Software Integrity

Author Archive

Gary McGraw


Gary McGraw is the vice president of security technology at Synopsys (SNPS). He is a globally recognized authority on software security and the author of eight bestselling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a periodic security column for SearchSecurity, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Max Financial, NTrepid, and Ravenwhite. He has also served as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). He holds a dual PhD in Cognitive Science and Computer Science from Indiana University where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy Magazine (syndicated by SearchSecurity).


Posts by Gary McGraw:


BSIMM7 explores emerging software security trends and evolution

BSIMM7 was released October 4th, 2016. That’s just a few weeks before the seventh annual BSIMM Community Conference convened on Amelia Island, Florida. This year’s BSIMM conference was well attended, with 160 participants representing 60 of 95 BSIMM firms from across the globe. The energy and enthusiasm at the conference was palpable. There is nothing […]

Posted in Maturity Model (BSIMM), Webinar

BSIMM7 is now available: What’s new?

At the time of the BSIMM7 release today (October 4, 2016), the BSIMM Project has been underway for eight years. During that time, the size of the data set has multiplied over 26 times from 9 measurements to 237. Additionally, the number of firms whose software security initiatives we describe has grown from 9 to […]

Posted in Maturity Model (BSIMM)

Why the FTC’s software security stance matters to your business

The facts: The U.S. Circuit Court of Appeals recently ruled that the Federal Trade Commission (FTC) has the authority to regulate aspects of corporate cyber security and may penalize those who fail to properly safeguard customer information. Some background is in order. For a number of years, the FTC has been making waves in cyber […]

Posted in Security Standards and Compliance

Alphabet soup: SAST, DAST, IAST, and RASP explained

Turns out that the most important part of a software security initiative is FIXing the bugs that you FIND no matter how you find the bugs. So just what do all of the alphabet soup tools do? How do they help you fix what you find? And how do they scale? FWIW, tools of all […]

Posted in Cloud Security, Static Analysis (SAST), Web Application Security

A guide to Gary McGraw’s AppSec USA keynote

I had a blast delivering the Friday morning keynote at AppSec USA this year. The only uncomfortable part was the 8 a.m. start. Whose idea was that?! You can watch the keynote here on YouTube. I watched the keynote myself this morning (which, for what it’s worth, is a pretty painful process, as there is […]

Posted in Maturity Model (BSIMM), Webinar

President Obama acknowledges cyber threat and signs executive order for improving critical infrastructure cybersecurity

President Obama explicitly mentioned cyber security. He said: America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air […]

Posted in Uncategorized

Does software security training make economic sense? Yes. It does.

When it comes to computer security, software security training can be a controversial subject. We’re not sure why. Maybe what we’re seeing is an artificial controversy trumped up by pundits?! You see, some pundits argue (lamely) that training is completely useless. We disagree. Let’s make this as clear as we can: we believe that software security […]

Posted in Security Training

The 10 commandments for software security

You all know by now that the BSIMM is a descriptive model and not a prescriptive one. We’re happy to give prescriptive advice about software security based on our experience as well. It’s what we do for a living. In fact, every prescriptive model (think the Touchpoints) needs to be measured with a measuring stick […]

Posted in Maturity Model (BSIMM), Web Application Security

BSIMM Community Conference

We just hosted the first ever BSIMM Community Conference in Annapolis, MD this week. I’m proud to say it was a smash hit. The schedule was packed full of interesting talks from leaders among the BSIMM Community including Microsoft, Intel, Sallie Mae, JP Morgan Chase, QUALCOMM, Fidelity, Adobe and Cigital, but by far the most […]

Posted in Event, Maturity Model (BSIMM)

Moving cybersecurity past cyberplatitudes

John Pescatore from Gartner convened a virtual panel on the cybersecurity issue at the 2009 Gartner Information Security Summit. I provided a video for the panel answering two questions that John posed. The two questions get to the heart of the cybersecurity issue: Question 1: What should the US government do to drive real improvements […]

Posted in Webinar