Show 145: Tanya Janca discusses transitioning from developer to software security guru

Tanya Janca is a senior cloud advocate at Microsoft, where she specializes in software security. Her job involves evangelizing software security and advocating for developers through public speaking. She is also a leader in the OWASP DevSlop project and believes in hands-on teaching via workshops and real technical examples. As an ethical hacker, OWASP project and chapter leader, software developer, and professional geek of 20 years, Tanya is fascinated by the “science” in computer science. Previously, she worked as the IT security coordinator for the 42nd general election in Canada. Tanya is also an avid gardener and has been the frontwoman of multiple bands. She holds a computer science diploma from Algonquin College and currently lives in Ottawa.

Listen as Gary and Tanya discuss the transition from development to security, election security, DevOps, and more.

Transcript

Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of “Software Security.” This podcast series is co-sponsored by Synopsys and IEEE Security & Privacy magazine, where a portion of this interview will appear in print. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 145th in a series of interviews with security gurus, and I’m super pleased to have today with me Tanya Janca. Hi, Tanya.

 

Tanya Janca: Hey, how’s it going?

 

Gary: Good. So, Tanya Janca is a senior cloud developer advocate for Microsoft specializing in software security. Tanya’s job involves evangelizing software security and advocating for developers through public speaking. She’s a leader in the OWASP DevSlop project and believes in hands-on teaching via workshops and real technical examples. As an ethical hacker, OWASP project and chapter leader, software developer, and professional geek of 20 years, Tanya is a person who’s fascinated by the science in computer science.

 

Previously, she worked as an IT security coordinator for the 42nd general election in Canada. Tanya is also an avid gardener and has been the frontwoman of multiple bands. She holds a computer science diploma from Algonquin College, she grew up in Ottawa where she still lives, and she’s fluent in French, which we’re not going to get into today. So that’s a pretty impressive pile of stuff.

 

Tanya: Oh, thank you.

 

Gary: You’ve been active in security for a long time, and I’m wondering, how did you become interested in security?

 

Tanya: I was a software developer for a really long time, and I never thought there would be anything that I could ever like more than building things. And then I met this guy. We had these lunch-and-learn sessions that I was organizing at work for my team, and we had an ethical hacker come in, and he broke in through the log-in screen using SQL injection, which I’d never seen before. And it just completely broke my mind. I was like, “This is amazing.”

 

So he came back and talked to us a few more times, and then he was in a band and I was in a band, so we became friends. And then one day, he’s like, “Tanya, join the dark side. Be a hacker. It’d be so awesome.” And I was like, “No, nothing’s better than software development.” So he spent a year and a half convincing me to be his apprentice. What a nice guy, you know.

 

Gary: Well, we really, really, need people in our field.

 

Tanya: I guess he’s doing a great job of this, because he brought me in and I’m bringing others, so it’s working. That’s how I ended up working for him.

 

Gary: How long were you a developer before that happened to you?

 

Tanya: Around 16 years.

 

Gary: Wow, for a long time.

 

Tanya: Yeah, I started programming as a teenager, and then I got my first job in IT as soon as I was legal. Like, “I’m 18. Let’s do this.”

 

Gary: Right. Right. I’ve always held that the best way to create software security people is to start with software people—versus, say, network security people—and go from there. Do you agree with that?

 

Tanya: I agree with you 100%. I don’t know how someone can understand how to secure a thing if they don’t know how to make the thing and they don’t know how the thing works. Right? I mean, that doesn’t mean a network person can’t learn software and then learn the security of software. It just means they have a bigger uphill battle.

 

Gary: I think it’s a way big uphill battle. And I don’t know—I mean, maybe I’m biased because I’m one of those software people too—but I think that software is harder to learn to do and to learn about and to practice than some aspects of network security.

 

Tanya: I guess that I personally like software better than networks. So for me, it comes more naturally. I kind of stink at network security. Like, I can do the basics and I can scan all your networks and look for the things, but when it gets like deep into it, I’m like, “No, I’m afraid.”

 

Gary: Well, 20 years ago, when I was first starting out in software security, there was no field, and about half of the people or more were these normal security people who were trying to think about software, but they didn’t really even know what a build was or a compiler. I mean, they were kind of Perl people, so they knew something about scripting. But that was a problem, and it seemed easier, and has always seemed easier to me, to start with software people. We have a lot of software people at Synopsys because we think it’s easier to teach software people about security than the other way around.

 

Tanya: Oh, yeah. No, it’s way easier, especially if you can get a software developer that’s curious about security. That’s the magic ticket.

