Born and raised in Morocco, Wafaa also lived in the UK, France, and the Middle East before relocating to Indianapolis, Indiana in 2008. She holds a Master’s in Computer Science from INSEA in Rabat, Morocco. She holds another Master’s in Business Applications of Information and Technology from Université Rennes 2 in Rennes, France. Additionally, Wafaa holds a General Management Certificate from the London Business School. Most recently, in 2015, she graduated from the Harvard Business School Advanced Management program.

Listen as Gary and Wafaa cover cultural differences in technology management, CISO education, organizational hierarchy, and more.

• Connect with Wafaa Mamilli on LinkedIn
• Follow Wafaa Mamilli on Twitter
• “Executive Women’s Forum Hosts First-Ever Cybersecurity Women on Capitol Hill Event”

The post Show 137: Wafaa Mamilli Discusses Cultural Differences in Technology Management appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Listen as Pavi and Gary discuss whether a background in development makes you a better software security resource, CI/CD, security testing, the role that office hours play in software security awareness, and more.

• Follow Pavi Ramamurthy on Twitter
• Connect with Pavi Ramamurthy on LinkedIn
• A Doubter’s Almanac: A Novel
• The Twentieth Wife: A Novel

The post Show 136: Pavi Ramamurthy discusses the relationship between development and software security appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Listen as Gary and Ksenia discuss software security awareness, AngularJS, security conferences, and more.

• Follow Ksenia on Twitter
• Connect with Ksenia on Linkedin
• “How secure is AngularJS?”
• BSides DC 2015: Fixing XSS with a content security policy
• Ballroom dancing

The post Show 135: Ksenia Dmitrieva-Peguero discusses software security and AngularJS appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Listen as Gary and Kelly discuss how to separate fact from fiction when it comes to news in security, changes in security-focused journalism in recent years, social media, security politics, and more.

• Follow Kelly Jackson Higgins on Twitter
• Connect with Kelly Jackson Higgins on LinkedIn
• Articles by Kelly Jackson Higgins on DarkReading.com
• “How I Got Here: Kelly Jackson Higgins” Threat Post interview
• Conversations with Toni Morrison

The post Show 134: Kelly Jackson Higgins Discusses Cyber Security Journalism appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Listen as Gary and Cheryl discuss aligning security to work as a service for the business rather than an imposition for employees, trending cyber security political topics, work-life balance, and more.

• Follow Cheryl Biswas on Twitter
• Connect with Cheryl Biswas on LinkedIn
• Cheryl’s CyberWatch blog
• Cheryl’s Mom’s the Word blog
• TiaraCon
• “Ransomware and Databases: A Mongo Problem”

The post Show 133: Cheryl Biswas Discusses the Politicization of Cyber Security appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Dr. Chenxi Wang is the founder of the Jane Bond Project. She has built an illustrious security career with experience at Forrester Research, Intel Security, CipherCloud, and Twistlock. Dr. Wang started her career as a computer security faculty member at Carnegie Mellon University. She holds a Ph.D. in Computer Science from the University of Virginia and currently lives in Silicon Valley with her family.

Listen as Gary and Chenxi discuss the life of Professor John C. Knight, the Jane Bond Project, the Grace Hopper Conference, the state of software security, DevOps, fixing the diversity in tech issue, and more.

• Follow Chenxi Wang on Twitter
• Connect with Chenxi Wang on LinkedIn
• ”Interview: Chenxi Wang on Information Security’s Mr. Robot Problem and Enforcing IoT Standards”
• A Security Architecture for Survivability Mechanisms
• Thinking, Fast and Slow by Daniel Kahneman
• ”Don’t Talk Diversity, Live It!” Panel at RSA 2017

The post Show 132: Chenxi Wang Discusses DevOps and Diversity in Tech appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Listen as Gary and Kate discuss the state of the software security industry, gender perspectives in the security space, the relationship between biology and security, and more.

• Visit Kate Pearce’s website
• Connect with Kate Pearce on LinkedIn
• Follow Kate Pearce on Twitter
• What did Kate present at Black Hat 2016?
• “Researchers” versus Researchers: Gary’s ShmooCon talk
• Bill Bryson’s A Short History of Almost Everything

The post Show 131: Kate Pearce Discusses the Relationship Between Biology and Security appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Listen as Gary and Jessy discuss social engineering, security research, and security education and accessibility.

• Connect with Jessy Irwin on LinkedIn
• Follow Jessy Irwin on Twitter
• Visit Jessy’s Jessysaurusrex blog
• “Grooming Students for A Lifetime of Surveillance”
• “Cryptoparty: An Introduction to Secure, Usable Encryption Tools for All”
• Steve Bellovin and Matt Green discuss the crypto wars in Show 112

The post Show 130: Jessy Irwin Discusses How to Make Security and Privacy Accessible appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Listen as Gary and Kelly discuss the differences between application security and software security, finding bugs versus fixing bugs, improving code review tools, and how mental illness affects her analytical security outlook.

• Follow Kelly Lum on Instagram
• Follow Kelly Lum on Twitter
• Connect with Kelly Lum on LinkedIn
• Travers.al blog
• She’s A Wreck blog

The post Show 129: Kelly Lum Discusses Bug Hunting and a Unique Analytical Outlook on Security appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Listen as Gary and Lesley discuss the evolution of computer security, incident response, digital forensics, security engineering, security certifications, and more.

• Follow Lesley Carhart on Twitter
• Connect with Lesley Carhart on LinkedIn
• “Avoiding burnout: Ten tips for hackers working incident response”
• “Threat Modeling the Minecraft Way”
• Ruger MK III

The post Show 128: Lesley Carhart Discusses Incident Response and Digital Forensics appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Listen as Gary and Marie discuss her research and the future of medical device security.

• Follow Marie Moe on Twitter
• SINTEF
• “Living with a vulnerable implanted device“
• “Go Ahead, Hackers, Break My Heart“
• “Why We Should Worry About Hackable Hearts“
• “Could hackers break my heart via my pacemaker?“
• “How the ‘Internet of Things’ could be fatal“

The post Show 127: Dr. Marie Moe Discusses Medical Device Security appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Listen as Gary and Mike discuss open source security including OpenSSL, containerization, and progress being made in the industry.

• Black Duck Software
• Connect with Mike Pittenger on LinkedIn
• GNU General Public License
• Ghost of Paul Revere

The post Show 126: Mike Pittenger Discusses Open Source Software Security appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Listen as Gary and Jim discuss recent developments with static analysis, the relationship between open source and security, programming languages frameworks and how they impact tools, developer training, enterprises moving to the cloud, and island life.

• Connect with Jim Manico on LinkedIn
• Follow Jim Manico on Twitter
• Manicode
• Manicode blog
• Brakeman Security
• OWASP Application Security Verification Standard Project
• Iron-Clad Java: Building Secure Web Applications

The post Show 125: Jim Manico Discusses Static Analysis, Open Source, and Developer Training appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Connect to Lance Cottrell on LinkedIn
• Follow Lance Cottrell on Twitter
• Ntrepid
• Anonymizer, Inc.
• North Bay Angels
• SoCo Nexus Sprout
• “Cryptopolitik and the Darknet” by Thomas Rid
• Lance Cottrell’s blog

The post Show 124: Lance Cottrell Discusses Anonymity and Privacy appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Connect to Yanek Korff on LinkedIn
• Mastering FreeBSD and OpenBSD Security
• Ntrepid
• “Building Trust in Four Steps”

The post Show 123: Yanek Korff Discusses How to Build a Successful Technical Team appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Connect with David Nathans on LinkedIn
• Designing and Building Security Operations Center
• John Pennekamp Coral Reef State Park
• How to Win Friends and Influence People
• The Fine Arts Company

The post Show 122: David Nathans Discusses Security Operations Centers and Medical Device Security appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Horst Feistel
• A Mathematical Theory of Communication
• Defusing the Nuclear Threat (blog)
• The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet
• “Cryptography Pioneers Win Turing Award”
• Soaring

The post Show 121: Marty Hellman Discusses Cryptography and Nuclear Non-Proliferation appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

To celebrate 10 straight years of the monthly Silver Bullet Security Podcast, we’re flipping the mic. During the past decade, Dr. Gary McGraw has interviewed some of the security industry’s most influential gurus. A globally recognized authority on security and software, he is the CTO of Cigital and the author of eight bestselling books on software security—and for the 120^th Silver Bullet interview, he’s not the one asking the questions. In this landmark episode, firewall inventor Marcus Ranum takes on the role of Silver Bullet host to interview Gary on a variety of topics including evolutionary biology and security, the Internet of Things, hard core cyber insurgency, advisory board work, software security, tinfoil hats, the surveillance state, and more. Watch Marcus and Gary celebrate a decade of Silver Bullet in this special video edition.

• Gary McGraw
• Boards and Advisory Boards
• Marcus Ranum
• Charles Perrow’s Normal Accident Theory
• Among the Ten Thousand Things

The post Show 120: Silver Bullet Celebrates 10 Years! Marcus Ranum Interviews Gary McGraw appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

As the Chief Architect for Security Products at NetSuite, Jacob West leads research and development for technology to identify and mitigate security threats. West has over a decade of experience developing, delivering, and monetizing innovative security solutions. Prior to his role at NetSuite, he served as the CTO for Enterprise Security Products (ESP) at HP where he founded and led HP Security Research. West is the co-author of Secure Programming with Static Analysis, and is a founding member of the IEEE Center for Secure Design. Listen as Gary and Jacob discuss secure design, the critical difference between bugs and flaws, and wearable device security.

• Connect with Jacob West on LinkedIn
• SB Show 78: An Interview with Jacob West
• BSIMM Community
• Software Security Analysis for Wearables with Jacob West
• Secure Programming with Static Analysis
• SB Show 101: Software Security with the Founders of the Center for Secure Design
• Coi

The post Show 119: Jacob West Discusses the IEEE CSD, Bugs, Flaws, And Wearable Devices appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Gary talks to Jack Daniel, a leading technology community activist, about the evolution of the community-driven BSides Con, changes in the security field over the last decade, and his thoughts on where good security people come from. Jack is currently a Strategist for Tenable Network Security, and has over twenty years of experience in network and system administration and security. He also has twenty years of mechanical experience in the automotive domain. Jack co-hosts the Security Weekly podcast and produces the Uncommon Sense Security blog. Listen as Gary and Jack kick things off with the topic of the importance of diverse security communities.

• Connect with Jack Daniel on LinkedIn
• Follow Jack Daniel on Twitter
• Security Weekly
• Uncommon Sense Security
• Security BSides
• Show 3: The Computer Security Plateau with Marcus Ranum
• Show 111: An Interview with Marcus Ranum
• Three Dots and a Dash

The post Show 118: Jack Daniel Discusses Security BSides, Communities, and the Big Picture of Security appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Gary talks to Jamie Butler, a self-proclaimed “coder at heart,” about the importance of an offensive security approach, attack patterns, and his specialization in rootkit development. Jamie is currently the CTO and Chief Scientist at Endgame where he leads research on advanced threats, vulnerabilities, and attack patterns. He has directed vulnerability research teams at a number of prominent companies. Jamie holds a MS in Computer Science and has over 17 years of operating system security experience in the government and private sectors. Listen as Gary and Jamie discuss the attribution problem and his research focusing on how to think like a hacker in an effort to turn their work against them with an offensive security stance.

