Software Integrity Blog

Author Archive

Gary McGraw


Gary McGraw is the former vice president of security technology at Synopsys (SNPS). He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and six other books, and he is editor of the Addison-Wesley Software Security Series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a periodic security column for SearchSecurity, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of MaxMyInterest, Ntrepid, and RavenWhite. He has also served as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). He holds a dual Ph.D. in cognitive science and computer science from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy Magazine (syndicated by SearchSecurity).


Posts by Gary McGraw:

 

Moving cybersecurity past cyberplatitudes

John Pescatore from Gartner convened a virtual panel on the cybersecurity issue at the 2009 Gartner Information Security Summit. I provided a video for the panel answering two questions that John posed. The two questions get to the heart of the cybersecurity issue: Question 1: What should the US government do to drive real improvements […]


Posted in Webinars

 

Automated code review tools for security

Computer security has experienced important fundamental changes over the past decade. The most promising developments in security involve arming software developers and architects with the knowledge and tools they need to build more secure software. Among the many security tools available to software practitioners, static analysis tools for automated code review are the most effective. Here’s how they work—and why all developers should use them. The rise of […]


Posted in Static Analysis (SAST)

 

From the foreword to ‘Secure Programming with Static Analysis’

This is the foreword that I wrote for Brian Chess and Jacob West’s excellent new book Secure Programming with Static Analysis. I recommend this book for all software security practitioners. Developers, in particular, will find the book extremely helpful. On the first day of class, mechanical engineers learn a critical lesson—pay attention and learn this […]


Posted in General

 

Badness-ometers are good. Do you own one?

Never one to mince words, I coined the term badness-ometer to describe “application security testing tools” like the ones made by SPI Dynamics and Watchfire. For whatever reason, people read more into the term than I intended. I guess they see the term as having only negative connotations. I stick by my nomenclature–black box application […]


Posted in Web Application Security

 

Service-oriented architecture

A review of service-oriented architecture (SOA) and security, including what it is and the 13 snares to avoid to ensure security is done right.


Posted in Software Architecture and Design

 

Static analysis for security

What is static analysis for security? Read about what it’s supposed to do, the best approaches, its limitations, and what to look for in a good static analysis tool. The original version of this article was published in IEEE Security & Privacy magazine. All software projects are guaranteed to have one artifact in common—source code. Together […]


Posted in Static Analysis (SAST)
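The two static analysis entries above ("Automated code review tools for security" and "Static analysis for security") describe what such tools are supposed to do and where they fall short. What follows is an added example, not code from the original page or from any tool the author discusses: a minimal AST-based sink finder in Python that flags calls to known command-execution functions in a constructed sample module. It also shows one of the limitations the second entry alludes to: plain name matching misses a sink reached through a local alias, and resolving the alias is only a partial, flow-insensitive fix. The sample source, the sink list and the function names are all assumptions made for this illustration.

```python
import ast

# Constructed sample module for the illustration (not from the original page).
# Line 5 calls os.system directly; line 9 reaches subprocess.call through a
# local alias, which a name-only matcher does not see.
SAMPLE_SOURCE = '''\
import os
import subprocess

def run_report(user_input):
    os.system("report --name " + user_input)

def run_report_aliased(user_input):
    run = subprocess.call
    run("report --name " + user_input, shell=True)
'''

# Assumed sink list for the example: functions whose arguments reach a shell
# or an interpreter. A real tool ships a much larger, per-language catalogue.
DANGEROUS_CALLS = {"os.system", "subprocess.call", "subprocess.Popen", "eval", "exec"}


def qualified_name(node):
    """Render `mod.func` or `func` from a call target. Anything more complex
    (e.g. `getattr(os, "system")`) returns None and is therefore missed."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return f"{node.value.id}.{node.attr}"
    if isinstance(node, ast.Name):
        return node.id
    return None


class SinkFinder(ast.NodeVisitor):
    """Walk a parsed module and record every call to a listed sink."""

    def __init__(self, resolve_aliases):
        self.resolve_aliases = resolve_aliases
        self.aliases = {}      # local name -> sink it was bound to
        self.findings = []     # (line number, sink name)

    def visit_Assign(self, node):
        # Record `name = module.func` so a later call through `name` resolves.
        # This is flow-insensitive and scope-unaware: a rebinding, or a
        # same-named variable in another function, would confuse it. That is
        # exactly the kind of limitation a user of these tools has to keep in mind.
        if (self.resolve_aliases and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            target = qualified_name(node.value)
            if target in DANGEROUS_CALLS:
                self.aliases[node.targets[0].id] = target
        self.generic_visit(node)

    def visit_Call(self, node):
        name = qualified_name(node.func)
        name = self.aliases.get(name, name)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def find_sinks(source, resolve_aliases=False):
    """Return [(line, sink)] for every recognised dangerous call in `source`."""
    finder = SinkFinder(resolve_aliases)
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    print("name matching only:", find_sinks(SAMPLE_SOURCE))
    print("with alias resolution:", find_sinks(SAMPLE_SOURCE, resolve_aliases=True))
```

Run as written, the first pass reports only the direct `os.system` call on line 5 and silently misses the aliased `subprocess.call` on line 9; the second pass catches both. Note what the checker does not do: it reports every call to a listed sink whether or not the argument is attacker-controlled, so it has no notion of taint and will produce false positives on constant arguments, and it still misses sinks reached through `getattr`, imports under another name, or calls returned from other functions. Closing those gaps (taint tracking, interprocedural and scope-aware data flow) is what separates a rule like this from a production static analysis tool.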

 

Software security testing

Originally published in IEEE Security and Privacy Magazine. Security testing has recently moved beyond the realm of network port scanning to include probing software behavior as a critical aspect of system behavior. Unfortunately, testing software security is a commonly misunderstood task. Security testing done properly goes deeper than simple black-box probing on the presentation layer (the […]


Posted in Software Architecture and Design

 

Risk analysis in software design

A great software risk assessment requires the ability to apply classic risk definitions to software design and then generate accurate mitigation requirements.


Posted in Software Architecture and Design

 

Software security

Gary McGraw explains software security, its role in the software development life cycle (SDLC), the difference between software security and security software, and more.


Posted in General