Show 153: Gary McGraw discusses the evolution of software security, the BSIMM, the CISO report, and the future of IoT

December 28, 2018

Dr. Gary McGraw is a globally recognized authority on software security and the author of eight best-selling books on the topic. His titles include “Software Security,” “Exploiting Software,” “Building Secure Software,” “Java Security,” “Exploiting Online Games,” and six other books, and he is the editor of the Addison-Wesley Software Security Series. Dr. McGraw has also written more than 100 peer-reviewed scientific publications. Besides serving as a strategic counselor for top businesses and IT executives, Gary is on the Advisory Boards of MaxMyInterest, Ntrepid, and RavenWhite. He has also served as a Board member of Cigital and Codiscope (acquired by Synopsys) and as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). His dual Ph.D. in cognitive science and computer science is from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. He launched and has produced the monthly Silver Bullet Security Podcast since April 2006.

Listen as Taylor Armerding and Gary discuss how Gary came to Cigital and how the company’s mission and Gary’s role evolved over the years. They talk about software security during the “Java Security” era and whether things have gotten better or worse since the launch of the software security industry. Gary explains some of the touchpoints he introduced in “Software Security” and how they apply to all software development methodologies, and they explore the origins of the BSIMM, the CISO report, and the Silver Bullet Security Podcast. Finally, Taylor asks Gary about what the future holds for software security, especially across the ever-expanding Internet of Things, and for Gary after he departs from Synopsys.


Transcript

Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of Software Security. This podcast series is co-sponsored by Synopsys and IEEE Security & Privacy magazine, where a portion of this interview will appear in print. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 153rd in a series of interviews with security gurus, and today we’re going to do something slightly different. Today, Taylor Armerding from Synopsys is going to interview me for Silver Bullet. So I’m going to turn it over to Taylor.

Here you go, Taylor.

Taylor Armerding: Thank you very much, Gary. I was actually kind of hoping to fulfill a career dream by starting this off with “Welcome to the Silver Bullet Podcast. I’m not your host, Gary McGraw.” But you pre-empted all of that. However, now that I have a death grip on this virtual microphone, I would still like to make a couple of introductory remarks.

I’m honored that you asked me to do what I guess we could call an exit interview from the Silver Bullet, which you launched in 2006 and has now exceeded 150 monthly episodes, as you just mentioned. Honored and flattered as well to participate because, besides all the other good and significant things you’ve done, you have been a major factor in helping me start a second career that’s now approaching a decade. After spending decades in that highly respected field known as mainstream journalism, you were the first IT interview I ever did. And that conversation made me think I might actually be able to start understanding at least some of the language of tech.

Gary: Awesome.

Taylor: Which is one of the reasons I’ve admired the Silver Bullet. You do get into the technical weeds, but overall, you’ve made software security accessible to more than just your fellow alpha geeks. It’s very exciting to me when I can grasp at least 10% of what you’re talking about. Also, you are a major reason I’m at Synopsys now, since you let me know about an opening that, so far at least, feels like a good fit. So many thanks for all that, and for the rest of our time here, it’s all about you.

Dr. Gary McGraw is a globally recognized authority on software security and the author of eight best-selling books on the topic. His titles include “Software Security,” “Exploiting Software,” “Building Secure Software,” “Java Security,” “Exploiting Online Games,” and six other books, and he’s the editor of the Addison-Wesley Software Security Series. Dr. McGraw has also written more than 100 peer-reviewed scientific publications. He authors a periodic security column for SearchSecurity and is frequently quoted in the press (and I can attest to that, as a previous member of the press).

Besides serving as a strategic counselor for top businesses and IT executives, Gary is on the Advisory Boards of MaxMyInterest, Ntrepid, and RavenWhite. He has also served as a Board member of Cigital and Codiscope (acquired by Synopsys) and as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). His dual Ph.D. is in cognitive science and computer science from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. And of course, he launched and has produced the monthly Silver Bullet Security Podcast since 2006.

Gary, thanks for joining us, as you have joined every other episode of the Silver Bullet.