• Connect With Jamie Butler On LinkedIn
• Follow Jamie Butler On Twitter
• Rootkits: Subverting the Windows Kernel
• Show 96: An Interview With Nate Fick
• Exploiting Software: How To Break Code
• Black Hat Review Board
• Hackers For Charity

The post Show 117: Jamie Butler Discusses Security Research, Thinking Like a Hacker, And Rootkit Development appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Connect with Doug Maughan on LinkedIn
• Tech transfer
• A case study from the lab to the world
• Maughan on tech transfer 
• Cal Ripkin, Jr.

The post Show 116: Doug Maughan Discusses the Current State Of Cyber Security In the U.S. Department Of Homeland Security appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Connect with Peiter “mudge” Zatko on LinkedIn
• Hacker ‘mudge’ gets DARPA job
• A Disaster Foretold—And Ignored
• Technology Transfer
• Silver Bullet Episode 50 (Richard Clarke)
• Frank Zappa – Inca Roads

The post Show 115: Peiter “mudge” Zatko Discusses the L0pht and Government Influence appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Gary talks to the Chief Information Security Officer of Qlik, Peter “Pete” Clay, who holds 20+ years of experience in technology growth and its relationship to security from a risk management perspective.  Pete brings federal, public, private and start-up insight into the global security space. He shares personal lessons he has learned as a consultant and CISO, and gaps he has identified within the ever-changing security industry. Listen as Gary and Pete discuss the evolution of the CISO role, reactive approaches to security and the potential for cyber warfare.

• Connect with Peter Clay on LinkedIn
• Leveraging innovation to boost security
• The New Rules of Cyber Warfare by Peter Clay
• Beyond compliance: Protecting data with automated security playbooks
• A World Lit Only by Fire by William Manchester
• The Last Lion: Winston Spencer Churchill by William Manchester

The post Show 114: Peter Clay Discusses the Evolution of the CISO Role appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Related Links

• Software [in]security and scaling architecture risk analysis
• McGraw on assessing medical devices: Security in a new domain
• Principal-agent problem
• The Checklist Manifesto: How to Get Things Right
• Kishori Amonkar, Jaipur Gharana singer
• Raga Rageshree

The post Show 113: Chandu Ketkar Discusses Software Security Best Practices appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

We thought the “crypto wars” were resolved in the late 1990s. But the introduction of encrypted devices­—specifically the release of iOS 8 and the growing number of available encrypted communication channels through public services such as Facebook and Snapchat—has resurfaced the debate. FBI Director Comey and other law enforcement groups are concerned about what they call “going dark” and are stressing the need for back door access (called extraordinary access). But is this really a good idea? Didn’t we already fight this battle during the first crypto wars? Matthew Green and Steve Bellovin, two authors of the recently released Keys Under Doormats paper, discuss the dangerous ramifications of this request.

• Keys Under Doormats paper
• Show 81: Interview with Steve Bellovin
• Show 90: Interview with Matthew Green
• Thoughts on Encryption and Going Dark: Counterpart
• The rise of the new Crypto War

The post Show 112: “Crypto Wars II” with Steve Bellovin and Matt Green appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Marcus Ranum’s website
• Episode 3: Marcus Ranum
• 6 Dumbest Things in Computer Security’

The post Show 111 – An Interview with Marcus Ranum appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 110th episode of The Silver Bullet Security Podcast, Gary talks with Paul Dorey, founder of CSO Confidential and Visiting Professor at the University of London. Gary and Paul discuss the modern role of the CSO and the ideal background for a CSO, Paul’s biggest win and biggest mistake as a CSO, and the role of building security in as part of a CSO’s strategy. They close out the episode with discussion of Paul’s favorite piece of humorous fiction.

• CSO Confidential
• Prof. Paul Dorey

The post Show 110 – An Interview with Paul Dorey appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 109th episode of The Silver Bullet Security Podcast, Gary is joined by Bart Preneel. Bart is a full professor at the KU Leuven, one of the oldest universities in the world. Gary and Bart discuss the differences in approaches to security between the EU and the US, what the picture of building security in looks like around the world, quantum cryptography, and the implications of the Snowden revelations on cryptography. They close out their chat discussing Bart’s Dixieland band.

• Bart Preneel
• Prof. Dr. Bart Preneel, KU Leuven / iMinds (video)
• Mathematicians Discuss the Snowden Revelations
• Journal of Craptology

The post Show 109 – An Interview with Bart Preneel appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

In the 108th episode of the Silver Bullet Security podcast, Gary talks with Katie Moussouris, Chief Policy Officer of HackerOne. Gary and Katie discuss her first program (a piece of interactive fiction in the Choose Your Own Adventure category written in Basic), bug bounty programs, how financial services and healthcare firms might approach vulnerability management, breaking versus building (and how to teach breakers to think more like builders), and the challenges of being a woman in security and why Katie dislikes being asked about it. They close out their discussion with some talk of various libations.

• Katie Moussouris
• HackerOne
• Choose Your Own Adventure

The post Show 108 – An Interview with Katie Moussouris appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

L. Jean Camp is a Professor at the Indiana University School of Informatics and Computing. Gary and Jean discuss usability and security, whether users’ implicit expectations of security and privacy are enough to move the mobile market, and “old people” and security. They close out their discussion with the most surprising hangover cure and Jean’s favorite album of 2014.

• L. Jean Camp
• L. Jean Camp (Wikipedia)
• L. Jean Camp Google Scholar Citations
• The End of Privacy, Science Magazine
• Bastille: “Pompeii”

The post Show 107 – An Interview with Jean Camp appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Steve Katz is owner and founder of Security Risk Solutions and the “world’s first CISO.” Gary and Steve discuss the history and evolution of the CISO position, the difficulty of measuring risk in a realistic fashion, how to allocate resources between proactive security engineering and standard network security, triage, and incident response, what it means to be an executive, and the FS-ISAC.

• Security Risk Solitions
• Steve Katz as banking executive
• FS-ISAC
• The Patient will see you

The post Show 106 – An Interview with Steve Katz appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 105th episode of the Silver Bullet Security Podcast, Gary talks with the legendary Whitfield Diffie, a pioneer of public-key cryptography. Gary and Whitfield discuss the history of public key cryptography, Diffie’s work on the “proof of correctness of programs,” and if backdoors into crypto systems are a bad idea. They close out by discussing art.

• Whitfield Diffie
• Whitfield Diffie (Wikipedia)
• New Directions in Cryptography (1976) [PDF]

The post The History of Public Key Cryptography with Whitfield Diffie appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 104th episode of the Silver Bullet Security Podcast, Gary chats with Rick Gordon, Managing Partner at MACH37. Gary and Rick discuss Rick’s time in the Navy and what it taught him about security, Rick’s lessons learned from his time as CEO of Tovaris, whether the government outside of DARPA understands security engineering, and the drive behind MACH37 the company… and the name. They close out by discussing if Rick is teaching his children to wrestle.

• Rick on Twitter
• MACH37

The post Show 104 – An Interview with Rick Gordon appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 103rd episode of the Silver Bullet Security Podcast, Gary talks with Brian Krebs, reporter and blogger at Krebs on Security. Gary and Brian discuss how growing up with a computer affected their future careers in security, MUD vs MAD, why “old media” can’t support in-depth security reporting, and why the government continues to be five years behind the security curve. They close out talking about Brian’s experience of writing Spam Nation.

• Krebs on Security
• Brian on Twitter
• Reporting From the Web’s Underbelly, The New York Times
• Silver Bullet Security Podcast 102: Richard Danzig
• Spam Nation

The post Show 103 – An Interview with Brian Krebs appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 102nd episode of the Silver Bullet Security Podcast, Gary chats with Richard Danzig, one time Secretary of the Navy and Board member of the Center for New American Security (among several other things). Gary and Richard discuss Richard’s time at the Department of Defense, what he learned when running the US Navy that can be applied to computer security, Richard’s recommendations from his important new CNAS report, and how the report is designed to have an impact on policy. The close out their chat with a high-brow art discussion.

• Richard on Wikipedia
• Richard @ navy.mil
• Richard @ CNAS
• National Service: What Would It Mean? by Richard Danzig
• Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies by Richard Danzig
• Silver Bullet Security Podcast Show 002: Dan Geer
• Silver Bullet Security Podcast Show 007: John Stewart
• Jacopo Robusti, called Tintoretto. Crucifixion. 1565.

The post Show 102 – An Interview with Richard Danzig appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 101st episode of the Silver Bullet Security Podcast, Gary talks with Jim Del Grosso (Cigital), Yoshi Kohno (University of Washington), and Christoph Kern (Google) in a roundtable devoted to the new IEEE Center for Secure Design. The participants discuss the origin of the Center, why design flaws are more difficult to fix than implementation bugs, design flaws in automobile design, and how the top 10 most common flaws recently published by the Center for Secure Design were compiled.

• Center for Secure Design
• Silver Bullet 93 – An Interview with Yoshi Kohno
• Silver Bullet 99 – An Interview with Michael Hicks
• Silver Bullet 100 – A Roundtable with Cigital’s Principals
• Software [in]security — software flaws in application architecture
• Software [in]security and scaling architecture risk analysis
• Software Security

The post Software Security with the Founders of the Center for Secure Design appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Cigital
• BSIMM
• Cigital on YouTube
• Gary McGraw
• Paco Hope
• Show 056 – An Interview with Sammy Migues
• Show 068 – An Interview with John Steven
• Show 085 – A Discussion with Jim Routh and Scott Matsumoto

The post The State of Software Security with Cigital’s Principals appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 99th episode of the Silver Bullet Security Podcast, Gary talks with Michael Hicks, professor Computer Science at the University of Maryland. In this episode, they discuss the Programming Language Design and Implementation (PLDI) conference, type safety, closure, dynamic languages, why C is problematic, and how Javascript is dangerous. They go on to discuss the role that cryptography plays in security, how ideas from Scrum influence the way Michael runs his research group, CMSC 838G (that is, “Software Security”), and the Build-it, Break-it, Fix-it Programming Contest. They close out their discussion with talk about drums and drumming.

• Michael Hicks
• PLDI 2014
• On-line patching & security
• CMSC 838G
• Build-it, Break-it, Fix-it Programming Contest
• Michael @ Programming Languages Enthusiast
• Ludwig Drums
• Silver Bullet Security Podcast: Greg Morrisett

The post the PLDI and Software Security with Michael Hicks appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Professor Barton P. Miller
• Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed? (James A. Kupsch and Barton P. Miller)
• On Detecting Heartbleed with Static Analysis
• McGraw on Heartbleed shock and awe: What are the real lessons?
• Fuzz Testing
• Paradyn/Dyninst papers
• Dyninst
• Software Fault Injection
• Charlie Miller on Silver Bullet
• BSIMM
• Software Assurance Marketplace (SWAMP)
• Zuse

The post The Hype behind Heartbleed with Bart Miller appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• AaronBedra.com
• Aaron at LinkedIn
• Aaron at Github
• @abedra at Twitter
• Aaron at Google+
• Aaron Bedra – clojure.web/with-security
• Closure in programming languages
• Dynamic languages

The post The Development Side of Software Security with Aaron Bedra appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 96th episode of the Silver Bullet Security Podcast, Gary talks with Nate Fick, CEO of Endgame. Gary and Nate discuss the use of the term “cyber war” from the perspective of an ex-Marine, Nate’s time at the Center for a New American Security, the Estonia DDOS attack, and how Nate has turned around the perception of End Game. They close out their chat with some Leukemia cup smack talking.