 

Gary: So that’s a problem too, though, because I’m not sure you can teach somebody how to code. Like I started coding at 16 and, you know, I took some classes later, but they were just kind of teaching me stuff I already knew. So how do you teach somebody to code? Do you? Or is it like a natural-born talent? I mean, what do you think about that?

 

Tanya: I’m not sure. I’ve never even thought of that, to be quite honest, because some people have told me, “Oh, it’s really hard.” But almost every single person in my family—like at least 50%—are computer science or computer engineers, and then the rest are, like, chemists, mathematicians, and mechanics. So when I was like, “Oh, I’m going to study computer science,” the whole family was like, “Obviously.”

 

Gary: Yeah, “Duh.”

 

Tanya: So when I started coding, it was off to the races. I play guitar, so I made a “how to play guitar” program, and for me it was just really exciting and awesome immediately. But other people just bang their heads against the wall over and over and over. And I guess maybe it takes a certain type of personality trait or maybe the way our brains work. I’m not sure. But some people just pick it up like it’s nothing.

 

Gary: Yeah. And so I guess that has implications for software security people too, if you hold, like we do, that you should start with software people first and turn them into software security people. Interesting stuff.

 

Tanya: I’ve actually worked at a bunch of places where regular security people are trying to do application security, and it’s very painful. Like it’s painful for me, it’s painful for them, and I find the people that suffer the most are the software developers, because you have someone that’s thinking, “Well, can’t we just put an appliance in front of that? Can’t I buy a box that does the security?” Like, no, you have to teach the developers. I gave a one-hour overview of the OWASP Top 10 to the security team I used to work with, and I felt like I had done something bad to them because all their faces looked like they were melting off. And I was just trying to explain the concepts—like not even how to protect against them, just the ideas—and they were like, “How could anyone ever learn all of this?” I’m like, “Guys, this is like 1 through 10. This isn’t even ABCs.”

 

Gary: “There turn out to be 10,000 of these.”

 

Tanya: Yeah, and then you need to know how to protect against them. And they just were like, “This is impossible.” I’m like, well, I mean, if you’ve never coded before, it certainly seems that way for sure. It’s an advanced thing, right? I feel like security is you can’t really start a career immediately in security, or it’s really hard to be really good at it. Like if you are a network engineer, then you do network security. If you’re a software engineer, you do software security. It’s kind of like you have to master the thing underneath first.

 

Gary: Yeah. It gets even worse, too, if you try to figure out where software architects come from. But let’s don’t even go there. I want to pursue a slightly different angle.

 

So you’ve been on the receiving end—I’m sure, if you were coding for 16 years—of the ugly baby phenomenon of security, where somebody declared your code bad during a review and they’re like, “You know, your baby is ugly, and your code is bad, and everything is terrible, and don’t come back until you get it right.” So what’s wrong with that approach?

 

Tanya: Oh my god, it’s so true. It feels like someone said your baby was ugly. Actually, I have a talk called “Insecurity in Information Technology,” and I tell that story for the first five minutes of my talk.

 

Gary: Awesome.

 

Tanya: And basically, I had to go back and forth three separate times with the person running the VA automated scanner that he did not understand whatsoever, and he shamed me. He told me that if my code was good, that I should have passed the first time. And that if I was a good software developer, I would have known how to fix all of the issues. But now that I’ve done some pen testing and some vulnerability assessments, I’m like, “Oh, that guy had no idea what he was talking about, and he felt more insecure than me.”

 

Gary: In just letting a tool…

 

Tanya: Yeah, and he was doing that specifically on purpose to make me not ask more questions. I worked somewhere once (that will remain unnamed) very briefly where I’ve done consulting and full-time work. And the two people on the team that I was supposed to help prop up and make functional, the security people, were doing this thing where they were making faces at each other. And I’m like, “What are you doing?” And they said they were practicing their “you’re so stupid” face for when developers ask questions so developers know not to ask more questions.

 

Gary: That is terrible. That is just absolutely wrong. So what do we do to eradicate that attitude, what do you think? I know you’ve been working on that.

 

Tanya: Well, I have a talk all about it. So I did some research into this. So social scientists study all sorts of things about culture change and all of that. And it turns out when people feel insecure in their jobs, there’s, like, predictably bad behavior that they do, and that predictably bad behavior is things like that. So if you have a security team that doesn’t even understand software and doesn’t feel supported and doesn’t have training and doesn’t feel there’s enough of them and all of that, those people are going to feel really insecure.

