Software Integrity Blog

Author Archive

Gary McGraw


Gary McGraw is the former vice president of security technology at Synopsys (SNPS). He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and six other books, and he is editor of the Addison-Wesley Software Security Series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a periodic security column for SearchSecurity, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of MaxMyInterest, Ntrepid, and RavenWhite. He has also served as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). He holds a dual Ph.D. in cognitive science and computer science from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy Magazine (syndicated by SearchSecurity).


Posts by Gary McGraw:


From mainframes to connected cars: How software drives the automotive industry

The automotive industry runs on software—but increased software increases the attack surface. Vehicle safety starts with automotive software security.

Posted in Automotive Cyber Security, Software Architecture & Design, Software Security Program

2016 BSIMM Conference explores emerging software security themes

The 2016 BSIMM Community Conference was packed with talks about emerging software security themes, including CI/CD, DevSecOps, and scaling security testing.

Posted in Software Security Program

Why the FTC’s software security stance matters to your business

The facts: The U.S. Circuit Court of Appeals recently ruled that the Federal Trade Commission (FTC) has the authority to regulate aspects of corporate cyber security and may penalize those who fail to properly safeguard customer information. Some background is in order.

Posted in Software Compliance, Quality & Standards

A guide to Gary McGraw’s AppSec USA keynote

Gary McGraw delivered the Friday morning keynote at AppSec USA 2014. Watch “BSIMM: A Decade of Software Security” and read along with his guide.

Posted in Software Security Program

Does software security training make economic sense? Yes. It does.

Software security training reduces the cost of developers fixing security vulnerabilities later in the development cycle. But does it make economic sense?

Posted in Security Training & Awareness

The 10 commandments for software security

You all know by now that the BSIMM is a descriptive model and not a prescriptive one. We’re happy to give prescriptive advice about software security based on our experience as well. It’s what we do for a living. In fact, every prescriptive model (think the Touchpoints) needs to be measured with a measuring stick like the BSIMM.

Posted in Software Security Program, Web Application Security

Automated code review tools for security

Effective automated secure code review requires tools. Here’s how static analysis tools work and why all developers should use them for secure code review.

Posted in Static Analysis (SAST)

Badness-ometers are good. Do you own one?

Badness-ometers, or black box application security testing tools, are good. But you have to do more than just fix the code issues your badness-ometers find.

Posted in Web Application Security

Service-oriented architecture

A review of service-oriented architecture (SOA) and security, including what it is and the 13 snares to avoid to ensure security is done right.

Posted in Software Architecture & Design

Static analysis for security

What is static analysis for security? Read about what it’s supposed to do, the best approaches, its limitations, and what to look for in a good static analysis tool.

Posted in Static Analysis (SAST)