• Nathanial Fick @ Endgame
• Nathanial Fick @ CNAS
• One Bullet Away
• Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security in AMERICA’S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES I AND II, Center for a New Amercian Security (June 2011, PDF).
• Nathanial Fick @ Poetry Foundation

The post Show 096 – An Interview with Nate Fick appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 95th episode of the Silver Bullet Security Podcast, Gary talks with Charlie Miller, a computer security researcher with Twitter. They discuss Charlie’s history in finding security flaws in Apple products, hacking cars, and whether we’re past the bug whack-a-mole days. They close out their chat with Charlie’s official car hacking soundtrack.

• @0xcharlie
• Charlie Miller (Wikipedia)
• Adventures in Automotive Networks and Control Units [PDF]
• U.S. Gives Cybersecurity Advice to Critical Infrastructure Operators—But No Rules
• Detecting Car Hacks
• DEF CON 21 – Charlie Miller and Chris Valasek – Adventures in Automotive Networks and Control Units

The post Show 095 – An Interview with Charlie Miller appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 94th episode of the Silver Bullet Security Podcast, Gary chats with Ming Chow, lecturer at Tufts University School of Engineering’s Department of Computer Science. Gary and Ming discuss whether it’s better to start with security people or people that know how to code already when building new software security professionals. They also talk about what developers currently think of software security, what would make developers more likely to take security seriously, how Ming uses games to teach security to his students. They close out their chat with talk of obscure and not-so-obscure music.

• Ming Chow
• Falling Into You
• Ming on Github
• Ming on Twitter
• Exploiting Online Games
• Securing Online Games (jointly authored) [PDF]

The post Show 094 – An Interview with Ming Chow appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 93rd episode of the Silver Bullet Security Podcast, Gary chats with Yoshi Kohno, Associate Professor of Computer Science and Engineering at the University of Washington. Gary and Yoshi discuss how much impact academic security impacts commercial security, car hacking, whether it’s possible to get the media to cover good software security, and helping consumers understand privacy implications of popular products’ security designs. They close out their discussion with a McGraw family secret about The Night Before Christmas.

• Tadayoshi Kohno (Yoshi Kohno) at the University of Washington
• @yoshi_kohno
• Profile: Tadayoshi Kohno, NOVA scienceNOW
• Here’s the scariest part about the Internet of Things, Washington Post
• DeadDrop/Strongbox Security Assessment [pdf]
• Java Card Security: How Smart Cards and Java Mix, from Securing Java

The post Show 093 – An Interview with Yoshi Kohno appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 92nd episode of the Silver Bullet Security Podcast, Gary chats with Jon Callas, Chief Technology Officer at Silent Circle and all around crypto freedom fighter. Gary and Jon talk about the early days of computing, insanely early computer security, nascent crypto, PGP, Lavabit, Snowden, and what Silent Circle is doing to make secure comms actually work (rock on). Is that YOUR computer? They also chat briefly about software security and reality. Jon and Gary close out their discussion with some book talk.

• ARPANET
• Applied Cryptography by Bruce Schneier
• Lavabit
• Silent Circle
• BSIMM-V
• Dandelion Wine

The post The Early Days of Computing with Jon Callas appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 91st episode of the Silver Bullet Security Podcast, Gary talks with Caroline Wong, Cigital’s Director of Security Initiatives. Gary and Caroline discuss the newly-released BSIMM-V, the concept of “SSI (Software Security Initative) in a box,” the most successful metrics that Caroline has used throughout her career at eBay and other high-profile firms, and how to increase the number of women in computer science. They close out their discussion with talk of adult libations.

• Security Metrics: A Beginner’s Guide
• Executive Women’s Forum
• Cyber Security School Challenge
• BSIMM-V

The post A Breakdown of the BSIMM-V with Caroline Wong appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 90th episode of the Silver Bullet Security Podcast, Gary talks with Matthew Green, Assistant Research Professor at the Johns Hopkins Information Security Institute. Gary and Matt discuss the difference between theoretical cryptography and applied cryptography, the “On the NSA” blog post takedown scare, and the allegedly ‘backdoored’ Dual_EC_DRBG RSA/EMC random number generator. Gary ends by asking Matthew the same question he asked Avi Rubin back on the first episode.

• Matthew D. Green
• A Few Thoughts on Cryptographic Engineering (Matthew’s blog)
• On the NSA
• RSA warns developers not to use RSA products
• Software [in]security — software flaws in application architecture (September 10, 2013)
• Silver Bullet 001: Avi Rubin

The post Cryptography compared with Matthew Green appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 89th episode of the Silver Bullet Security Podcast, Gary chats with Mike Reiter, Lawrence M. Slifkin Distinguished Professor in the Department of Computer Science at the University of North Carolina at Chapel Hill. Gary and Mike discuss the differences and similarities between academic research and corporate research, the challenges of teaching computer security, and how to attract more women to the field of software security. They close out their discussion with some talk about mixed martial arts.

• Mike Reiter
• McGraw on technology transfer Technology Transfer: A Software Security Marketplace Case Study (IEEE Software, September/October 2011)
• McGraw on lessons learned when a startup eats your life Startup Lessons (October 22, 2009)
• UNC Computer Science
• The FindBugs static analysis tool
• Women in Technology
• Mike’s Ph.D. Students
• TC Boyle’s fiction
• Attiya and Welch on Distributed Systems

The post Academic vs. Corporate research with Michael Reiter appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 88th episode of the Silver Bullet Security Podcast, Gary talks with Christian Collberg, Ph.D., Associate Professor of Computer Science at the University of Arizona. Gary and Christian discuss what drew Christian to teaching Computer Security in the United States after living in several other countries, Christian’s book Surreptitious Software, Christian’s opinions on products that purport to offer software protection on mobile devices, and whether software security students should be taught to think like an attacker. They close out their talk with discussion of travel on planet Earth.

• Christian Collberg
• Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection
• AWL Software Security Security Series (edited by Gary McGraw)
• China Forces down US Spy Plane (2001)
• Exploiting Software (thinking like an attacker)
• The Undecidables

The post Teaching Security Globally with Christian Collberg appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 87th episode of the Silver Bullet Security Podcast, Gary chats with James Walden, Ph.D., Associate Professor of Computer Science at Northern Kentucky University. Gary and James discuss the progress being made in the field of software security, why there are plenty of top N lists for bugs but none for flaws, the difficulties of teaching how to fix code, the current generation’s outlook on privacy, and security metrics and measurement.

• James Walden, Ph.D.
• Software Security
• BSIMM
• Daft Punk
• The National
• Cat Power
• Dream Theater

The post Progression of Software Security with James Walden appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 86th episode of the Silver Bullet Security Podcast, Gary chats with Wenyuan Xu, Associate Professor in the Department of Computer Science and Engineering at the University of South Carolina. Gary and Wenyuan discuss the differences between American and Chinese technical culture, Wenyuan’s work on automatic meter reading systems, whether electrical engineering is more advanced in terms of design than computer science, and why there are so few women in engineering and computer science. They close out the episode with a discussion of tailgating.

• Wenyuan Xu
• Car tires contain technology making you vulnerable
• Security and Privacy Vulnerabilities of In-Car Wireless Networks
• Another Reason for “Smart” Electric Meters
• Pacemakers Could Be Hacked, Researchers Claim, But Not Easily
• Barbie I Can Be Computer Engineer Barbie Doll

The post Technical Culture across the Pacific with Wenyuan Xu appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Trusted Computing and Computational Liberty
• John Steven on Mobile Security
• Securing Java (dancing pigs and native code risk)
• Exploiting Online Games
• Trusted on Busted

The post Show 085 – A Discussion with Jim Routh and Scott Matsumoto appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 84th episode of the Silver Bullet Security Podcast, Gary chats with W. Hord Tipton, Executive Director of (ISC)². Gary and Hord discuss how one gets into science and engineering when growing up in rural Tennessee, what insight being nuclear and chemical engineer gives Hord about modern control systems, whether or not certification can help advance software security, and the benefits of teaching software security to kids.

• (ISC)²
• (ISC)2 management team
• The World Is Flat 3.0: A Brief History of the Twenty-first Century by Thomas L. Friedman

The post Learning Science in the Country with Hord Tipton appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 83rd episode of the Silver Bullet Security Podcast, Gary talks with Mark Graff, CISO at NASDAQ OMX. Gary and Mark discuss what exactly a CISO does all day, how corporate security posture at NASDAQ compares to the security posture at Lawrence Livermore National Laboratory, Enrico Fermi and the piano tuners (the “Fermi problem”) and how it relates to estimation, and the most surprising cultural difference between the left and right coasts. They close out their conversation with talk about Mark’s favorite poem from the mid-19th century (and yet it still has a software security connection!).

• NASDAQ OMX
• Lawrence Livermore National Laboratory
• Congressional testimopny (video)
• Secure Coding: Principles and Practices
• BSIMM
• Video from LLNL
• Fermi problem
• Cyber War and Active Defense
• Dover Beach (poem)

The post Show 083 – An Interview with Mark Graff appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 82nd episode of the Silver Bullet Security Podcast, Gary talks with Kevin Fu, Associate Professor in the EECS Department at the University of Michigan. Gary and Kevin discuss finding advisors and picking a grad school, the security implications of embedded medical devices, malware in hospital systems, the consumer trend toward analyzing one’s own health data, and the difficulty of teaching design analysis to other humans. They close out the episode discussing lobster bisque.

• Kevin Fu and Grant Schoenebeck Join the Faculty of CSE @ Michigan
• Medical Device Security Center blog
• Health-care sector vulnerable to hackers, researchers say, Washington Post.
• FDA Software Patch Poster
• Hugo Campos fights to get his defibrillator data

The post Show 082 – An Interview with Kevin Fu appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 81st episode of the Silver Bullet Security Podcast, Gary talks with Steve Bellovin, Professor of Computer Science at Columbia University, currently on leave and acting as CTO of the Federal Trade Commission. Gary and Steve discuss how often academic research finds its way into the real world versus research that’s done in a commercial lab, how code has gotten better overall but how the threat model has changed, whether mobile security is just a repackaging of the same security problem we’ve been dealing with for years, the state of computer security in the government, the very first days of Usenet and the famed Evil Bit.