Gary: Yeah, super pleased to be here. Thanks for that great introduction, Taylor.

Taylor: Thank you. Thank you for being here and for asking me to talk to you. You’re leaving the Synopsys Software Integrity Group, but that is a business unit anchored by a company that until two years ago was known as Cigital, where you came in pretty close to the ground floor in the mid-1990s and rose pretty quickly to the top floor.

Tell us a bit how Cigital came to be and how you were drawn into it. Keeping in mind that while the internet had been a mainstream thing for a few years, this was back when, if you said the word “Google,” people would think you had marbles stuck in your mouth, and lots of us didn’t even have a cellphone, never mind a smartphone. What was happening that gave birth to a company that grew to 400-some people and developed the world’s first static analysis tool?

Gary: I graduated from Indiana with a dual Ph.D. in computer science and cognitive science, focused on the work of Douglas Hofstadter, who was my thesis advisor. So I actually wrote a pretty famous AI program called Letter Spirit when I was a kid. I needed to find a job, but I did not want it to be an academic job.

In a strange quirk of fate, I suppose, Jeff Voas, who was one of the co-founders of what was then known as Reliable Software Technologies and became known as Cigital some number of years later, was sitting on a plane on the way to a DARPA meeting. He was sitting between two people from Indiana University, a professor and a grad student, and he was complaining that he couldn’t find any Ph.Ds to execute a newly minted DARPA grant that they had just gotten at RST. And the people from Indiana said, “Oh, we know somebody who’s pretty good. Maybe you should interview this guy.” That was me.

So I came to Northern Virginia from Indiana. I did an interview over the course of a day. And then I had to decide whether to join a startup with seven people, including goldfish and dogs, working on a grant that nobody was sure what we were supposed to do, but there was an awful lot of money associated with it. So I took that job, knowing that joining a startup would mean that the company ate a good portion of my life, and my wife, Amy, agreed that that would be fine. So we moved to Virginia in 1995, and I joined RST executing this grant on computer security, which I quickly needed to find out what that meant. That’s the short story.

Taylor: OK, so if you want to get a job, get on a plane.

Gary: Get somebody who knows you on a plane.

Taylor: Right. Exactly. Can you go into a little bit of detail about the vision, the goal, and the ultimate mission of Cigital? How do you think that time, experience, and reality tempered or changed things, or not? And how did your role evolve over the years?

Gary: Cigital was always focused on software behavior, and our fun tagline was “We make software behave.” John Steven drew this hilarious cartoon of a dominatrix with a whip whipping software, saying, “We make software behave.” Needless to say, Corporate did not approve that for T-shirts. But in the old days at Cigital, it didn’t matter what was approved. T-shirts just sort of happened spontaneously, and there was ... I think my favorite Cigital T-shirt, just as an aside, ever published (and also regretted) was one that says, “We have jobs ’cause you can’t code.” We were like, “Yeah, that’s probably not good for our customers.”

But we were focused on software behavior, not necessarily from a security perspective but just from a software assurance perspective. Jeff Voas had been a pioneer in a field called software fault injection, which he and I wrote a book about together in 1998, I think—maybe it was 2000, I don’t know—but the worst-selling book I ever wrote, because it’s a hard-core software engineering tome about testing. RST was focused on testing and assurance and how you figure out whether a piece of software is good or bad, making use of the endless computer cycles that we saw coming. Computers were getting faster, cheaper. Cycles were getting more and more free. The internet is not the only thing that has benefited from that phenomenon.

So our focus really just shifted around mid-1995, ’96—maybe it’s ’96, ’97—when I got started working in Java security and found out that not only were Sun and Netscape and Microsoft interested in securing Java, but so were Visa and a whole bunch of banks. So we started building a consulting practice really around ’95, ’96, and by 1998, we had a software security group stood up, and we began to provide software security consulting services.

