How to develop software the secure, Gary McGraw way
SearchSecurity.com is pleased to partner with Gary McGraw to feature his monthly Silver Bullet software security podcasts, which discuss best practices in software security.
McGraw hosts this monthly podcast, interviewing various information security practitioners, experts and commentators about software security and other top issues in the world of infosec.
Bookmark this page and be sure to check back monthly for new episodes!
Silver Bullet podcast: Marty Hellman Discusses Cryptography and Nuclear Non-Proliferation
Martin E. Hellman is Professor Emeritus of Electrical Engineering at Stanford University. A graduate of New York University, Martin went on to earn both a Master's degree and Ph.D. in Electrical Engineering from Stanford. He is the author of over 70 technical papers, holder of 12 U.S. patents, co-inventor of public key cryptography, and the 2015 Turing Award recipient. Listen as Gary interviews Martin about his cutting-edge career, involvement in the crypto wars, and his work with nuclear non-proliferation and risk management.
Silver Bullet podcast: Jacob West Discusses the IEEE CSD, Bugs, Flaws and Wearable Devices
As the Chief Architect for Security Products at NetSuite, Jacob West leads research and development for technology to identify and mitigate security threats. West has over a decade of experience developing, delivering and monetizing innovative security solutions. Prior to his role at NetSuite, he served as the CTO for Enterprise Security Products (ESP) at HP where he founded and led HP Security Research. West is the co-author of Secure Programming with Static Analysis, and is a founding member of the IEEE Center for Secure Design. Listen as Gary and Jacob discuss secure design, the critical difference between bugs and flaws and wearable device security.
Silver Bullet podcast: Jack Daniel Discusses Security BSides, Communities and the Big Picture of Security
Gary talks to Jack Daniel, a leading technology community activist, about the evolution of the community-driven BSides Con, changes in the security field over the last decade, and his thoughts on where good security people come from. Jack is currently a Strategist for Tenable Network Security, and has over twenty years of experience in network and system administration and security. He also has twenty years of mechanical experience in the automotive domain. Jack co-hosts the Security Weekly podcast and produces the Uncommon Sense Security blog. Listen as Gary and Jack kick things off with the topic of the importance of diverse security communities.
Silver Bullet podcast: Jamie Butler Discusses Security Research, Thinking Like a Hacker and Rootkit Development
Gary talks to Jamie Butler, a self-proclaimed "coder at heart," about the importance of an offensive security approach, attack patterns and his specialization in rootkit development. Jamie is currently the CTO and Chief Scientist at Endgame where he leads research on advanced threats, vulnerabilities and attack patterns. He has directed vulnerability research teams at a number of prominent companies. Jamie holds an MS in Computer Science and has over 17 years of operating system security experience in the government and private sectors. Listen as Gary and Jamie discuss the attribution problem and his research focusing on how to think like a hacker in an effort to turn their work against them with an offensive security stance.
Silver Bullet podcast: Doug Maughan Discusses the Current State Of Cyber Security In the U.S. Department Of Homeland Security
Gary talks to Dr. Doug Maughan about scientific research in computer security and its relationship to wider government efforts in security. Maughan is currently the Cyber Security Division (CSD) Director for the Homeland Security Advanced Research Projects Agency. With a Ph.D. in Computer Science and over 10 years of experience working with the Department of Homeland Security (DHS), Maughan focuses his expertise on advancing the state of security technology through the research “valley of death.” Listen as Gary and Doug discuss tech transfer, the relationship between scientific research and government funding, and the widening gap between scientific computer security results and the insufficient computer security measures attempted by the government today.
Silver Bullet podcast: Peiter "mudge" Zatko Discusses the L0pht and Government Influence
Gary talks to Peiter Zatko, better known as "mudge" in hacker and security circles, about the evolution of the L0pht hacker collective and how his work in security influenced key agencies within the U.S. government to ramp up their cybersecurity efforts. During his time as a Program Manager with DARPA, mudge worked to fund much needed research for the speedy development of technology that would allow the government to protect against cyberattacks. From his experience with the L0pht and the Cult of the Dead Cow, to federal and commercial tech-industry giants including Google, mudge shares his experience and lessons learned along the way.
Silver Bullet podcast: Peter Clay Discusses the Evolution of the CISO Role
Gary talks to the Chief Information Security Officer of Qlik, Peter “Pete” Clay, who holds 20+ years of experience in technology growth and its relationship to security from a risk management perspective. Pete brings federal, public, private and start-up insight into the global security space. He shares personal lessons he has learned as a consultant and CISO, and gaps he has identified within the ever-changing security industry. Listen as Gary and Pete discuss the evolution of the CISO role, reactive approaches to security and the potential for cyber warfare.