• Steven M. Bellovin
• Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin
• Encrypted Key Exchange
• Technology Transfer: A Software Security Marketplace Case Study (IEEE Software, September/October 2011) [PDF]
• TSA Pre
• Twitter and the FTC
• Usenet
• nn
• The Evil Bit RFC
• Permissive Action Link
• Steve drives a train

The post Show 081 – An Interview with Steve Bellovin appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 80th episode of the Silver Bullet Security Podcast, Gary talks with Thomas Rid, Reader in War Studies at King’s College London and a non-resident fellow at the Center for Transatlantic Relations in the School for Advanced International Studies, Johns Hopkins University, in Washington, DC. In this episode, Gary and Thomas discuss how Thomas’ life as a “wandering academic” influences his work at the War Studies Department, the inevitably (or otherwise) of cyber-war, attribution, and military dictionaries and the problem of jargon. They close out their chat talking about the Barbican cultural center.

• Thomas Rid
• Cyber War Will Not Take Place
• Proactive defense prudent alternative to cyberwarfare, SearchSecurity.com.
• Barbican

The post Show 080 – An Interview with Thomas Rid appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 79th episode of the Silver Bullet Security Podcast, Gary talks with Per-Olof Persson (a.k.a. Peo), head of Global Software Security Operations at Sony Mobile and Board member of Sony Corporation. Gary and Per-Olof discuss the importance of working different positions within the same company, Sony Mobile’s software security initiative, the political concerns of software security, and the cultural challenges of working with international teams. They close out the show with a discussion of American Presidential politics.

• Sony Mobile
• BSIMM4

The post Show 079 – Software Security Initiative at Sony with Per-Olof Persson appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 78th episode of the Silver Bullet Security Podcast, Gary talks with Jacob West, Director, Software Security Research for the Enterprise Security Products division of Hewlett-Packard and newly minted CTO. Gary and Jacob discuss HP’s acquisition of Fortify, the technical trade-offs that have to be made to allow a tool become widely adopted, BSIMM4, and mobile security. They close out their discussion covering the impossibility of growing good tomatoes in San Francisco.

• BSIMM4
• Fortify acquired by HP
• MOPS
• On using data to drive a scientific model – Cargo Cult Computer Security (January 28, 2010)
• BSIMM Community
• Secure Programming with Static Analysis
• Dancing Pigs and Security
• Jacob and gem’s foodie adventures

The post Show 078 – An Interview with Jacob West appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 77th episode of the Silver Bullet Security Podcast, Gary talks with Gary Warzala, CISO of Visa International. The Garys discuss what a CISO’s day-to-day job looks like, how companies can attract and retain good security employees, whether consumers need to understand the difference between software security and security software, and how one can measure security and discuss the results with upper management.

• Congress should encourage bug fixes, reward secure systems
• Verizon 2012 Data Breach Investigations Report [PDF]
• The Debt Bomb

The post Show 077 – An Interview with Gary Warzala appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 76th episode of the Silver Bullet Security Podcast, Gary chats with David Evans, Associate Professor of Computer Science at the University of Virginia. Gary and Dave discuss the founding of the Interdisciplinary Major in Computer Science (BA) at UVa and why a broad approach to Computer Science and Computer Security is a good idea, why data privacy gets short shrift in the United States, why people think (for no apparent reason) that their mobile devices are secure, groceries, David’s research on Secure Computation, and the Udacity project. They close out their discussion with a story about David’s trip to the World Cup in Korea and a choice between GEB and scheme.

• David Evans
• Jefferson’s Wheel, David’s blog
• Interdisciplinary Major in Computer Science
• Udacity
• Research Without Walls
• GEB
• Scheme
• World Cup Korea

The post Show 076 – An Interview with David Evans appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the landmark 75th episode of Silver Bullet, Gary talks with Howard Schmidt, former Cybersecurity Coordinator for the Obama administration. In this episode, Gary and Howard discuss the differences between doing security work in the public and private sectors, the difficulties of establishing cybersecurity in the government (especially when it comes to software security), the government’s involvement in cyberespionage, and how the actions of Anonymous and Wikileaks square with the notion of free speech. They close the episode out with talk about Harleys.

This special edition of Silver Bullet was also captured on video. View the video below (for those on feed readers, go to this episode’s page for the video):

• Howard Schmidt (Wikipedia)
• U.S. cybersecurity chief Howard Schmidt retiring
• White House cyber security coordinator Howard Schmidt joins Qualys

The post Show 075 – An Interview with Howard Schmidt appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 74th episode of The Silver Bullet Security Podcast, Gary talks for a second time with Bruce Schneier. They revisit Bruce’s prediction in episode 9 that insight into economics and security would help vendors sell their products more efficiently. In addition, they discuss Bruce’s new book Liars and Outliers: Enabling the Trust that Society Needs to Thrive, how far behind the government is in terms of security, cloud computing, and Uncle Milton’s ant farm.

• Bruce Schneier
• Applied Cryptography
• Liars and Outliers
• Silver Bullet Security Podcast, show 009 (December 2006) – Gary’s first chat with Bruce Schneier
• US cyber czar Howard Schmidt resigns
• Workshop on Economics and Information Security
• Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security in AMERICA’S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES I AND II, Center for a New Amercian Security (June 2011).
• Prisoner’s Dilemma (Axelrod)
• Uncle Milton’s Ant Farm
• The Ugly Sweater Store
• Vintage Spirits and Forgotten Cocktails: From the Alamagoozlum to the Zombie 100 Rediscovered Recipes and the Stories Behind Them – Mixology

The post Show 074 – An Interview with Bruce Schneier appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 73rd episode of The Silver Bullet Security Podcast, Gary talks with Robert Vamosi, senior analyst with Mocana, freelance security reporter, and author of When Gadgets Betray Us. Gary and Robert discuss whether we’re doomed to idiocy as a species thanks to gadget dependency, why designers ignore security and privacy issues in gadget design. Finally, Gary and Robert discuss Robert’s use of the word “betray.”

• When Gadgets Betray Us
• Gary on Stuxnet
• With Or Without You

The post Show 073 – An Interview with Robert Vamosi appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 72nd episode of The Silver Bullet Security Podcast, Gary talks with Randy Sabett, a lawyer with the ZwillGen cyber-law firm in Washington, DC. Gary and Randy discuss Microsoft’s Zeus Botnet raid, alleged AT&T/NSA wiretapping, whether cyberlaw is full of loopholes, and if security always trades off against privacy and anonymity. They close out their discussion discussing the book Randy is currently reading.

• Microsoft and Financial Services Industry Leaders Target Cybercriminal Operations from Zeus Botnets, The Official Microsoft Blog.
• Microsoft Raids Tackle Internet Crime, The New York Times.
• Court Upholds 5th Amendment-based Refusal to Decrypt Hard Drive
• Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security in AMERICA’S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES I AND II, Center for a New Amercian Security (June 2011).
• The Cuckoo’s Egg by Clifford Stoll
• Is time running out on the billable hour?
• The Singularity is Near by Ray Kurzweil

The post Show 072 – An Interview with Randy Sabett appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 71st episode of The Silver Bullet Security Podcast, Gary talks with Bill Arbaugh, Associate Professor of Computer Science at University of Maryland. Gary and Bill discuss how malware has evolved and changed over the last decade and how it’s affected software security practices, BIOS-based attacks, academia vs. startup, and why the NSA doesn’t play defense when it comes to cybersecurity.

• Bill Arbaugh @ UMD
• Microsoft Acquires Komoku
• Silver Bullet: Ross Anderson, show 13, show 70
• International Capture the Flag
• Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security in AMERICA’S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES I AND II, Center for a New Amercian Security (June 2011).

The post Show 071 – An Interview with Bill Arbaugh appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

The 70th episode of The Silver Bullet Security Podcast is our first repeat performance. Gary chats a second time with Ross Anderson, Professor of Security Engineering at the Computer Laboratory at Cambridge University and author of the book Security Engineering. Ross was a guest on episode 13 of The Silver Bullet Security Podcast and is our first return guest. Gary and Ross discuss the latest developments in Trusted Computing, the iterated “Prisoner’s Dilemma” as an economic model and its relevance to computer security, information compartmentalization and Wikileaks, time and security, cyberwar versus cybercrime, and Stuxnet.

• Silver Bullet Show 013: Ross Anderson
• Transcript of episode 13 [PDF]
• Ross Anderson
• Trusted Computing FAQ
• Security Engineering – Ross’ groundbreaking book in print and online
• Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security in AMERICA’S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES I AND II, Center for a New Amercian Security (June 2011).

The post Show 070 – An Interview with Ross Anderson appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 69th episode of The Silver Bullet Security Podcast, Gary talks with Steve Myers, Assistant Professor of Informatics and Computing in the School of Informatics at Indiana University and a member of the Center for Applied Cybersecurity. During this show, Gary and Steve discuss the gap between “real world” computer security and “academic” computer security, the problem of cryptography, whether it’s OK to use “the NASCAR effect” to draw students into security, and spear phishing.

• Steve Myers
• Center for Applied Cybersecurity
• The SEED Project (Developing Instructional Laboratories for Computer SEcurity EDucation)
• Why Mobile to Mobile Malware Won’t Cause a Storm [PDF], paper for USENIX ’11, with Nathaniel Husted
• Patrick Traynor
• Silver Bullet Show 020:­ An Interview with Markus Jakobsson
• Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, edited by Steve Myers and Markus Jakobsson
• “Spear phishing”
• Spirit of the West

The post Show 069 – An Interview with Steve Myers appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• John Steven Articles
• OWASP NoVA
• Software [In]security: Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal), InformIT.
• BSIMM
• “The Liberal”
• “The Old Fashioned”
• Silver Bullet: Elinor Mills

The post Show 068 – An Interview with John Steven appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 67th episode of The Silver Bullet Security Podcast, Gary talks with Bill Pugh, professor at the University of Maryland College Park. Gary and Bill discuss the Marmoset and FindBugs projects, how to teach kids to code and whether coding is an innate ability or is something that can be taught. They also geek out regarding Bill’s favorite programming languages for coding and teaching about coding. They also discuss the relationship between coding and fire eating.

• Bill Pugh
• Marmoset
• Dilbert minivan strip
• Find Bugs
• David Hovemeyer
• Cliff Click
• UMD: Fall 2011 CMSC 433 – Programming Language Technologies and Paradigms

The post Show 067 – An Interview with Bill Pugh appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 66th episode of The Silver Bullet Security Podcast, Gary chats with Shari Lawrence Pfleeger, Director of Research for the Institute for Information Infrastructure Protection at Dartmouth College. Gary and Shari discuss the difference between safety-critical software and security-critical software, why measuring software is hard (security notwithstanding), how to speed up tech transfer, and why there are so few women in computer science.

• Software Engineering: Theory and Practice, 4th edition
• Many media types live in the land of Twitter, but most regular people don’t by Monica Hesse in the Washington Post
• My Blackberry’s Not Working!, The One Ronnie
• The Hours by Michael Cunningham

The post Show 066 – An Interview with Shari Lawrence Pfleeger appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 65th episode of The Silver Bullet Security Podcast, Gary is joined by Giovanni Vigna, professor of Computer Science at UC Santa Barbara. They discuss DEFCON’s classic Capture the Flag contest as well as UCSB’s international version. They ponder how the notion of “build security in” might be integrated into a CTF-type contest. Gary and Giovanni also talk about Giovanni’s favorite course to teach, the challenge of communicating security issues with non-technical people, and the role of blackbox testing in security. They close out the show discussing how to teach a toddler to pick locks.

