
Search Security
IEEE Security & Privacy
Dark Reading
IT Architect


I am pleased to write a monthly security opinion column for SearchSecurity. This column started life in print at CMP in IT Architect and Network magazines and was originally called “[In]security.” That was back in October 2004. The column then transitioned into Web content for darkreading.com, veered left for a stint at informIT, and now has a home at SearchSecurity. Your feedback on the column through the Justice League blog is greatly appreciated.

I am also fortunate to have been the founding editor of the Building Security In Department of IEEE Security & Privacy magazine. Brian Chess and Brad Arkin currently edit the department. I believe this magazine is the best periodical in security, combining scientific accuracy, cutting-edge technology, and real-world relevance. Through a special offer, you can subscribe for only 29 bucks, and you don't have to join the IEEE. I can't recommend it more highly. Full disclosure: though the IEEE does not pay me for my services, I am on the Board of Governors of the IEEE Computer Society.



informIT article series

Build Security In article series

These articles were all originally published in IEEE Security & Privacy. For more of Gary's publications, see our full listing of his available published articles.

Dark Reading article series

IT Architect (formerly Network Magazine) article series (PDF format)


I began my career at Cigital as a research scientist, and Cigital Labs is still close to my heart. Though I am still active in the scientific research community and interact closely with Cigital Labs, I now spend most of my time helping to run Cigital.

In 1999, I was asked to chair the Infosec Research Council's Malicious Code. The result of that collaborative effort was a paper published in IEEE Software called Attacking Malicious Code: A Report to the Infosec Research Council. In 2009, this paper was chosen as one of IEEE Software's 25th-Anniversary Top Picks, meaning it was one of 35 recommended papers selected from a pool of over 1200.

I believe that giving back to academia is essential. I try to give academic talks at various schools as often as possible, with annual stops at: Stanford, Johns Hopkins, University of Virginia, North Carolina State University, Waterloo, and University of Maryland. If I am on the road for business reasons, I always seek out a great nearby school to visit. I also act as Advisor to the Computer Science Department at UC Davis and the Computer Science Department at the University of Virginia (where we are working on creating a BA in the College of Arts and Sciences). I serve on the Dean's Advisory Council of the School of Informatics at Indiana University.

In 2005, I was elected to a three-year term on the Board of Governors of the IEEE Computer Society.

In 2009, we released the Building Security In Maturity Model (BSIMM). BSIMM is based on direct observation of nine successful software security programs, including those at Adobe, EMC, QUALCOMM, Google, Wells Fargo, Microsoft, and DTCC (plus two other financial services companies who shall remain unnamed). The BSIMM provides a yardstick for software security. Download a copy for yourself and use it under the Creative Commons license.


My curriculum vitae (PDF) includes a complete list of publications and lectures.

Pre-1996 papers are available in an out-of-date publications archive, where you can find abstracts and links to postscript files.

My completed thesis is available in multiple resolutions on my thesis page. Please feel free to send me questions and/or comments about what you see.