Silver Bullet podcast: Chandu Ketkar Discusses Software Security Best Practices
Gary talks to Cigital's Chandu Ketkar. With 20+ years of experience as a developer prior to getting into security, Chandu brings a unique and enlightened view to software security. Chandu shares his insight into why developers and security experts struggle to get along, and offers a solution from the world of economics. He also provides lessons from the healthcare industry and aviation that he believes can improve security processes, particularly when it comes to threat modeling and architecture risk analysis. Listen in for Gary and Chandu's take on threat modeling, risk analysis, the principal-agent paradox, the checklist manifesto and more.
Silver Bullet podcast: Steve Bellovin and Matt Green discuss "Crypto Wars II"
We thought the "crypto wars" were resolved in the late 1990s. But the introduction of encrypted devices -- specifically the release of iOS 8 and the growing number of available encrypted communication channels through public services such as Facebook and Snapchat -- has resurfaced the debate. FBI Director Comey and other law enforcement groups are concerned about what they call "going dark" and are stressing the need for back door access (called extraordinary access). But is this really a good idea? Didn't we already fight this battle during the first crypto wars? Matthew Green and Steve Bellovin, two authors of the recently released Keys Under Doormats paper, discuss the dangerous ramifications of this request.
Silver Bullet podcast: An Interview with Marcus Ranum
Has software security actually gotten worse? On the 111th episode of The Silver Bullet Security Podcast, Gary talks with Marcus Ranum, Chief Security Officer of Tenable Network Security. He is the inventor of both the proxy firewall and early-advanced intrusion systems. Gary and Marcus discuss the current state of software security, firewalls, de-perimeterization, and hackers. Marcus also shares how he stays on the cutting edge of security and who his biggest influences are. Gary closes the show with an unexpected "dirty, brilliant trick."
Silver Bullet podcast: An Interview with Paul Dorey
On the 110th episode of The Silver Bullet Security Podcast, Gary talks with Paul Dorey, founder of CSO Confidential and Visiting Professor at the University of London. Gary and Paul discuss the modern role of the CSO and the ideal background for a CSO, Paul's biggest win and biggest mistake as a CSO, and the role of building security in as part of a CSO's strategy. They close out the episode with discussion of Paul's favorite piece of humorous fiction.
Silver Bullet podcast: An Interview with Bart Preneel
On the 109th episode of The Silver Bullet Security Podcast, Gary is joined by Bart Preneel. Bart is a full professor at the KU Leuven, one of the oldest universities in the world. Gary and Bart discuss the differences in approaches to security between the EU and the US, what the picture of building security in looks like around the world, quantum cryptography, and the implications of the Snowden revelations on cryptography. They close out their chat discussing Bart's Dixieland band.
Silver Bullet podcast: An Interview with Katie Moussouris
In the 108th episode of the Silver Bullet Security podcast, Gary talks with Katie Moussouris, Chief Policy Officer of HackerOne. Gary and Katie discuss her first program (a piece of interactive fiction in the Choose Your Own Adventure category written in Basic), bug bounty programs, how financial services and healthcare firms might approach vulnerability management, breaking versus building (and how to teach breakers to think more like builders), and the challenges of being a woman in security and why Katie dislikes being asked about it. They close out their discussion with some talk of various libations.
Silver Bullet podcast: An Interview with Jean Camp
L. Jean Camp is a Professor at the Indiana University School of Informatics and Computing. Gary and Jean discuss usability and security, whether users' implicit expectations of security and privacy are enough to move the mobile market, and "old people" and security. They close out their discussion with the most surprising hangover cure and Jean's favorite album of 2014.
Silver Bullet podcast: An Interview with Steve Katz
Steve Katz is owner and founder of Security Risk Solutions and the "world's first CISO." Gary and Steve discuss the history and evolution of the CISO position, the difficulty of measuring risk in a realistic fashion, how to allocate resources between proactive security engineering and standard network security, triage, and incident response, what it means to be an executive, and the FS-ISAC.
Silver Bullet podcast: An Interview with Whitfield Diffie
On the 105th episode of the Silver Bullet Security Podcast, Gary talks with the legendary Whitfield Diffie, a pioneer of public-key cryptography. Gary and Whitfield discuss the history of public key cryptography, Diffie's work on the "proof of correctness of programs," and if backdoors into crypto systems are a bad idea. They close out by discussing art.