• Giovanni at UCSB
• Internatonal Capture the Flag
• Building Versus Breaking: A White Hat goes to Blackhat

The post Show 065 – An Interview with Giovanni Vigna appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 64th episode of The Silver Bullet Security Podcast, Gary chats with Markus Schumacher, co-founder and CEO of Virtual Forge. Gary and Markus discuss the difference between working for a large corporate and a startup, why Virtual Forge built a code scanning tool for SAP’s ABAP code, whether security people understand the notion of security patterns, and Markus’ favorite beverage in Heidelberg.

• Virtual Forge
• Security Patterns, the site
• Security Patterns, the book
• Technology Transfer: A Software Security Marketplace Case Study, (IEEE Software, September/October 2011)
• Print Media Lounge
• Recipe for a Liberal (the drink)

The post Show 064 – An Interview with Markus Schumacher appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Dr. Craig Miller
• MAPA Group
• SAIC
• Smart grid
• NRECA
• NERC
• Continuous improvement
• On the Waterfront

The post Show 063 – An Interview with Craig Miller appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 62nd episode of The Silver Bullet Security Podcast, Gary chats with Halvar Flake (a.k.a. Thomas Dullien), founder of reverse engineering consultancy, Zynamics, which was recently purchased by Google. Gary and Halvar discuss the acquisition, Zynamics’ product BinDiff, whether the “bad guys” are using code understanding tools (including decompilers) better than developers, static versus dynamic analysis, international politics meets computer security, and the growing complexity of malware. They close out with a discussion of music.

• ADD / XOR / ROL – Halvar’s blog
• @halvarflake
• Cyber Warmongering and Influence Peddling (November 24, 2010)
• Google’s purchase of Zynamics
• BinDiff
• Silver Bullet #41: Fred Schneider
• Silver Bullet #46: David Rice

The post Show 062 – An Interview with Halvar Flake appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 61st episode of The Silver Bullet Security Podcast, Gary talks with Carl Landwehr, Director of Trustworthy Computing at the National Science Foundation and a Senior Research Scientist at the Institute for Systems Research within the University of Maryland. Gary and Carl discuss the most important changes in information security that have developed over the course of Carl’s career, the academic perspective of the state of commercial computer security, how to balance security and privacy, and the reason behind the leaking of government documents to Wikileaks. They close out the episode discussing books.

• National Science Foundation
• Silver Bullet #46: David Rice

The post Show 061 – An Interview with Carl Landwehr appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 5th anniversary, 60th episode of The Silver Bullet Security Podcast, Gary talks with Neil Daswani, CTO and co-founder of Dasient. Gary and Neil discuss Neil’s previous work at Google and how the “start-up like” atmosphere at Google compares with an actual start-up. They also discuss bad ads (aka malvertising), Clickbot.A, the software security related emphasis on testing at Google, and sushi in San Jose.

• Neil Daswani
• Dasient Q4 2010 Malware Update
• Certifiable, McGraw on Software Security Certification for darkreading (May 9, 2007)
• The Anatomy of Clickbot.A [PDF]
• Stanford Advanced Security Certification Program
• Tomo Sushi

The post Show 060 – An Interview with Neil Daswani appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the bonus-length 59th episode of The Silver Bullet Security Podcast, Gary chats with Ralph Langner, Founder and CEO of Langner Communications. Langer Communications is a German company specializing in control systems security. Ralph was the first to determine that Stuxnet is a directed cybersecurity attack against the kinds of Siemens control systems used to control nuclear centrifuges in Iran. Gary and Ralph discuss what’s involved in introducing the concept of cybersecurity to control systems engineers, how anti-virus vendors originally responded to the Stuxnet, as well as plenty of detailed technical info about the worm with an emphasis on its payload.

• Langner Communications
• Stuxnet
• Software [In]security: How to p0wn a Control System with Stuxnet
• Software [In]security: Cyber Warmongering and Influence Peddling
• Israeli Test on Worm Called Crucial in Iran Nuclear Delay (New York Times)

The post Show 059 – An Interview with Ralph Langner appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 58th episode of The Silver Bullet Security Podcast, Gary talks with John Savage, professor of Computer Science at Brown University and Jefferson Science Fellow for the State Department. Gary and John discuss whether Wikileaks is a terrorist organization, if the use of a cyber-weapon like Stuxnet can be a morally justified act, and the implications of computational nanotechnology on cybersecurity.

• John Savage at Brown University
• Jefferson Science Fellow: Dr. John Savage
• International Telecommunication Union
• Silver Bullet #49: Ivan Arce
• The Girl with the Dragon Tattoo
• Homomorphic Encryption

The post Show 058 – An Interview with John Savage appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 57th Silver Bullet Security Podcast, Gary talks with Elinor Mills, senior writer at CNET’s news.com. At CNET, Elinor covers Internet technology and security. Gary and Elinor discuss how writing about technology for news organizations has changed over the last 20 years, how technology adoption in Portugal differs from the States, WikiLeaks and the First Amendment, avoiding FUD when covering a breaking news story about security, and Burning Man. They close the episode with a brief discussion of Elinor’s favorite books.

• Elinor at CNET
• Insecurity Complex – Elinor’s blog
• Elinor on Twitter
• Drama in the Desert: Sights and Sounds of Burning Man / Raised Barn Press
• Demilitarizing cybersecurity (Q&A)
• How to p0wn a Control System with Stuxnet
• Intellus
• Reputation Defender
• Eating Animals
• The Corrections

The post Show 057 – An Interview with Elinor Mills appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 56th Silver Bullet Security Podcast, Gary sits down with Sammy Migues, Principal and Director of Knowledge Management at Cigital. Gary and Sammy discuss how Sammy’s southern upbringing affects his approach to security, his experience speaking to the National Rural Electric Cooperative Association, the advantages of defensive programming versus “the bug parade” and the BSIMM. They close the show out discussing bourbon. As a bonus, Sammy may be the first person to ever use the phrase “flips my bogometer” on a podcast.

• BSIMM
• Trusted Computer System Evaluation Criteria – aka “The Orange Book”

The post Show 056 – An Interview with Sammy Migues appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 55th Silver Bullet Security Podcast, Gary chats with Deborah Frincke, Chief Scientist, Cybersecurity at Pacific Northwest National Laboratory. Gary and Deb discuss the differences between being a professor and a researcher, whether a professional certification is better than an academic degree, and how a woman’s reasons for getting into the computer security field may differ from a man’s. They close out the episode by talking flowers.

• Deborah Frincke on Twitter
• Software [In]security: Technology Transfer, informIT
• Pacific Northwest National Labs
• University of Idaho Computer Science
• University of Idaho Center for Secure & Dependable Systems
• NSA National Centers of Academic Excellence
• Orchidaceae

The post Show 055 – An Interview with Deborah Frincke appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 54th Silver Bullet Security Podcast, Gary talks with Dr. Marc Donner, engineering director for Google Health and Google Finance. Gary and Marc discuss science-fiction books from the last decade, why Americans like to talk about cyberwarfare, and security issues and privacy concerns as related to Google Health initiatives. They finish up their discussion by talking about the Syrup Wars.

• Marc Donner
• hacks from the bleeding edge (Marc’s blog)
• Iron Sunrise, Singularity Sky

The post The Decades Science Fiction with Marc Donner appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 53rd episode of The Silver Bullet Security Podcast, Gary interviews Richard Bejtlich, Director of Incident Response for General Electric and Principal Technologist for GE’s Global Infrastructure Services division. They discuss whether it’s better to look for known problems or anomalies when performing network security monitoring, how to explain security incidents to “business guys,” the notion of “building visibility in,” and the difference between working as an independent consultant in a very small shop and working in a large corporation.

• TaoSecurity blog
• Silver Bullet #19: Mikko Hyppönen
• Silver Bullet #41: Fred Schneider

The post Network Security Best Practices with Richard Bejtlich appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 52nd episode of The Silver Bullet Security Podcast, Gary chats with Paul Kocher, President and Chief Scientist of Cryptography Research. Gary and Paul discuss the first system that Paul ever broke, whether engineers and architects need to think like the “bad guys” or not, the decision to put content protection on Blu-Ray discs rather than the player, and whether P=NP.

• Cryptography Research (Paul @ Cryptography Research)
• How Crypto Won the DVD War
• Macrovision to Acquire Blu-ray Disc Security Technology from Cryptography Research, Inc. (press release)
• P versus NP problem

The post A Breakdown of Security Analysis with Paul Kocher appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 51st episode of The Silver Bullet Security Podcast, Gary talks with former co-worker Dr. Anup Ghosh. Anup has authored three books on e-commerce security and over 40 peer-reviewed articles and is founder and chief scientist of Invincea. Gary and Anup discuss the difference between working in a startup and in government research, why antivirus doesn’t work against the ZeuS botnet and what businesses should do to protect themselves, and the relevance of the desktop in the future of computing. They close out with a discussion about Anup’s favorite newspapers and recent books.

• Invincea
• Anup’s books on Amazon
• Advanced Technology Program
• Why Patching Isn’t Enough

The post Startup versus Government Research with Anup Ghosh appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

This special edition of Silver Bullet was also captured on video. View the video below (for those on feed readers, go to this episode’s page for the video):

• 9/11 Commission Report
• What if the smart grid has stupid security?
• Select TV appearances: The Daily Show (2008) / The Colbert Report (2007) / The Colbert Report (2005) / 60 Minutes (2004)

The post Lacking Defense in Cyber War with Richard Clarke appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 49th episode of The Silver Bullet Security Podcast, Gary talks with Ivan Arce, co-founder and CTO of Core Security Technologies. Gary and Ivan discuss whether teaching builders to think like attackers is worthwhile, how living in Argentina both helps and hinders a career in computer security, the current state of embedded systems attacks, and Ivan’s ongoing disagreement with Microsoft about Virtual PC vulnerabilities. They close things out with a discussion of science fiction books and whether scotch trumps bourbon.

• Core Security Technologies
• Security vulnerability in Microsoft’s Virtual PC
• Assume Nothing: Is Microsoft Forgetting a Crucial Security Lesson?
• SiSU manifest of document filetypes and metadata

The post Imitating the Attackers Prespective with Ivan Arce appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 48th episode of The Silver Bullet Security Podcast, Gary interviews Andrew Jaquith, senior analyst at Forrester. Gary and Andy discuss how security has become overrun by compliance in the biggest change to corporate security in 15 years, the battle between social networking technology use in the workplace (think Twitter, Facebook, AIM…) and security, security metrics (or lack of such), and Andy’s latest musical find.