At the same time, we were working on static analysis technology for DARPA. Eventually we licensed that technology to Kleiner Perkins, who founded Fortify based on the technology we invented in the lab. So we were getting real experience doing consulting services, but we were inventing technology in the lab from a scientific perspective and then doing the hard work of tech transfer, which really was a majority of the heavy lifting with my job over the last 23 years. Tech transfer turns out to be hard. It costs more money than anybody thinks, and it takes 10 years to get a real technology across the transom out into the world. That’s how long it took to get Fortify from the lab out to HP, and it cost about $80 million or so.

Taylor: Geez. Wow.

Gary: I look back at these old grants I wrote for DARPA with the tech transfer sections, and they’re just hilariously naïve. But we did manage to get some stuff from Scienceland out into the world, and I’m very proud of that.

Taylor: That’s awesome. Actually, when you mentioned “Java security,” that sort of segues into the next question that I had. You wrote a farewell note to all of us and to the wider world and mentioned some of the highlights of the past 23 years. One of them you said was “Taking on Sun, Netscape, and Microsoft directly during the ‘Java Security’ years.” It seems like putting “Java” and “security” together in the same phrase had to involve a little bit of snark, since you have said more than once that what really excited you at the time was breaking Java. What were the things that made that era more than 20 years ago so great, and what do you think of Java now? If you were going to write “Java Security” today, what would be different, if anything?

Gary: Wow, that’s a tough question. I’ll just forget about the second part of the question. The “Java Security” stuff was interesting because we were breaking Java—we being Ed Felten and his grad students, Drew Dean and Dan Wallach, at Princeton—and writing about the problems that we were finding in Java in the popular press. It turned out that the press was interested in this stuff. The Wall Street Journal and USA Today were putting the breaking of Java on the front page because Java was so incredibly hyped up as a technology that was going to save the world in the mid-’90s that it was nice to have a story that said, “Oh, yeah? What about this?”

You have to realize that RST was like 18 people at the time, and our money was all coming from DARPA and the NSF and the Department of Commerce and grant money, soft grant money. Netscape and Microsoft, and also Sun, were huge corporations that were happy to try to bully us into submission or just ignore us to death. So we managed to use the press to disallow them from ignoring us to death.

Eventually, what happened was I began to think, “Why did amazing people who built this technology in the first place screw it up?” Like, in all seriousness, Bill Joy is fantastic as a technologist. Guy Steele is among the best languages guys on earth. So how could they screw it up when it came to Java? And if you wanted to not screw things up from a software security perspective, where would you go to find out?

The answer back then was “nowhere.” So I actually wrote this paper in 1998 that ended up being published in the Journal of Aerospace Engineering, an IEEE journal. That was about the geekiest possible journal you could imagine. It was about why we need to stop this penetrate-and-patch stuff and try to just build things properly in the first place. Which is really an obvious idea, but an idea that had not yet occurred to the brilliant people working on security up to the point. And thus software security was born as a field.

Taylor: Pretty cool, and has grown obviously.

Gary: Yeah, I think it’s probably about a $4 billion to $8 billion industry right now, about one-tenth or maybe slightly more, 10% or 12% of the entire computer security budget worldwide.

Taylor: Yeah. OK, in a keynote that you gave earlier this year to an audience in the automotive industry, you said—this is great—“Everybody knows there’s more software. There’s already too much software, and there’s going to be even more software. And guess what: Software sucks.”

Gary: Did I say that? I must have been in a pique.

Taylor: I’m afraid it’s up there on YouTube, so yeah, you did. And then you said the obvious: “All of which makes for quality, reliability, security, and safety problems.”

Gary: Yep.

Taylor: Anyway, so in short, it sounds like things have gotten worse, not better, since the launch of the software security industry, including Cigital. Why is that, and what isn’t getting done that should be?

Gary: Let’s get this straight. This is tricky. It involves two variables, which is way too hard for, say, Gartner analysts to figure out, because it’s two. One variable is that there’s more software than ever before. That means the problem is growing in cardinality because there are more bugs and more flaws because there’s more softwares. That’s just simple—one variable.