Silver Bullet podcast: An Interview with Rick Gordon
On the 104th episode of the Silver Bullet Security Podcast, Gary chats with Rick Gordon, Managing Partner at MACH37. Gary and Rick discuss Rick’s time in the Navy and what it taught him about security, Rick’s lessons learned from his time as CEO of Tovaris, whether the government outside of DARPA understands security engineering, and the drive behind MACH37 the company… and the name. They close out by discussing if Rick is teaching his children to wrestle.
Silver Bullet podcast: An Interview with Brian Krebs
On the 103rd episode of the Silver Bullet Security Podcast, Gary talks with Brian Krebs, reporter and blogger at Krebs on Security. Gary and Brian discuss how growing up with a computer affected their future careers in security, MUD vs MAD, why "old media" can't support in-depth security reporting, and why the government continues to be five years behind the security curve. They close out talking about Brian's experience of writing Spam Nation.
Silver Bullet podcast: An Interview with Richard Danzig
On the 102nd episode of the Silver Bullet Security Podcast, Gary chats with Richard Danzig, one time Secretary of the Navy and Board member of the Center for New American Security (among several other things). Gary and Richard discuss Richard's time at the Department of Defense, what he learned when running the US Navy that can be applied to computer security, Richard's recommendations from his important new CNAS report, and how the report is designed to have an impact on policy. They close out their chat with a high-brow art discussion.
Silver Bullet podcast: A roundtable with founding members of the Center for Secure Design
In the 101st episode of the Silver Bullet Security Podcast, Gary talks with Jim Del Grosso (Cigital), Yoshi Kohno (University of Washington), and Christoph Kern (Google) in a roundtable devoted to the new IEEE Center for Secure Design. The participants discuss the origin of the Center, why design flaws are more difficult to fix than implementation bugs, design flaws in automobile design and how the top 10 most common flaws recently published by the Center for Secure Design were compiled.
Silver Bullet podcast: A roundtable with Cigital's principals
After 100 months in a row (over 8 years), the Silver Bullet Security Podcast with Gary McGraw hits its landmark 100th episode. In this episode Gary talks live on video with Cigital’s Principals: John Steven, Scott Matsumoto, Paco Hope, Jim DelGrosso and Sammy Migues. The group discusses the state of software security and how it’s evolved (or has it?) over the last decade. They talk Frameworks and code analysis, mobile security, software security in Europe, the forthcoming IEEE Center for Secure Design, and BSIMM. Finally we get to find out who thinks we’re making progress and who doesn’t.
Silver Bullet podcast: An interview with Michael Hicks
Silver Bullet podcast: An interview with Bart Miller
In this episode, Gary chats with Bart Miller, Professor of Computer Science at the University of Wisconsin-Madison and Chief Scientist of the DHS Software Assurance Marketplace Research Facility. Gary and Bart discuss Heartbleed, fuzz testing, his work with Jeff Hollingsworth on dynamic instrumentation of binaries, and the SWAMP project.
Silver Bullet podcast: An interview with Aaron Bedra
In this episode, Gary chats with Aaron Bedra, Senior Manager of Application Security at Groupon. Gary and Aaron discuss how security is viewed by development teams that Aaron has worked with, how a security person could transition into software security, the importance of developing a security culture, and type safety and closure in programming.
Silver Bullet podcast episode: An interview with Nate Fick
In this episode, Gary talks with Nate Fick, CEO of Endgame. Gary and Nate discuss the use of the term "cyber war" from the perspective of an ex-Marine, Nate’s time at the Center for a New American Security, the Estonia DDoS attack, and how Nate has turned around the perception of Endgame.
Silver Bullet podcast episode: An interview with Charlie Miller
In this episode, Gary talks with Charlie Miller, a computer security researcher with Twitter. They discuss Charlie’s history in finding security flaws in Apple products, hacking cars, and whether we’re past the bug whack-a-mole days.
Silver Bullet podcast episode: An interview with Ming Chow
In this episode, Gary chats with Ming Chow, lecturer at Tufts University School of Engineering’s Department of Computer Science. Gary and Ming discuss whether it’s better to start with security people or people that know how to code already when building new software security professionals. They also talk about what developers currently think of software security, what would make developers more likely to take security seriously, and how Ming uses games to teach security to his students.
Silver Bullet podcast episode: An interview with Yoshi Kohno
In this episode, Gary chats with Yoshi Kohno, Associate Professor of Computer Science and Engineering at the University of Washington, about how much academic security impacts commercial security, car hacking, whether it’s possible to get the media to cover good software security, and helping consumers understand privacy implications of popular products’ security designs.