• Andy on Twitter
• Data Security Predictions For 2010 (December 02, 2009)
• Know Your Code: How Static Analysis Tools Make Applications More Secure (November 20, 2009)
• BSIMM
• @stake
• Security Metrics: Replacing Fear, Uncertainty, and Doubt
• S/MIME
• Silver Bullet #26: Adam Shostack

The post Changes in Security Compliance with Andrew Jaquith appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 47th episode of The Silver Bullet Security Podcast, Gary calls in from Leuven, Belgium to chat with childhood friend and security expert Greg Morrisett. Greg is the Allen B. Cutting Professor of Computer Science and Associate Dean for Computer Science and Engineering in the School of Engineering and Applied Sciences at Harvard University. Gary and Greg discuss the relationship between security and programming languages, why the choice of a good programming language (and/or VM) is more important than code review, sensor networks and security, information control, and Gary and Greg’s most embarrassing moment from adolescence.

• Greg Morrisett
• The Center for Research on Computation and Society
• Ynot
• RoboBees
• GoNative

The post Security’s need for Languages with Greg Morrisett appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the bonus-length 46th episode of The Silver Bullet Security Podcast, Gary talks with David Rice, Executive Director of the Monterey Group and author of Geekonomics: The Real Cost of Insecure Software. Gary and David discuss David’s involvement with Infowar at the Naval Postgraduate School and how it impacted his thinking about software, the recent Chinese cyberattack on Google, what incentives exist to create and apply software security best practices, how users may be mistaking marketing for security, and the SANS WhatWorks in Application Security Summit. They close out by discussing unusual yoga positions.

• Silver Bullet #41 – Fred Schneider
• Silver Bullet #11 – Dorothy Denning
• Software Security Comes of Age (InformIT) – on the growth of the software security space
• Google Defends Against Large Scale Chinese Cyber Attack
• BSIMM

The post A Look Inside Infowar with David Rice appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 45th episode of The Silver Bullet Security Podcast, Gary chats with Lorrie Cranor, Associate Professor of Computer Science and Engineering and Public Policy at Carnegie Melon University. Gary and Lorrie discuss how everyday people think about privacy and what we can do to get them to care about it, the relationship between trust and privacy, and why the US is lagging behind the EU on privacy-related issues. They close out the discussion by talking about women in computing.

• Lorrie Cranor
• Security and Usability: Designing Secure Systems That People Can Use
• Web Privacy with P3P
• CyLab Usable Privacy and Security Laboratory (CUPS)
• A “Nutrition Label” for Privacy
• Google search privacy video

The post The Common Disregard for Privacy with Lorrie Cranor appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 44th episode of The Silver Bullet Security Podcast, Gary talks with Steve Kent, Chief Scientist – Information Security, for BBN Technologies, a division of Raytheon. Gary and Steve discuss the history of network security, secure transport and base Internet protocols, the role of politics in the adoption of security on the Internet, applied cryptography, and whether security and individual liberty co-exist. They finish by discussing extremely high end wine.

• Internet’s Biggest Security Hole
• Securing the Border Gateway Protocol (PPT)

The post The History of Network Security with Steve Kent appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 43rd episode of The Silver Bullet Security Podcast, Gary chats with Christofer Hoff, Director of Cloud and Virtualization Solutions at Cisco. Hoff is well known for his colorful blog posts and presentations on cloud security and other complex security issues. Suffice it to say, the cloud was a big topic for this issue. And rum.

• Rational Survivability
• The Frogs Who Desired a King: A Virtualization & Cloud Computing Fable
• Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure
• Mount Gay Extra Old Rum (Gary’s favorite)
• Ron Zacapa Centenario Rum (Hoff’s favorite)

The post The Hype behind Cloud Security with Chris Hoff appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 42nd episode of The Silver Bullet Security Podcast, Gary chats with Gillian Hayes, Assistant Professor in Informatics at the Bren School of Information and Computer Sciences at UC Irvine. Gary and Gillian discuss how much people really need to know about security going on behind the scenes, how usability affects the health records security, whether or not surveillance changes how 20-somethings act in public (including on the net), and how having more women technologists positively impacts the humanization of technology.

• Transcript of this episode [PDF]
• Gillian Hayes
• Ben Shneiderman
• National Center for Women and Information Technology
• The Discovery of Heaven

The post Informatics and Health Security with Gilian Hayes appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 41st episode of The Silver Bullet Security Podcast, Gary talks with Fred Schneider, Samuel B. Eckert Professor of Computer Science at Cornell University and author of Trust in Cyberspace. On the show, Gary and Fred discuss the relationship between security and reliability, diversity as a security mechanism, and the continuum of attack categories from configuration problems, to bugs, to flaws, to trust issues. Fred briefly discusses Pointillism at the end of the show.

• Transcript of this episode [PDF]
• Fred B. Schneider
• IEEE Security and Privacy 7, 1 (January/February 2009) [PDF], 14–17. With Ken Birman.
• Trust in Cyberspace
• Pointillism (Seurat)

The post Security vs. Reliability with Fred Schneider appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

For the 40th episode of The Silver Bullet Security Podcast, Gary interviews Bob Blakley, VP and research director of The Burton Group’s Identity and Privacy Strategies. Gary and Bob discuss the importance of liberal arts degrees, the (over) complications of CORBA security, whether computer security requires a complete shift in approach, cybersecurity and governments, and the movie Perils in Nude Modeling (really).

• Transcript of this episode [PDF]
• Ceci n’est pas un Bob – Bob’s blog
• CORBA Security: An Introduction to Safe Computing with Objects
• NDSS’98 Trust Management Panel: LE NOZZE DI NOMEN [PDF] – The NDSS “wedding script”
• Moving U.S. Cybersecurity Beyond Cyberplatitudes
• Perils in Nude Modeling

The post Comparing Security Models with Bob Blakley appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

For the 39th episode of The Silver Bullet Security Podcast, Gary chats with Matt Blaze, Associate Professor of Computer and Information Science at the University of Pennsylvania. Gary and Matt start the show off discussing the Obama administration’s “cyber coordinator” plan and the large number of cyber plans that are never cyber realized. They also discuss key escrow, warrantless wiretapping, the responsibility we have to stay engaged with issues surrounding individual liberty and privacy, and the similarities between physical locks and computer security. Matt’s musical tastes are also briefly touched on.

• Matt Blaze
• Matt Blaze – Wikipedia
• Matt Blaze’s Exhaustive Search – Matt’s blog
• Safecracking, Secrecy and Science
• Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks – IEEE Security & Privacy, March/April 2003
• RSA panel on Surveillance
• Silver Bullet 11: Dorothy Denning
• Trust Management
• Signaling Vulnerabilities in Wiretapping Systems – IEEE Security & Privacy, November/December 2005, by M. Sherr, E. Cronin, S. Clark and M. Blaze.
• Eno/Byrne: Everything That Happens Will Happen Today

The post “Cyber Coordinator” defined with Matt Blaze appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

For the 38th episode of The Silver Bullet Security Podcast, Gary talks privacy with Kay Connelly, Associate Professor of Computer Science at Indiana University and Senior Associate Director of IU’s Center for Applied Cybersecurity Research. Gary and Kay discuss why in situ usability study is important, the E.T.H.O.S. living lab (including the “presence clock” and the portal monitor), and Kay’s advice to women interested in pursuing a career in computer science.

• Kay Connelly
• E.T.H.O.S. – Ethical Technology in the Homes of Seniors
• Crafting a Smarter, Gentler Cell Phone – NPR story featuring Kay Connelly
• Silver Bullet #7: John Stewart
• Silver Bullet #15: Annie Antón
• HIPAA
• The Song Is You: A Novel by Arthur Phillips
• I Was Told There’d Be Cake by Sloane Crosley

The post The Importance of In-Situ Usability with Kay Connelly appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 37th episode of The Silver Bullet Security Podcast, Gary interviews Virgil Gligor, Professor at Carnegie Mellon University in the Department of Electrical and Computer Engineering and co-director of CyLab. Gary and Virgil discuss how information security has changed over the last 35 years, why software security will be with us forever, and how Virgil’s childhood in Romania has shaped his views on security. They close out with a discussion of Virgil’s breakfast-eating habits.

• Virgil D. Gligor (@ Carnegie Mellon)
• CyLab
• Electrical and Computer Engineering at Carnegie Mellon University
• Building a Secure Computer System
• Foreign Intelligence Surveillance Act
• Software Security Comes of Age
• RSA panel to discuss surveillance, privacy concerns
• Computer Security: Art and Science by Matt Bishop
• Towards a Theory of Penetration-Resistant Systems and its Applications (1991)

The post Changes and Immortality of Security with Virgil Gilgor appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

We switch things up for this special third anniversary episode of Silver Bullet. This time around, Gary is the victim, being interviewed by James McGovern, Enterprise Architect for The Hartford Financial Services Group, Inc. and OWASP maven. Gary and James discuss the recently released Building Security In Maturity Model, how companies with Software Security Groups retain their best and brightest, Microsoft’s trustworthy computing initiative/SDL program, and what less expensive tools small organizations with only a few developers can use.

• Transcript of this episode [PDF]
• Enterprise Architecture: From Incite comes Insight… – James McGovern’s blog
• Gary McGraw’s site
• Software Security: Building Security In
• Building Security In Maturity Model (BSIMM)
• Gartner releases paper on Static Analysis – James’ blog entry on Gartner

The post The Birth of the BSIMM with Gary McGraw appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 35th episode of The Silver Bullet Security Podcast, Gary talks with Daniel Suarez, independent consultant and author of Daemon, a new techno-thriller about a gamer that reaches from beyond the grave to declare a war on all of humanity. They talk about Daniel’s new book and the movie options attached to it, the use of MMORPGs and flash mobs for nefarious means in the form of a distributed emergent attack, the current state of AI, and the follow-up to Daemon, Freedom ^TM.

• Daemon
• Al-Qaeda in Second Life
• Distraction by Bruce Sterling
• Halting State by Charles Stross
• Bot-Mediated Reality at the Long Now Foundation
• Wired for War by P.W. Singer

The post Computer Security within Daemon with Daniel Suarez appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 34th episode of The Silver Bullet Security Podcast, Gary interviews Bill Brenner, senior editor at CSO Online and CSO Magazine. Gary and Bill discuss how delivering the security message changes based on the audience (executives versus geeks and CSO’s versus CIO’s), the much-exaggerated death of print media, and balancing headline-grabbing sensationalism with solid security business coverage. They close out their interview with a discussion of Bill’s favorite period of history.

• Bill Brenner on LinkedIn
• Bill Brenner on Facebook
• Security Wire Weekly
• 1 Raindrop – Gunnar Peterson’s blog.
• Silver Bullet interviews with Jon Swartz, USA Today, Dennis Fisher, Tech Target, and Jeremiah Grossman, Whitehat

The post Show 034 – An Interview with Bill Brenner appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 33rd episode of The Silver Bullet Security Podcast, Gary talks with Laurie Williams, Associate Professor of Computer Science at North Carolina State University. Gary and Laurie discuss Laurie’s nine years at IBM, Agile’s adoption in the commercial space, XP and software security, and what changes Laurie would make to the standard computer science curriculum to better prepare students.