On the other hand, we are getting better at software security and software behavior as a species worldwide. In fact, if you count bugs per square inch, there are fewer bugs per square inch produced today than there were 20 years ago. So that’s really serious tangible progress. The problem is the first variable is swamping out the second variable. So it appears to the naïve that we’re not making progress in the field, when in fact we’re making drastic progress in the field. We just have to get our technology more widely adopted.

Taylor: You mentioned in that talk, and as we said earlier, one of your many books is titled Software Security. You wrote that in 2006, and you mentioned seven touchpoints. Could you briefly say what they were? Are they the same today? Will they ever change? In other words, will they need to evolve as technology evolves? Or is it like “code will always be code,” and so these things will always pretty much stay the same?

Gary: I think the latter. I think they’re going to pretty much stay the same. Instead of covering all seven, I’m just going to cover three in the order that you should adopt them.

Number one is code review with a static analysis tool and/or a better compiler and language. The idea is we have a whole lot of bugs, and the bugs are caused by mistakes in the language. And if we use the wrong pieces of the language, the compiler will happily compile a bug right into our code. That is, it compiles, but it’s still a problem from a security perspective. So that’s number one.

Number two is design review for architectural-level and design-level flaws. Some people call this threat modeling. I call it architectural risk analysis; that’s what we call it at Synopsys now. My view is that about half of software defects that lead to software security issues are design problems (that is, they are flaws) and not implementation problems (that is, bugs).

We made a lot of progress on the bug finding. There are static analysis tools that are widely available for almost any language you can think of. Many of them are free. I recommend FindBugs, for example, for Java. But there’s no such technology for finding flaws. That remains a deep expertise-driven field that we’ve not made enough progress on—part of the reason I worked on the IEEE Center for Secure Design, and I’ve started talking about that again. So that’s number two.

Just to review: Number one, code review with a static analysis tool. Number two, design review, looking for flaws. Number three is pen testing. Now, everybody knows what pen testing is, and everybody starts with pen testing because they’re making a mistake. Do not start with pen testing. Although it’s nice to have a big, raging, smoking fire in Sector 3, and you can make fun of people and feel self-righteously great and better than they are by doing a pen test, pen tests are an economically very silly way to do software security because you’re finding problems after the software is already produced.

So those are the top three. And yeah, those are always going to be important software security practices which will be applicable no matter what the software development life cycle is. The book “Software Security” is not about any particular software methodology. It is about applying software security practices to artifacts produced by any software development methodology. All this DevOps hoo-ha that’s the flavor of the day right now is certainly something that can be directly addressed by the work in software security, and is. You just have to make sure that you’re in your tight loop. So that’s the answer to that one.

Taylor: Thanks.

Gary: We’ll be right back after this message.

If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.

Taylor: One of your major initiatives in these past couple of decades was the creation with a couple of your colleagues of the Building Security In Maturity Model, BSIMM, which has been described as a measuring stick for software security initiatives. That annual report, now in its 10th year, lets organizations in various industries see what others are doing to improve their software security. For those who might not be familiar with it and should be, can you tell us a bit about its origins, the vision for it, and what it’s accomplished in its nearly a decade of existence?

Gary: Sure. First, let me give you the URL. If you go to https://www.bsimm.com/, there’s lots of information, and you can download a copy of the BSIMM for your own use. It is published for free under the Creative Commons.

The idea behind the BSIMM was pretty simple. There was a lot of faith-based software security going on in 2006. Mike Howard had just produced Microsoft’s faith-based version of software security called the SDL [Secure Development Lifecycle] and written about that with Steve Lipner in a book that I recommend that you read. But it was bound directly to Microsoft and to Microsoft’s way of developing software.

There were people that were arguing over “This is the way you should do software security. That’s the way you should do software security. This is the way and the light. Follow the gourd. Follow the shoe.” Typical Monty Python stuff. And I just said, “Well, we got to cut this crap. You know, I am one of the popes, and I have my very own pope hat, but three popes is too many. So how are we going to do this?” The answer was “Let’s go find out what’s really going on in the real world by interviewing firms that are actually practicing software security, and let’s report on what we find.”

