Software Integrity Blog

Author Archive

Gary McGraw


Gary McGraw is the former vice president of security technology at Synopsys (SNPS). He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and six other books, and he is editor of the Addison-Wesley Software Security Series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a periodic security column for SearchSecurity, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of MaxMyInterest, Ntrepid, and RavenWhite. He has also served as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). He holds a dual Ph.D. in cognitive science and computer science from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy Magazine (syndicated by SearchSecurity).

Posts by Gary McGraw:


Badness-ometers are good. Do you own one?

Badness-ometers, or black box application security testing tools, are good. But you have to do more than just fix the code issues your badness-ometers find.

Continue Reading...

Posted in Web Application Security | Comments Off on Badness-ometers are good. Do you own one?


Service-oriented architecture

A review of service-oriented architecture (SOA) and security, including what it is and the 13 snares to avoid to ensure security is done right.

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Service-oriented architecture


Static analysis for security

What is static analysis for security? Read about what it’s supposed to do, the best approaches, its limitations, and what to look for in a good static analysis tool. The original version of this article was published in IEEE Security & Privacy magazine.

Continue Reading...

Posted in Static Analysis (SAST) | Comments Off on Static analysis for security


Software security testing

Originally published in IEEE Security and Privacy Magazine

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Software security testing


Risk analysis in software design

What is software risk analysis? A software risk assessment applies classic risk definitions to software design and produces mitigation requirements.

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Risk analysis in software design


Software security

Gary McGraw explains software security, its role in the software development life cycle (SDLC), the difference between software security and security software, and more.

Continue Reading...

Posted in General | Comments Off on Software security