• Laurie Williams
• Empirical Software Engineering
• Protection Poker tutorial
• Is Complexity Really the Enemy of Software Security? [PDF]
• Silver Bullet interview with Adam Shostack
• Law of Attraction audiobook

The post Show 033 – An Interview with Laurie Williams appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

The 32nd episode of The Silver Bullet Security Podcast features founder and Chief Technology Officer of WhiteHat Security, Jeremiah Grossman. Gary and Jeremiah discuss clickjacking, cross-site request forgery, why 50% of web problems can’t be discovered reliably automatically, and which conferences Jeremiah most enjoyed on his 2008 world tour.

• Clickjacking
• Adobe 0-day Browser Exploit
• Web application scan-o-meter
• The “Wall of Fame”

The post Show 032 – An Interview with Jeremiah Grossman appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 31st episode of The Silver Bullet Security Podcast, Gary talks with Matt Bishop, professor of Computer Science at UC Davis and author of the book Computer Security: Art and Science as well as many peer-reviewed papers. Gary and Matt discuss Matt’s plan to work security analysis and secure coding into a wider computer science cirriculum, Matt’s early work with Mike Dilger on TOCTOU, whether or not progress is being made in the field of software security, and the role of training in large-scale software security initiatives. Their chat closes with a mention of Matt’s home menagerie (which does not include any one-legged chickens at this time).

• Matt Bishop
• IEEE Security & Privacy Magazine
• Computer Security: Art and Science
• Silver Bullet Security Podcast interview with Dorothy Denning
• Secure Computer Systems: Mathematical Foundations – The Bell Lapadula model [PDF]
• Secure Computer System: Unified Exposition and Multics Interpretation [PDF]
• Testing C Programs for Buffer Overflow Vulnerabilities – Eric Haugh, Matt Bishop [PDF]
• TOCTOU
• Checking for Race Conditions in File Accesses by Matt Bishop and Michael Dilger
• “The Song of the One Legged Chicken”

The post Show 031 – An Interview with Matt Bishop appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 30th episode of The Silver Bullet Security Podcast, Gary talks with Ken van Wyk, principal and founder of KRvW Associates. Ken was the first employee of CERT and has been an active member of FIRST. Ken and Gary discuss why the discipline of computer science doesn’t learn from failure like mechanical engineering does, how we’re making steps backwards in computer security, whether focusing on web applications is a good or bad thing for software security, and Ken’s recommendation for moderately-priced red wines.

• Ken’s personal page
• KRvW Associates
• CERT
• FIRST
• Secure Coding
• Incident Response
• SC-L mailing list
• TJX’s stock increase since the January 2007 security breach
• The Addison-Wesley Software Security Series
• Barbera D’Asti wines

The post Show 030 – An Interview with Ken van Wyk appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget. Dennis helps run SearchSecurity.com and Information Security Magazine. Gary and Dennis discuss the current “BS factor” in security journalism, shopping at TJ Maxx right after the TJX privacy breach, the state of software security, and which is harder: being a fry cook at Hardees or working as a PR flack.

• Dennis’ blog
• TJX
• Software Security Grows
• Dennis’ un-named podcast
• Series of Tubes
• Hardees

The post Show 029 – An Interview with Dennis Fisher appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 28th episode of The Silver Bullet Security Podcast, Gary interviews Bill Cheswick, a lead member of technical staff at AT&T Research and all around security guru. Bill has been working in computer security for over 35 years. He coined the term “proxy” in 1990 with reference to firewalls, and co-authored the book Firewalls and Internet Security which was used to train an entire generation of sys admins. Gary and Bill discuss whether we’re winning or losing the computer security war, how security threats have evolved from pimply-faced teenagers to organized crime, whether we should move security into “the cloud,” and whether re-naming “Christmas lights” to “solstice lights” would bypass NJ holiday decoration ordinances.

• AT&T Research
• Lumeta
• FWIS
• “The Design of a Secure Internet Gateway” (Usenix 1990, coining of “proxy”)
• The Apache web server
• Turtles all the Way Down
• Ed Amoroso’s Silver Bullet Podcast (use blink test to compare)

The post Show 028 – An Interview with Bill Cheswick appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 27th episode of The Silver Bullet Security Podcast, Gary interviews software security expert Gunnar Peterson, a Managing Principal at Arctec Group. Gary and Gunnar begin with the age-old question, “What is security?” They go on to discuss how Web 2.0 and SOA security is progressing, the big idea behind “federated identity,” whether all market verticals can follow the software security lead of the financial services industry, and the inherent badness of the color purple.

• Transcript of this episode [PDF]
• Gunnar’s Blog
• informIT (Securing Web 3.0)
• Metricon 3.0
• Butler Lampson on Security
• Federated Identity
• Ping Identity
• Gerald Weinberg
• Verizon Business Security: Patching Conundrum

The post Show 027 – An Interview with Gunnar Peterson appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was following the letter, rather than the spirit, of PCI. Also on the agenda, duck-billed platypuses, Kandinski, and books by Pynchon.

(Beginning with this episode, Silver Bullet will be available as a 192k MP3.)

• Emergent Chaos blog
• The New School of Information Security
• Microsoft’s SDL
• Wassily Kandinsky
• The CardSystems breach (2005)
• Thomas Pynchon

The post Show 026 – An Interview with Adam Shostack appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Jon Swartz, USA Today‘s award-winning technology reporter and Pulitzer Prize nominee, is Gary’s guest on the 25th episode of The Silver Bullet Security Podcast. They discuss Jon’s new book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity and the research that went into writing it. Gary and Jon also cover how cybercrime is driven by capitalist principals, why the general public’s attitude is so lax about software security, and how, even though it’s hard to get an accurate count of identity theft instances, they tend to show a sharp upward trend. Jon ends the episode by disclosing his secret dream career.

(Apologies for the below-average sound quality on this episode.)

• Transcript of this episode [PDF]
• Jon’s USA Today articles

The post Show 025 – An Interview with Jon Swartz appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

Oracle Chief Security Officer Mary Ann Davidson is the guest on the 24th episode of The Silver Bullet Security Podcast. Gary and Mary Ann discuss how an MBA helps in the CSO role, Oracle’s “Unbreakable” campaign, why everyone needs training in secure coding, and how military history informs computer security. They also talk about how a young CSO-to-be got her first library card.

• Mary Ann Davidson’s blog
• Lone Survivor

The post Background Behind a CSO with Mary Ann Davidson appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 23rd episode of The Silver Bullet Security Podcast, Gary talks with Chris Wysopal, founder and CTO of Veracode and author of The Art of Software Security Testing. Chris was one of the seven original members of the L0pht hacker collective (operating under the hacker handle Weld Pond) and later went on to work for @stake. Gary and Chris reminisce about L0pht (and the warehouse full of stuff) and discuss the role of security researchers now versus in the mid-late ’90s. They also talk about the current state of the software security market and its continued growth.

• Chris’ Wikipedia entry
• The Art of Software Security Testing
• Veracode
• L0pht Heavy Industries

The post The Growth of Software Security with Chris Wysopal appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 22nd episode of The Silver Bullet Security Podcast, Gary interviews Ed Amoroso, Chief Information Security Officer of AT&T. They discuss how Peter Neumann influenced Ed, the difference between bugs and flaws and whether bugs are getting too much attention, the propensity for confusion around how security actually works, privacy, security, and monitoring, and software correctness/quality vs software security. They also discuss the Hugh Thompson show now airing on AT&T’s Tech Channel.

• Transcript of this episode [PDF]
• Cyber Security
• Fundamentals of Computer Security Technology
• Silver Bullet Interview with Peter Neumann

The post Software Security Behind AT&T with Ed Amoroso appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

• Transcript of this episode [PDF]
• Justice League blog
• OWASP Top 10 for 2007
• OWASP
• The Shmoo Group

The post Show 021 – A Panel Discussion with Cigital’s Principals appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

For the landmark 20th episode of The Silver Bullet Security Podcast, Gary interviews Markus Jakobsson, soon to be a reseacher at PARC after a stint as an Associate Professor of Informatics and associate director of the Center for Applied Cybersecurity Research at Indiana University. Gary and Markus discuss the difference between academic and corporate research, the idea of “perfect privacy,” moving from hardcore cryptography to sociology, how reality is mimicking phishers, and how cartoons can be used to teach security. In addition, Markus mentions the best place in Southeast Asia to get a haircut.

• Markus @ Wikipedia – he’s “orphaned”!
• RavenWhite
• Crimeware

The post Show 020 – An Interview with Markus Jakobsson appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

For the 19th episode of The Silver Bullet Security Podcast, Gary interviews Mikko Hyppönen, Chief Research Officer at F-Secure. During this show, Gary and Mikko discuss Helsinki and Finnish pronunciation, whether mobile viruses are all hype or a legitimate threat, if the iPhone as a closed system is good or bad for security, and Mikko’s prediction for the appearance of the first mobile botnet. They also chat about Finnish hip-hop.

• Transcript of this episode [PDF]
• Mikko Hyppönen
• Mikko Hyppönen– Wikipedia
• F-Secure
• Mobile Malware – Mikko’s USENIX 2007 talk, both audio and video (scroll down a bit)
• Xevious
• The FSMCs

The post The Legitimacy of Mobile Viruses with Mikko Hyppönen appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 18th episode of The Silver Bullet Security Podcast, Gary talks with Dr. Eugene Spafford, better known as “Spaf.” Spaf is a professor of computer science and Electrical and Computer Engineering at Purdue University and executive director of the Center for Education and Research in Information Assurance and Security (CERIAS). On this episode, Gary and Spaf discuss the role of software testing in computer security, commercial certifications and whether they obviate the need for academic training, how Spaf feels about so-called “ethical hacking,” and why auditing and compliance is an area of emerging specialization.

• Transcript of this episode [PDF]
• Dr. Eugene Spafford
• Spaf’s blog at CERIAS
• Gene Spafford – Wikipedia
• CERIAS – Center for Education and Research in Information Assurance and Security
• PITAC – President’s Information Technology Advisory Committee
• What did you really expect? – Spaf’s post on “reformed hackers”
• The Internet Worm Program: An Analysis
• Yucks Digest

The post The Importance of Software Testing with Eugene Spafford appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 17th episode of The Silver Bullet Security Podcast, Gary talks with Eric Cole, CEO of Secure Anchor. Eric has written seven books on computer security, including books on steganography and network security. Gary and Eric discuss how to demostrate security ROI in different types of organizations (ranging from government to corporate), the academic approach to security versus practitioner certification models, and what kinds of training makes for good network security practitioners. They also discuss the difficulty of certifying software developers.

• Secure Anchor
• Security Haven
• Stego-marking packets to control information leakage on TCP/IP based networks – Eric’s dissertation

The post The ROI of Computer Security with Eric Cole appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 16th episode of The Silver Bullet Security Podcast, Gary talks with Greg Hoglund, who runs the popular rootkit.com, CEO of HB Gary, and co-author of Rootkits: Subverting the Windows Kernel and Exploiting Software. In addition to shameless self-promotion of their new book, Exploiting Online Games, Gary and Greg discuss the natural tendency of certain types of code to allow exploits, how disclosure is a good thing when it comes to revealing exploits, and the use of rootkits by the “good guys.” Greg also makes us concerned that his 11-year-old daughter may 0wn our box.