That was the beginning of the BSIMM. We started with nine firms back in 2008. Ten years later, we have 120 firms. We are covering the work of about 472,000 developers. BSIMM grew beyond my wildest expectations from a science experiment in a little test tube to a de facto standard in the world of measuring software security progress, and I’m very proud of that work.

I do need to mention that I did that work with Sammy Migues from Synopsys and Brian Chess, who was chief scientist at Fortify and then at NetSuite—he’s the CISO. Then, later, we were joined ... Brian was replaced by Jacob West, who currently works at NetSuite as well.

Taylor: Yes. Yeah, thank you for mentioning that. I know it was a group effort, but you should all be proud. You also came up with the concept of Four CISO Tribes and Where to Find Them. What was the thinking, motivation behind that, and what were the goals?

Gary: Yeah, so we just basically tried to apply the same observation-based scientific approach to the CISO role that we did for software security in the BSIMM. It turned out to be harder than I thought. I thought, “Well, how hard could this be? I’ll just talk to a whole bunch of CISOs.” I ended up talking to 25 CISOs at 25 different firms who agreed to participate in the study. The real tricky bit was organizing all the data, which did not self-organize in a way that I was hoping that they would. We had to force them to self-organize by locking ourselves in the guesthouse with a bunch of bourbon and not letting ourselves out until the work was done.

I was bemoaning the fact that the data were not self-organizing to Brian Chess at dinner in Palo Alto at my favorite restaurant, called Tamarine—which you’ve just got to go to in Palo Alto. And Brian said, “Oh, that sounds really hard. Can I help?” To which the answer was, “Of course, absolutely. I need your help,” and we got the CISO report done. It’s very good work. Once again, this is work that was made available for free under the Creative Commons. You can get it from the Synopsys website, but if you can’t find a copy there, you can find one on my website too, or drop me an email and I’ll make sure to get you a copy of the CISO report.

Taylor: Great. Excellent. And of course, this podcast, the Silver Bullet, is another of your major initiatives, certainly one that’s gotten out into the public realm. What prompted you to launch that? Did you have any specific goals in mind? Or did you just think, really, it would be interesting just to talk to a bunch of security gurus?

Gary: I was on the Editorial Board of IEEE Security & Privacy magazine. I was talking to Kathy Clark-Fisher, who now runs the BSIMM at Synopsys, who was the lead editor of IEEE S&P. We were thinking about how to make the magazine more modern—this was 2006—and we decided collectively that a podcast might be a good idea.

So I tried a podcast just for fun. I recorded just a few seconds of snark and silliness with Marcus Ranum, which we never released. And I brought that to the Editorial Board and said, “Hey, I think we should do interviews of security gurus like this to put some fresh perspective and some modern technology into this magazine.” The Editorial Board agreed, so we started Silver Bullet in April 2006. I believe my first victim was Avi Rubin from Johns Hopkins.

Taylor: Wow.

Gary: Thousands of people have listened to Silver Bullet, and it’s garnered millions of hits over the years, so it really has gotten spread far and wide. It’s fun to give a talk in, say, Moscow and then somebody comes up and says, “Hey, aren’t you that Silver Bullet guy?” which happens all over the world. It’s interesting.

Taylor: Yeah. I mean, I know it’s got enormous reach. That’s pretty cool. Also about Silver Bullet, in 2017, you ... I think you might have told me this was not necessarily by design, but you interviewed only women.

Gary: That was by design. I just didn’t tell anybody. I just did it.

Taylor: OK. Was that a conscious effort to raise awareness about getting more women into the field? What else needs to be done to cultivate and promote female talent?

Gary: Yes, it was intentional, and since then, I’ve made sure that every other Silver Bullet episode is a woman or a minority of some other sort, maybe multiple minorities. The idea is that we always bemoan not having enough people in computer security. There’s the cyber security problem of not enough people, blah, blah, blah. Frankly, the answer is staring us right in the face. That is, there are many people, half the population, and many people in underserved populations that can really help us with this problem. If we reach out and get these people involved, we will be able to grow the kind of talent that we need in software security and tap into talent that’s been traditionally ignored by technology and white male-dominated technology business. We can do better, and I think that maybe Silver Bullet could play a little minor role in that. That was the idea.