 

And unfortunately, some people take out their insecurities on other people instead of on themselves or in a productive way. So, like, if you feel insecure about a thing, personally, what I do is I like to book a talk. Or for instance, the Open Security Summit, I’m going to be unleashing a new project there because I was like, “I don’t know how to do that thing very well yet, so I’m just going to make a big commitment for myself, and then I have to learn it.”

 

Gary: Yeah. Yeah, that’s a common thing.

 

Tanya: And then I’m going to master the thing so that I don’t feel uncomfortable about it anymore. And that’s how I handle my insecurities. But other people are like, “I know what I’m going to do. I’m going to make faces at people so they feel like crap.”

 

Gary: Right. I mean, I have a theory that getting art done is similar. Like if you have a project that you want to do, like a new set of music, a CD, or a record, or whatever you want to call it, if you set yourself a deadline, then you just sort of have to do it.

 

Tanya: It’s so true.

 

Gary: What you were describing seems to be related to that, to me.

 

Tanya: It’s true, but it’s also about fear, if that makes sense.

 

Gary: It does.

 

Tanya: If I’m worried about something, I’m like, “Well, if I promised I’m going to do it, I guess now I have to go do it,” and I have to face my insecurity that I’m not that good at code review, or I’m not whatever the thing is I’m worrying about. But I see a lot of people instead shy away. And everyone handles their lives differently, but, I mean, if we can support security teams, and especially support developers. But we also need leadership, right? So if you have someone at the top that doesn’t take security seriously or if you have someone at the top, like if you have a CISO who doesn’t understand software at all and doesn’t understand application security at all and thinks it’s like network security…I’ve had senior security people be like, “Tell them to just patch it.” We’re not getting a magical patch from Microsoft to patch some piece of software.

 

Gary: Exactly. “Where do you think the patch comes from, sir?” My favorite is when senior people say, “You have to fix all the softwares,” and you go, “You know, the plural of ‘software’ is ‘software.’”

 

Tanya: Oh my gosh. How do you keep a straight face?

 

Gary: You don’t. So let’s compare and contrast working for the Canadian government, which you did for a long time, versus working for a big corporation, which you’ve done for a very short time. So what do you think?

 

Tanya: Yup. It’s so different, it’s amazing. In the government, your role is very defined. And this is your job, and you just do those things, and you try to do those things as well as you can. But in Microsoft they’re letting me do my job, but I can volunteer to be a part of all these other teams, which to me is insanely exciting.

 

So in the government, like if I’ve worked somewhere a long time and I have clout, then I could say, “I want on that project,” and then usually people will be like, “It’s Tanya, so I’ll say yes.” You know what I mean? Like you have a reputation for “things are going to get done,” and then you can kind of push a new social capital to get the things that you want. But at Microsoft I’m just like, “Oh, I’m really curious about this technology you’re building, and can I look at it from a security angle?” Like they line up for security as opposed to in the government, where I felt sometimes I was chasing them around to do security. At Microsoft they’re like, “Oh, it’s our turn.” Like they’re looking forward to it, and I’m like, “Oh my god, the attitude is just so refreshing.”

 

Gary: Yeah. “That guy’s jumping the line! That’s not fair.”

 

Tanya: Yeah, it’s so awesome. And also the hours and all sorts of other things that are different. I have a very weird job though, so I needed a lot of completely untouched time to work on a keynote that I’m writing. And so I just did it all afternoon Saturday. But then, you know, I’ll just like perhaps not come in Tuesday morning, and everyone’s cool because they’re getting all the work done.

 

Gary: I know that deal. I’ve been doing that the whole time. It’s like, I got tons to do, and if I come to the office, I won’t get anything done, so I better just do it even though it’s Sunday at 2 a.m.

 

Tanya: So in the government, they would be worried that it would look bad. You know what I mean? And I understand that there’s a different culture there, and so this culture works better for me and my weird working style. And I guess I’m really liking it so far, but we are still in the honeymoon phase. We did just get married.

 

Gary: Let’s poke into the stuff you did for the government—in particular, election stuff. So here’s a trick question. In your view, what’s the biggest risk to fair and free elections? Is it insecure voting machines, social media propaganda campaigns, or apathy? Gotcha.

 

Tanya: Trick question.

 

Gary: I told you.

 

Tanya: So all the countries that have elections are really worried about voter suppression. And voter suppression is using social media to try to trick people into going to the wrong voting session or other things like that, but it can get as advanced as having armed men outside of where you’re supposed to vote, and they’re going to shoot you if you try to vote. Right?

