0 (June 7, 2007)
• Certifiable (May 9, 2007)
• Want Turns to Need (April 20, 2007)
• Compliance As Kick-Starter (March 12, 2007)
• Security's Symbiosis (February 27, 2007)
• Hurray for Hollywood!? (January 12, 2007)
• Foxy Vista Henhouse (December 11, 2006)
• Boarding-Pass Brouhaha (November 2, 2006)
• Diebold Disses Democracy (October 9, 2006)
• Keep Your Laws Off My Security (September 7, 2006)
• Google is Evil (August 4, 2006)
• If You Build It, They'll Crash It (July 7, 2006)
• New Terrorist Profile: Phone Users (June 13, 2006)
• Microsoft's Missed Opportunity (May 3, 2006)

IT Architect (formerly Network Magazine) article series (PDF format)

• How Flawed Is Microsoft? (March 2006)
• Is Application Security Training Worth the Money? (February 2006)
• Is Sony BMG Run By Malicious Hackers? (January 2006)
• When Does Security Cross the Line? (December 2005)
• Is Security Really About Getting Nothing Done? (November 2005)
• How Bad Is Intrusion Detection? (October 2005)
• Is Cisco Naked? (September 2005)
• Is VoIP Secure Enough For Prime Time? (August 2005)
• Is Penetration Testing a Good Idea? (July 2005)
• Are Cell Phones the Next Target? (June 2005)
• How Does Security Fit With Engineering? (May 2005)
• Is Your Mac Really More Secure? (April 2005)
• Where Does Trust Come From? (March 2005)
• Are We In a Computer Security Renaissance? (February 2005)
• Innovative Rootkits: The Ultimate Weapon? (January 2005)
• How Do Real Bad Guys Break Software? (December 2004)
• Application Security Testing Tools: Worth the Money? (November 2004)
• Who Should Do Security? (October 2004)

Science

I began my career at Cigital as a research scientist, and Cigital Labs is still close to my heart. Though I am still active in the scientific research community and interact closely with Cigital Labs, I now spend most of my time helping to run Cigital.

In 1999, I was asked to chair the Infosec Research Council's Malicious Code Infosec Science and Technology Study Group. The result of that collaborative effort was a paper published in IEEE Software called Attacking Malicious Code: A Report to the Infosec Research Council. In 2009, this paper was chosen as one of IEEE Software's 25th-Aniversary Top Picks, meaning it was one of 35 recommended papers selected from a pool of over 1200.

I believe that giving back to academia is essential. I try to give academic talks at various schools as often as possible, with annual stops at: Stanford, Johns Hopkins, University of Virginia, North Carolina State University, Waterloo, and University of Maryland. If I am on the road for business reasons, I always seek out a great nearby school to visit. I also act as Advisor to the Computer Science Department at UC Davis and the Computer Science Department at the University of Virginia (where we are working on creating a BA in the College of Arts and Sciences). I serve on the Dean's Advisory Council of the School of Informatics at Indiana University.

In 2005, I was elected to a three year term on the Board of Governors of the IEEE Computer Society.

In 2009, we released the Building Security In Maturity Model (BSIMM). BSIMM is based on direct observation of nine successful software security programs including: Adobe, EMC, QUALCOMM, Google, Wells Fargo, Microsoft, and DTCC (plus two other financial services companies who shall remain un-named). The BSIMM provides a yardstick for software security. Download a copy for yourself and use it under the Creative Commons license.

Publications

My curriculum vita (PDF) includes a complete list of publications and lectures.

A Web-searchable listing of trade publications and research papers from Cigital is available through the Cigital website. All of my recent publications can be found there.

A large number of Java security trade publications can be found on the Java security Website

• Java security trade publications I have written.
• Java security trade publications that mention my work.

Pre-1996 papers are available in an out-of-date publications archive, where you can find abstracts and links to postscript files.

Cognitive science papers from the Center for Research on Concepts and Cognition (CRCC), where I did my graduate research, are available by ftp.

My completed thesis is available in multiple resolutions on my thesis page. Please feel free to send me questions and/or comments about what you see.

Copyright © 2013, Gary McGraw