Cigital » The Silver Bullet Security Podcast with Gary McGraw

Summary: Building Security In

Podcasts:

 Show 031 – An Interview with Matt Bishop | File Type: application/pdf | Duration: Unknown

Industry Leaders In Application Security & Research

 Show 031 – An Interview with Matt Bishop | File Type: audio/mpeg | Duration: 0:24:24

On the 31st episode of The Silver Bullet Security Podcast, Gary talks with Matt Bishop, professor of Computer Science at UC Davis and author of the book Computer Security: Art and Science as well as many peer-reviewed papers. Gary and Matt discuss Matt’s plan to work security analysis and secure coding into a wider computer science curriculum, Matt’s early work with Mike Dilger on TOCTOU, whether or not progress is being made in the field of software security, and the role of training in large-scale software security initiatives. Their chat closes with a mention of Matt’s home menagerie (which does not include any one-legged chickens at this time).

Links:
- Matt Bishop
- IEEE Security & Privacy Magazine
- Computer Security: Art and Science
- Silver Bullet Security Podcast interview with Dorothy Denning
- Secure Computer Systems: Mathematical Foundations – The Bell-LaPadula model [PDF]
- Secure Computer System: Unified Exposition and Multics Interpretation [PDF]
- Testing C Programs for Buffer Overflow Vulnerabilities – Eric Haugh, Matt Bishop [PDF]
- TOCTOU: Checking for Race Conditions in File Accesses by Matt Bishop and Michael Dilger
- “The Song of the One Legged Chicken”

 Show 030 – An Interview with Ken van Wyk | File Type: audio/mpeg | Duration: 0:21:48

On the 30th episode of The Silver Bullet Security Podcast, Gary talks with Ken van Wyk, principal and founder of KRvW Associates. Ken was the first employee of CERT and has been an active member of FIRST. Ken and Gary discuss why the discipline of computer science doesn’t learn from failure like mechanical engineering does, how we’re making steps backwards in computer security, whether focusing on web applications is a good or bad thing for software security, and Ken’s recommendation for moderately-priced red wines.

Links:
- Ken’s personal page
- KRvW Associates
- CERT
- FIRST
- Secure Coding
- Incident Response
- SC-L mailing list
- From the foreword to Secure Programming with Static Analysis – blog entry with photo of Tacoma Narrows Bridge
- TJX’s stock increase since the January 2007 security breach
- The Addison-Wesley Software Security Series
- Barbera D’Asti wines

 Show 029 – An Interview with Dennis Fisher | File Type: audio/mpeg | Duration: 0:23:50

On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget. Dennis helps run SearchSecurity.com and Information Security Magazine. Gary and Dennis discuss the current “BS factor” in security journalism, shopping at TJ Maxx right after the TJX privacy breach, the state of software security, and which is harder: being a fry cook at Hardees or working as a PR flack.

Links:
- Dennis’ blog
- TJX
- Software Security Grows
- Dennis’ un-named podcast
- Series of Tubes
- Hardees

 Show 028 – An Interview with Bill Cheswick | File Type: audio/mpeg | Duration: 0:23:59

On the 28th episode of The Silver Bullet Security Podcast, Gary interviews Bill Cheswick, a lead member of technical staff at AT&T Research and all-around security guru. Bill has been working in computer security for over 35 years. He coined the term “proxy” in 1990 with reference to firewalls, and co-authored the book Firewalls and Internet Security, which was used to train an entire generation of sys admins. Gary and Bill discuss whether we’re winning or losing the computer security war, how security threats have evolved from pimply-faced teenagers to organized crime, whether we should move security into “the cloud,” and whether re-naming “Christmas lights” to “solstice lights” would bypass NJ holiday decoration ordinances.

Links:
- Bill Cheswick
- AT&T Research
- Lumeta
- FWIS
- “The Design of a Secure Internet Gateway” (Usenix 1990, coining of “proxy”)
- The Apache web server
- Turtles all the Way Down
- Ed Amoroso’s Silver Bullet Podcast (use blink test to compare)

 Show 027 – An Interview with Gunnar Peterson | File Type: audio/mpeg | Duration: 0:27:56

On the 27th episode of The Silver Bullet Security Podcast, Gary interviews software security expert Gunnar Peterson, a Managing Principal at Arctec Group. Gary and Gunnar begin with the age-old question, “What is security?” They go on to discuss how Web 2.0 and SOA security is progressing, the big idea behind “federated identity,” whether all market verticals can follow the software security lead of the financial services industry, and the inherent badness of the color purple.

Links:
- Transcript of this episode [PDF]
- Gunnar’s Blog
- informIT (Securing Web 3.0)
- Metricon 3.0
- Butler Lampson on Security
- Federated Identity
- Ping Identity
- Gerald Weinberg
- Verizon Business Security: Patching Conundrum

 Show 026 – An Interview with Adam Shostack | File Type: audio/mpeg | Duration: 0:30:12

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was following the letter, rather than the spirit, of PCI. Also on the agenda: duck-billed platypuses, Kandinsky, and books by Pynchon. (Beginning with this episode, Silver Bullet will be available as a 192k MP3.)

Links:
- Transcript of this episode [PDF]
- Emergent Chaos blog
- The New School of Information Security
- Microsoft’s SDL
- Cigital’s Touchpoints
- IEEE Security & Privacy magazine
- Wassily Kandinsky
- The CardSystems breach (2005)
- Thomas Pynchon

 Show 025 – An Interview with Jon Swartz | File Type: audio/mpeg | Duration: 0:27:49

Jon Swartz, USA Today’s award-winning technology reporter and Pulitzer Prize nominee, is Gary’s guest on the 25th episode of The Silver Bullet Security Podcast. They discuss Jon’s new book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, and the research that went into writing it. Gary and Jon also cover how cybercrime is driven by capitalist principles, why the general public’s attitude is so lax about software security, and how, even though it’s hard to get an accurate count of identity theft instances, they tend to show a sharp upward trend. Jon ends the episode by disclosing his secret dream career. (Apologies for the below-average sound quality on this episode.)

Links:
- Transcript of this episode [PDF]
- Zero Day Threat
- Jon’s USA Today articles