 

And clearly, we don’t have that problem in Canada, but in the last election, we did notice some tricky things being done in social media that previously we’d not seen. There’s been some articles out about it. Like I can’t go in depth for things that aren’t publicized, but, I mean, America or the United States has been having quite a bit of that. And as it turns out, our elections used to be approximately when the U.S. elections were, which meant all the people that were employed doing that trickery were busy. But this one was in between, so they had time off.

 

Gary: So they came and screwed around with the Canadian elections. That’s terrible. We’re sorry.

 

Tanya: I believe that that is possibly an explanation. I don’t have proof one way or another, but to me, it’s unethical at a level that I can’t even express with words to do things like that.

 

Gary: Yes, it’s frustrating.

 

Tanya: Even if someone’s going to vote for someone that I wouldn’t vote for, I still feel that it is their right. And so I have super strong positive feelings about elections and democracy and about fairness, but our…So I actually spoke on this in Switzerland at the Swiss Cyber Storm in 2017, and I don’t know if you know, but Switzerland is switching to e-voting, but they currently do a lot of their voting by mail. So their risks and concerns are very different from Canada’s.

 

And in Canada we actually vote on paper. And we count with something like 36 members of the media in the room and then a member from every single party to make sure that…we have like this giant room, and everyone counts together, and then they actually recount it again to make sure. And everyone’s already released the results, so, like, we’re the last ones. So everyone already knows long before we release it. And we keep them for four years just in case.

 

The most important risk to democracy, in my opinion, is the public not believing the results. And in Canada we will do anything to make sure that they can trust it, including just letting members of the public in while we count, because that’s how important it is to us. Like complete humility, no egos. Even if it takes twice as long, we’ll work all night. It doesn’t matter. We’re willing to make it right.

 

Gary: Well, you heard it here first, because what Tanya is saying is going to really matter in the 2018 midterms in the United States. That’s going to be the attack, so get ready.

 

Tanya: I’m not going to comment on international politics at all.

 

Gary: I get to because I’m sitting here in Virginia while we’re saying this.

 

Tanya: Yeah, I really hope that every country can have fair and democratic elections that choose to have elections. Anyway.

 

Gary: We’ll be right back after this message.

 

If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.

 

Gary: You champion learning by doing, very clearly, as witnessed by your OWASP DevSlop project, among other things that you’ve done. Briefly describe that project and the importance of getting containerization right to software security.

 

Tanya: OK, I’m so excited about this project. So there’s four of us on the team right now, but we’re growing pretty quickly, and Nicole Becher and I are leading it. Basically, each of us is making different types of pipelines to automate as many security processes as possible, and then the next step is to add containers. We’re each going to release to different cloud providers so you can see how to safely release to each one of them.

 

And then I’m actually really excited because one of our team members is on the OWASP Core Rule Set team, and they’re the ones that created the signature set that’s used with the free WAF ModSecurity, the web application firewall. And so Azure Cloud’s community has created a plugin, like in conjunction with Microsoft and the Core Rule Set team. So you just press a button, and it turns on the Core Rule Set 3 for you for free. That’s insane. That’s so amazing. I want to set that up, so I’m creating a team website for us, and then I’m going to deploy it through our pipeline live so people can watch and see.

 

And then we’re open-sourcing everything. Like my stuff is going to be Microsoft stuff, but everyone’s using different platforms. So we have Apache, we have all sorts of different things, so whichever tech stack you’re using, we’re hoping we’ll cover it. And you can just copy the stuff out of our repo and then adjust it for your environment, which is so exciting because it’s really hard to make a pipeline from scratch, especially if you don’t know.

 

We’re going to be at the Open Security Summit. Nicole and I are going to be at NorthSec in May to do…We’re also doing microservices, so Nicki and I are going to crush this thing named Pixi that we made, which are insecure microservices. And basically, we’re trying to teach people by…it’s like, “Watch us crush it. OK, now all of you are going to crush it.” And then we walk around, and we just try to help everyone make sure they understand and go through the lessons with them.

 

Gary: It’s kind of like dragging WebGoat into the modern world, a little bit. Pixi is, anyway.

 

Tanya: Yeah, well, if anything, so the newest kind of WebGoat-y thing is Juice Shop by this guy named Bjorn. And he has a whole team, and it’s really awesome, and it is a really nice web app. But we want to cover the weirdo things that aren’t covered in Juice Shop. Like they have some microservices, but we’re really interested in DevSecOps, I guess. Basically, we’re obsessed. Yep.