Taylor: Yep. So given your enormous reach, influence, the audience, why stop the Silver Bullet now? Surely you have not run out of security gurus.

Gary: There are more being minted every day. Just ask the marketing people.

Taylor: Yeah.

Gary: I’ve been doing computer security hard-core for 23 years, and I’m going to continue being an independent voice in software security after I leave Synopsys on January 4, which is in just a few days. The Silver Bullet may be resuscitated, but I’m going to take a break for a while. I have been producing an episode like this for 153 months in a row without missing a month, and believe me, that was a serious pile of work.

A lot of people produce podcasts by just sitting around and talking about whatever occurs to them. This podcast involves doing background research on the guest, figuring out what to ask them, what I would like to know myself, and then what you find out is a very interesting thing, so questions that are not supposed to be tricky and hard, but questions that are in-depth enough to get to the core of how somebody thinks about security. I think that Silver Bullet has been pretty good at that, so I’m proud of this body of work too.

I’m going to have an archive up at my own website, so if you go to garymcgraw.com, there’s going to be a permanent archive there. And we’ll see. I mean, maybe something like this will come back around, but give me six months, man.

Taylor: Sure. Oh, yeah, absolutely.

Gary: If you think you’re bad, I’m the person who drives myself like a crazy maniac.

Taylor: No, I can only imagine how much prep goes into something like this. I mean, if you want to have something that’s credible and organized and worth listening to, you can’t just wing it.

Gary: Yep, that’s right.

Taylor: All right, we’re getting close to the end here of my long list of questions. You had said at the keynote I mentioned earlier, you said, “The good news is that we know what to do about software security. Now, let’s do it.”

Gary: Yep.

Taylor: As you said, obviously, a lot of people are doing it, but seems the bad news is, as you declared in that same talk, that lots and lots of software still sucks. Now, you addressed that a little bit earlier, that there’s just way, way, way more of it, and that’s continuing. It’s continuing to explode. I think you and Marcus referred ... or he referred to it as the Internet of Half-Baked Things or whatever.

Gary: Yeah. Some people call it the Internet of Shit.

Taylor: Yeah, whatever, but do you expect that reality to change? And if so, how are we going to get a handle on it? Do you see that happening?

Gary: I think we have to scale what we already know how to do, and I think Synopsys is playing a role in that. Scaling is an interesting thing to try to do. It’s not my own personal interests, but if you look at the BSIMM, for example, it describes in no uncertain terms what 120 firms are doing, and they’re making progress. So all sorts of other firms can copy that work and, in fact, accelerate faster.

If you also look at the BSIMM, you’ll see that it covers the work of about 472,000 developers, which I estimate is maybe 1/24th or 1/25th of all the developers on earth. So we’ve made a real tangible inroad into development. But we need to do a better job getting developers to understand software security and then to put it into their daily work. So I’m going to really reach out to the development community, not the software security community or the AppSec or the OWASP people. That’s not who we need to solve this problem. We need this problem to be solved by developers who build and design code every day for everything on earth. And I think we can reach them.

Taylor: Yep. OK. You did say that you are going to continue to be an independent voice, but I wanted to give you the chance, if you want to, to just talk about what you plan to do next. Are you just going to take some time off?

Gary: I’m going to do a lot of things actually. I’m going to crank up my band, The Bitter Liberals, some more. Our first concert in the beginning of the year is going to be on the 11th.

Taylor: No, I was going to ask you about that in a minute.

Gary: I’m going to work on machine learning, especially neural networks and genetic algorithms and sparse distributed memories again. I have about 50 publications in that stuff from 20 years ago, and it occurs to me that we have been not making much progress on the tech, although the datasets and the computers are way faster and way bigger than they used to be. But problems that we knew about in the ’80s in neural networks are still around.