• HB Gary
• Exploiting Online Games
• AWL Software Security Series

The post Understanding Exploits with Greg Hoglund appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 15th episode of The Silver Bullet Security Podcast, Gary interviews Annie Antón, Associate Professor of Software Engineering at North Carolina State University and director of theprivacyplace.org. During their discussion, Annie and Gary focus on privacy. They start with an attempt to define what “privacy” is in the digital world, moving on to Annie’s work with The Privacy Place. Annie also discusses airlines’ pretty much pitiful privacy policies, the impact that a Google/Doubleclick deal would have on consumer privacy, crazy talk in EULAs, and the book Letters to a Young Catholic (which has nothing to do with privacy).

• Annie I. Antón
• The Privacy Place
• The ChoicePoint Data Security Breach

The post Data Privacy Defined with Annie Antón appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

The 14th episode of The Silver Bullet Security Podcast features Peter Neumann, designer of the Multics OS file system, moderator of comp.RISKS, and Principal Scientist at the SRI Computer Science Laboratory. In this show, Gary and Peter discuss the most important changes in computer security since the 1960s, the discipline involved in early Multics engineering (“nodody writes a line of code without the approving authorities [having] read and understood the specification”), why DRM is the “wrong solution to the wrong problem,” and who was more interesting to meet: Albert Einstein or Norah Jones.

• Peter Neumann
• comp.RISKS
• Computer-Related Risks
• Multics
• A General-Purpose File System For Secondary Storage – Peter’s 1965 paper on Multics
• Multics History Project
• The Brooklyn Boogaloo Blowout

The post Computer Security since the 1960’s with Peter Neumann appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 13th episode of The Silver Bullet Security Podcast, Gary chats with Ross Anderson, Professor of Security Engineering at the Computer Laboratory at Cambridge University and author of the book Security Engineering. Gary and Ross discuss the effect of posting his excellent book on the net for free, the simple reasons why most systems fail, the economic imbalance between engineers/developers and a system’s users (with respect to who should address security), and why publicly describing attacks is essential to security engineering. They close out by examining the security implications of wearing a kilt.

• Ross Anderson
• Light Blue Touchpaper – A security blog by Cambridge computer scientists.
• Security Engineering – Ross’ groundbreaking book in print and online
• WEIS 2007 – Sixth Workshop on the Economics of Information Security
• RFID and the Middleman [PDF]
• Ross playing the bagpipes

The post Security Engineering Described with Ross Anderson appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 12th episode of The Silver Bullet Security Podcast, Gary talks with Becky Bace, Advisor to Venture Capital firm Trident Capital. Becky spent twelve years at the NSA working on intrusion detection and cryptography from 1984 until 1996, followed by a stint at Los Alamos National Laboratory. Gary and Becky discuss growing up in rural America, explosives, and Becky’s Jimmy Hoffa sponsored college funding situation. They also talk about the evolution of security curricula in academia, rampant commercialization of computer security, Becky’s involvement in tracking down the notorious Kevin Mitnick, vicodin-induced creativity, and eclectic music.

• Transcript of this episode [PDF]
• Who’s Who in Infosec: Rebecca Bace
• Trident Capital – The VC firm where Becky is an advisor
• Los Alamos National Labs
• Intrusion Detection
• A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony As An Expert Technical Witness – Co-authored with Fred Smith
• Frank Sinatra
• The Kinsey Sicks

The post From Ruralism to Computer Security with Becky Bace appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

On the 11th episode of The Silver Bullet Security Podcast, Gary talks with Dorothy Denning, a professor in the Department of Defense Analysis at the Naval Postgraduate School. Previously, Dorothy was a distinguished professor at Georgetown University and a professor at Purdue University. Gary and Dorothy discuss Dorothy’s involvement in the Clipper Chip controversy (which earned Dorothy the moniker “clipper chick”), the concept of geo-encryption, and a famous 1990 paper she wrote describing a series of interviews with malicious hackers.

• Wikipedia: Dorothy Denning
• Clipper Chip (More)
• Clipper Chick – a 1996 Wired article about the Clipper Chip controversy.
• Big Sur Power Walk

The post Teaching Computer Security with Dorothy Denning appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

The tenth episode of The Silver Bullet Security Podcast features a panel discussion with the Fortify Software Technical Advisory Board, several of whom have been featured on previous episodes. The group discusses what commercial software tools can learn from academic research, the state of software security in China, real world lessons learned while using static analysis tools, and software security pedagogy.

Participating members of the Technical Advisory Board include:

• Bill Pugh, Professor at University of Maryland, static analysis for finding bugs
• Li Gong, GM at Microsoft, MSN in China
• Marcus Ranum, CSO of Tenable Network Security, security products trainer
• Avi Rubin, Professor at Johns Hopkins, electronic voting security
• Fred Schneider, Professor at Cornell, trustworthy computing
• Greg Morrisett, Professor at Harvard, dependant type theory
• Matt Bishop, Professor at UC Davis, computer security
• Dave Wagner, Professor at Berkeley, software security and electronic voting

A complete transcript of this podcast will be available soon from Fortify at http://www.fortify.com/silverbullet.

The post A Discussion on Software Security & Static Analysis Tools appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

In the ninth episode of The Silver Bullet Podcast, Gary interviews Bruce Schneier. Bruce is the founder and CTO of Counterpane and is regarded as the “uber-guru” of computer security. He has written eight bestselling books, most recently Beyond Fear: Thinking Sensibly About Security in an Uncertain World and is the editor of the massively popular Cryptogram mailing list. In this episode, Gary and Bruce discuss the connection between physical security its technological component, the idea of risk management, the intersection of economics and security, and the ideas of “wholesale surveillance” and “security theater.” They also discuss patch Tuesday, hack Wednesday, and Microsoft’s approach to software security.

• Bruce’s Wikipedia entry
• Bruce’s books
• Crypto-Gram security podcast
• Property Rights Management – Ed Felten’s discussion of PRM, mentioned on the show
• Copyright Mythbusters: Believe It or Not, Fair Use Exists – a look at the “fair use doesn’t exist” argument
• BBC plans attacked for ‘TV tax’ (March 14, 2006)

The post Phyisical And Computer Security Compared with Bruce Schneier appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

In the eighth episode of The Silver Bullet Podcast, Gary talks with Brian Chess, co-founder and chief scientist of Fortify Software. Brian completed his computer science Ph.D. at UC Santa Cruz after several years in the commercial sector. Gary and Brian discuss what commercial developers and academics have to learn from each other, what it’s like to work for a Kleiner-Perkins startup (KP is the VC firm behind familiar names like Google, Amazon, and Sun), and how mystifying it is that some developers are OK with XSS vulnerabilities in their web applications.

• Matt Bishop’s Computer Security: Art and Science (mentioned again!)
• Kleiner Perkins Caufield & Byers
• Brian as a wee lad

The post Show 008 – An Interview with Brian Chess appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

In the seventh episode of The Silver Bullet Podcast, Gary interviews Cisco Chief Security Officer John Stewart. Gary and John discuss what CSOs do all day, how John got started in computer security, and the infamous Morris Worm from 1988 (which John was deeply involved in while a student at Syracuse). John and Gary also revisit Cisco-gate, talk about how John’s identity was stolen, and determine why John’s kids don’t have e-mail addresses.

• Wikipedia: CSO
• Digital Island
• The What, Why, and How of the 1988 Internet Worm – a look at the history of the Morris Worm

The post Day in The Life of a CSO with John Stewart appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

The sixth episode of the show features an interview with Michael Howard, the Senior Security Program Manager of Microsoft’s Security Technology Unit. Michael has been at Microsoft since 1992 and discusses what it has been like watching the company come to grips with software security. Michael continues to play a key roll in implementing the Trustworthy Computing Initiative at Microsoft. Gary and Michael also discuss the security features of Windows Vista and Michael’s recommendations for the two most important best practices when developing secure software. Listen for a startling revelation about Michael’s choice of a “desert island book.”

• Michael Howard’s blog
• Writing Secure Code by Michael Howard
• Wikipedia: Defense in Depth
• Microsoft’s Trustworthy Computing Security Development Lifecycle
• Matt Bishop’s computer security books – These would go with Michael to a desert island.
• Michael Howard – but not the one Gary interviewed.

The post Security’s impact on Microsoft with Michael Howard appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

The fifth edition of the Silver Bullet Security Podcast features Ed Felten, Professor of Computer Science and Public Affairs at Princeton University and the Director of the Center for Information Technology Policy. Gary and Ed take a look at Ed’s predictions for 2006 and how he’s faring so far and then discuss Ed’s relationship with his former adversaries. They also talk about how to discuss difficult technology issues with lawmakers and the importance of public policy and the law to computer scientists. Ed also outlines the challenges of raising a bright 11-year-old.

• Freedom to Tinker – Ed Felten’s blog
• Ed’s Predictions for 2006
• Wikipedia: Series of Tubes

The post 2006 Technology Predications with Ed Felton appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

In the fourth episode of the Silver Bullet Security Podcast, Gary’s guest is Dana Epp, CEO and founder of Scorpion Software. Dana also runs a popular software security blog and is a jazz trumpeter. On this show, Dana and Gary talk about past programming disasters (“code lives forever”), the security implications of systems with ever-increasing complexity, suggestions for new developers interested in learning about software security, regulation’s role in information security, and Miles Davis.

• SilverStr’s blog – Dana’s blog
• It’s Pat!
• RemoteAccess BBS
• The 5 Rules of the Regulatory Process
• SC-L List
• Bitches Brew

The post A Software Security Industry 360 with Dana Epp appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

In the third episode of the Silver Bullet Security Podcast, Gary talks with Marcus Ranum, who is an acclaimed security guru widely credited with inventing the proxy firewall. Marcus and Gary discuss why Marcus thinks we’re not making progress in the computer security field, how common sense would help computer security, Richard Feynman, and power tools for home repair and improvement.

• Ranum.com
• The Six Dumbest Ideas in Computer Security
• Old West Snake Oil
• Patch Tuesday
• Richard Feynman

The post The Computer Security Plateau with Marcus Ranum appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

In this episode of the Silver Bullet Security Podcast, Gary chats with Dan Geer, Chief Scientist at Verdasys. Dan has a Ph.D. in biostatistics from Harvard. He and Gary discuss the need to understand both technology and business in order to be a good security practitioner, Dan’s paper Cyber Insecurity, his work on Project Athena, and livestock.

• Dan Geer on Wikipedia
• Project Athena on Wikipedia
• How Much Information 2003

The post The Necessities of a Security Practitioner with Dan Geer appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.

In the debut episode of the Silver Bullet Security Podcast, Gary talks with Avi Rubin, professor of computer science and technical director of the information security institute at Johns Hopkins University. Avi made headlines in 2003 when he revealed glitches in Diebold electronic voting machines.

Links:

• A partial transcript of the interview in IEEE Security & Privacy
• Avi’s site
• Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting, Avi’s forthcoming book
• ACCURATE – A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections
• Froot Loops and Corn Flakes

The post Show 001 – An Interview with Avi Rubin appeared first on Cigital » The Silver Bullet Security Podcast with Gary McGraw.