 

Gary: Yeah, cool. That sounds cool. So I think you should get a logo that’s somehow a pig, because I love the DevSlop name. That’s a hilarious name, totally awesome.

 

Tanya: Our logo’s actually the two gears from DevOps except for it says “DevSlop.”

 

Gary: I know, it’s hilarious.

 

Tanya: Maybe we should have a pig though, because we like animals. Like a cute piglet.

 

Gary: Well, you could just say, “Slop the pig.” That could be your motto. I mean, I’m a gardener like you, but I also have pigs. On occasion, we name them after world leaders. The last two were Berlusconi and Sarkozy, so we have interesting breakfasts.

 

Let’s keep pushing down the DevOps thing a little bit. So I have some worries. In my view, a critical danger of DevOps is that the rush to automate everything and speed everything up leaves secure design analysis or threat modeling—or whatever you want to call it—sort of lost or left out.

 

Tanya: I hear you.

 

Gary: So what should we do about architecture in the DevOps paradigm?

 

Tanya: I really feel that it needs to be DevSecOps. And by that, I mean it can’t be the Dev and the Ops teams doing stuff and then security on the outside. In my opinion, the security team needs to be right in there with them. Someone from the security team should be on their projects. And maybe they have to tag-team and swap out for different activities, because some of us are better at code review than threat modeling, etc., but there needs to be security sprints as well.

 

So if you’re doing design or you’re adding, like, a new feature, you should tap in your threat modeler to come in and threat-model for that activity. And then there has to be, like, a full sprint—at least one, if not multiple ones, depending upon how big your project is—where it’s just all security for the entire sprint. It’s like, “Here’s all the things you have not been keeping up on.”

 

Gary: Yeah. I mean, I see the point there, but I’ve also been involved in a whole lot of analysis in projects where we went in and we looked at the architecture and we were like, “Uh-oh, going to have to refactor this whole thing now.”

 

Tanya: Yeah, that’s true.

 

Gary: “Even though you’re a multinational bank and it’s going to take five years, it has to be done.” And I’m hoping that we don’t lose sight of that kind of work in DevOps. I think DevOps has—and DevSecOps or SecDevOps or OpsyDevsySexy or whatever you want to call it—is fine, and it’s got a lot of positive characteristics. But we cannot forget what we already know. That’s super important.

 

Tanya: Oh, I agree. I agree. I guess I’m seeing a lot of Waterfall where the security team, their model is “Stop while we do some security.”

 

Gary: Yeah, which is crazy.

 

Tanya: Which is crazy. And it doesn’t work, right? Like where you ask for a threat model and they get back to you in four months. And you’re like, “I can’t get crap done. You can’t just stop me.” So what do software developers do? They are like water. They just go around you.

 

Gary: Exactly.

 

Tanya: No problem. “You don’t want me in the database? Well, I need in there, so I’m in there now.” I did not realize how much hacking I did until I became a hacker. Like, “Oh, I used to do that all the…oops.” And I used to do that at work.

 

Gary: “Oh, you said not to do that? Sorry, I didn’t hear you when you said that.”

 

Tanya: But, I mean, if you need to get your job done and you have a deadline, I don’t know—you’re just not going to stop. So if you have a software developer that’s like, “OK, I guess I’ll just sit on my hands until…” that person’s fired. They’re not going to make it. You want the people that are like, “Nothing’s going to stop me until…”

 

Gary: Yeah, so that’s the good part of DevOps, because if you’re integrated tightly and it’s automated, it’s way easier to do, and it doesn’t stop you or slow you down too much. So I totally agree with that, but somehow we got to strike a balance, and I don’t think we’ve figured it out yet.

 

All right, another topic. What is more of a challenge, being a woman in security or being a woman in the Ottawa punk scene?

 

Tanya: Definitely music. Yeah, music’s much more complicated. Sexism is completely overt and in your face in music, not in a way that it is, like, in tech. Yeah, trying to find musicians to play music with that I didn’t have to sleep with. Was next to them, no. Like, they’re just like, “I’m not interested then.” Yeah, or “I don’t play with girls.” Being told during sound check to go change into a miniskirt and a thong. I really got those guys back though.

 

Gary: So it’s just totally blatant?