I’m very much interested in rhythm perception and production of rhythm. For example, how would you get something to make music, a neural network, to make music and not all in one just splot? “Here’s a Mozart mazurka”—splot. That’s not how people do it. So the question is, how can we get pulsing iterative dynamic systems to do interesting machine learning stuff? Those are some of the things that interest me.

I will also, of course, continue to serve as an Advisor and Board member of forward-looking firms, some of the firms you mentioned at the top, like Ntrepid, who’s doing extremely well, and Max, who’s also doing very well now. I’m looking for more opportunities like that to get involved in technical advisory boards, and so I’ll be doing that too.

My problem will be too much to do, not not enough to do.

Taylor: I’m sure of that. I would like to conclude by going off the software security reservation a bit. Perhaps not everybody knows that not only are you an alpha geek, but you are a Renaissance man as well. You’re a musician. You sing and play fiddle in a band. As you just said, it’s called The Bitter Liberals. So just tell us a little bit about the band. How did it start, and how would you describe your music?

Gary: Yeah, we started in 2013. It’s a group of seasoned musicians who had performed both professionally on the road full-time and playing in little bands that are local for over 25 years. Everybody has tons of experience, and we all got together. It’s a funny story how that happened. If you’re a musician, you’ll know that somebody will say, “Oh, you should meet my cousin Joe” or “You should meet Bob. He’s the best X you’ve ever met. You two would love each other.” And all of us musicians just go, “Yeah, right,” whenever people say that.

There was this fellow named Allen Kitselman, who’s now a member of The Bitter Liberals, who people were telling me I had to get to know, and they were telling him he needed to get to know me, and we ignored them for five years. When we finally got together, it was at a party that Allen had. There were probably 20 guitarists playing something like “Friend of the Devil” when I walked in the room. I was thinking, “OK, here we go, more Dead covers. Yawn.” Then that song ended, and Allen was playing something really interesting, I think in F-sharp minor, in the corner. I went up and stood by him and started playing, and we looked at each other, and it was like, holy cow, there’s a brother.

Taylor: Yeah. Cool.

Gary: The next day, I showed up after work with my violin and said, “We’re playing music.” And he said, “Yes, we are,” and he started playing again after 13 years of being off the road. He had a band called Genghis Angus that did very well during the day. He still gets mailbox money from some of the songs that they wrote, which are still used for some of the MTV shows to this day.

Taylor: Not bad.

Gary: Yeah, but Allen and I are musical brothers in the very same way that Rhine Singleton and I have been musical brothers for years. Then we found Clark Hansbarger (we’ve got two songwriters), and we recently switched out our rhythm section to Michael Rohrer and Nick Schrenk, just a phenomenal rhythm section. The band is producing all-original Americana. I don’t know how to explain the genre other than we sound like The Bitter Liberals.

Taylor: No. I’ve watched and listened, and everybody needs to watch and listen. You’re on the internet, on video.

Gary: Yeah.

Taylor: So if liberals take control of the entire government in a couple of years, are you going to have to become The Lethargic Liberals or The Complacent Liberals?

Gary: Maybe. I mean, we did name our latest release—which came out in, I guess, it was last September—“now more than ever.”

Taylor: Yeah. That’s good. I mean, I just hope you can continue, because things change.

Gary: Here’s hoping for it, man.

Taylor: All right. Thank you again for hosting the Silver Bullet, which will obviously live on in archive form, as you said, because most things on the internet are as close to immortal as we get. Along with everybody else at Synopsys and the wider software security world, I wish you all the best in your next chapter, with hopes that it’s even more creative, energetic, productive, and fulfilling than what you’ve done so far. Thanks much.

Gary: Thanks, Taylor. This has been fun.

Taylor: A lot of fun.

Gary: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is co-sponsored by Synopsys and IEEE Security & Privacy magazine and syndicated by SearchSecurity. Show links, notes, and an online discussion can be found on the Silver Bullet webpage at www.synopsys.com/silverbullet.

After 12 and three-quarters years of Silver Bullet, this will be my last episode. I know thousands of people have enjoyed this podcast. Thank you for listening. This is Gary McGraw.

Gary McGraw