 

Tanya: Yeah, but because of that, like, I’m really…and most of this is never a problem for me in tech because I’m used to it being so much worse. Like basically guys that told me to go change into a thong and miniskirt while I was on a very, very high-set stage, I was like, “Oh, you want to play like that?” And they’re just, like, yelling and screaming through my sound check and being jerks. And so I was the opener, and when I was on, I told the audience, I’m like, “Guess what: They have a special thing for you,” because they were known for doing these coordinated dances on stage. I’m like, “They’re going to do a strip show.” And the audience was like, “What?” I’m like, “Yeah, they’re going to strip down to, like, the full monty.” And they’re like, “What?” I’m like, “So after their first song, we all have to yell, ‘Naked.’”

 

Gary: You got them back.

 

Tanya: And I just kept telling them that through my set. And so when they went on, after the first song, we all looked at each other, and I started chanting “naked.” Then the whole audience is like, “Naked. Take off your clothes. Blah, blah, blah.” And they’re like, “What’s going on?” and I’m like, “Thong and a miniskirt.”

 

Gary: Yeah, there you go.

 

Tanya: They’re like, “You’re cool. We like you now.”

 

Gary: Yeah, so you were a hacker even of the punk scene in Ottawa, it turns out, which doesn’t surprise me at all somehow, Tanya.

 

Tanya: Well, if you want to make it in the punk scene, you really have to be aggressive. Like I went to a music festival once, and the guy was like, “Oh, girlfriends have to pay.” I’m like, “I’m in the band.” He’s like, “Girlfriends have to pay.” I’m like, “I’m in the band.” The guy crawls in through the window of the car, on top of the driver, puts his face in my face, and smells me.

 

Gary: Right, weird.

 

Tanya: And then I yell at him, “I’m in the band. I am the band.”

 

Gary: Yeah, “I’m the band.”

 

Tanya: “Where do we park our car? Get out of our car.” And like I just screamed at him. Then he got out. He’s like, “Why didn’t you say so? Let’s go.” But it worked.

 

Gary: You know, when I asked you that question, I wasn’t sure what I was going to get as an answer. That’s very, very interesting, so thanks for that.

 

I’ve got one last kind of crazy question. It’s about two songs that you have and what they mean and compare and contrast. It might be just, like, old Tanya versus new Tanya or I don’t know, I’m interested to find out. So the first one is called “Heartbleed,” and that’s a pretty funny name if you’re in security, and the other one is called “What the F*** Did I Do?” So real quick, in like 30 seconds, tell me, like, WTF.

 

Tanya: Well, the WTF song is about having a partner that would do the “I’m not mad” thing, where…So I can be emotionally a little bit insensitive. Not like I call people names or I’m a jerk, but just I might not pick up on subtleties and hints. And apparently I was receiving quite a few hints that my partner was really peeved with me, but I didn’t know. And I’m like, “Are you mad?” “No, I’m not mad.”

 

Gary: In all caps.

 

Tanya: Yes. And so the song is just like, “And you were not going to tell me? Like, I don’t know. Like, I’m not trying to just pretend I don’t know, but like I could tell you’re upset. Oh, what did I do this time? Like, come on.” And then “Heartbleed,” it’s about the Heartbleed vulnerability.

 

Gary: I knew it.

 

Tanya: It definitely sounds like it. So that group, the Zero Day Reapers, all their songs are about different aspects of security. Because I was in my apprenticeship trying to learn what different things were and understanding things, and for me writing a song is the best way. I wrote a song in French so I could master a certain grammatical thing, the subjonctif. And so I wrote a song with it in it multiple times. And so now I kick butt at that tense in French, which is really hard.

 

Gary: That is awesome. So we’re going to have to play together sometime. We did a band once at OWASP Europe. I think it was 10 years ago. And Dinis Cruz played the bass, there was some guy from Israel who was in a punk band who played guitar, and we wrote songs about SQL injection.

 

Tanya: You did? We should totally do it.

 

Gary: I haven’t done that for a decade. We got to do that again.

 

Tanya: I play drums too. We could definitely do it.

 

Gary: Indeed. Well, thanks very much for your time. This has been an absolutely fascinating conversation.

 

Tanya: Oh, thank you so much for having me. It was so great to meet you. And I’m down for playing music.

 

Gary: Yes, let’s do it. Cool.

 

Tanya: Cool.

 

Gary: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is co-sponsored by Synopsys and IEEE Security & Privacy magazine and syndicated by Search Security. The March/April issue of IEEE S&P magazine features our interview with Bank of America CISO Craig Froelich. The issue is devoted to hacking without humans and covers the DARPA Cyber Grand Challenge, focused on both offense and defense. Show links, notes, and an online discussion can be found on the Silver Bullet webpage at www.synopsys.com/silverbullet. This is Gary McGraw.

 