Silver Bullet podcast episode: An interview with Jon Callas
In this episode, Gary chats with Jon Callas, Chief Technology Officer at Silent Circle and all around crypto freedom fighter. Gary and Jon talk about the early days of computing, insanely early computer security, nascent crypto, PGP, Lavabit, Snowden, and what Silent Circle is doing to make secure comms actually work. They also chat briefly about software security and reality.
Silver Bullet podcast episode: An interview with Caroline Wong
In this episode, Gary talks with Caroline Wong, Cigital’s Director of Security Initiatives. Gary and Caroline discuss the newly-released BSIMM-V, the concept of “SSI (Software Security Initiative) in a box,” the most successful metrics that Caroline has used throughout her career at eBay and other high-profile firms, and how to increase the number of women in computer science.
Silver Bullet podcast episode: An interview with Matthew Green
In this episode, Gary talks with Matthew Green, Assistant Research Professor at the Johns Hopkins Information Security Institute. Gary and Matt discuss the difference between theoretical cryptography and applied cryptography, the “On the NSA” blog post takedown scare, and the allegedly ‘backdoored’ Dual_EC_DRBG RSA/EMC random number generator.
Silver Bullet podcast episode: An interview with Michael Reiter
In this episode, Gary chats with Mike Reiter, Lawrence M. Slifkin Distinguished Professor in the Department of Computer Science at the University of North Carolina at Chapel Hill. Gary and Mike discuss the differences and similarities between academic research and corporate research, the challenges of teaching computer security, and how to attract more women to the field of software security. They close out their discussion with some talk about mixed martial arts.
Silver Bullet podcast episode: An interview with Christian Collberg
In this episode, Gary talks with Christian Collberg, Ph.D., Associate Professor of Computer Science at the University of Arizona. Gary and Christian discuss what drew Christian to teaching Computer Security in the United States after living in several other countries, Christian’s book Surreptitious Software, Christian’s opinions on products that purport to offer software protection on mobile devices, and whether software security students should be taught to think like an attacker. They close out their talk with discussion of travel on planet Earth.
Silver Bullet podcast episode: An interview with James Walden
In this episode, Gary chats with James Walden, Ph.D., Associate Professor of Computer Science at Northern Kentucky University. Gary and James discuss the progress being made in the field of software security, why there are plenty of top N lists for bugs but none for flaws, the difficulties of teaching how to fix code, the current generation’s outlook on privacy, and security metrics and measurement.
Silver Bullet podcast episode: An interview with Wenyuan Xu
In this episode, Gary chats with Wenyuan Xu, Associate Professor in the Department of Computer Science and Engineering at the University of South Carolina. Gary and Wenyuan discuss the differences between American and Chinese technical culture, Wenyuan’s work on automatic meter reading systems, whether electrical engineering is more advanced in terms of design than computer science, and why there are so few women in engineering and computer science. They close out the episode with a discussion of tailgating.
Silver Bullet podcast episode: A discussion with Jim Routh and Scott Matsumoto
In this episode, Gary talks mobile security with two guests: Jim Routh, former global head of application security at JP Morgan Chase (and newly-appointed CSO), and Scott Matsumoto, Principal Consultant and head of the mobile security practice at Cigital. All three discuss challenges associated with mobile security and how these challenges are both the same as and different from software security concerns from past years. Also discussed is the use of new technologies, including accelerometers, in enhancing security (or compromising privacy), and the effect that massive phone rooting has on security.
Silver Bullet podcast episode: An interview with Hord Tipton
In this podcast, Gary chats with W. Hord Tipton, Executive Director of (ISC)². Gary and Hord discuss how to get into science and engineering when growing up in rural Tennessee, what insight being a nuclear and chemical engineer gives Hord about modern control systems, whether or not certification helps to advance software security, and the benefits of teaching software security to kids.
Silver Bullet podcast episode: An interview with Mark Graff
In this podcast, Gary talks with Mark Graff, CISO at NASDAQ OMX. Gary and Mark discuss what a CISO actually does all day, how corporate security posture at NASDAQ compares to the security posture at Lawrence Livermore National Laboratory, Enrico Fermi and the piano tuners (the “Fermi problem”) and how it relates to estimation, and the most surprising cultural difference between the left and right coasts. They close out their conversation with talk about Mark’s favorite poem from the mid-19th century (and it still has a software security connection!).
Silver Bullet podcast episode: An interview with Kevin Fu
In this podcast, Gary talks with Kevin Fu, Associate Professor in the EECS Department at the University of Michigan. Gary and Kevin talk about finding advisors and picking a grad school, the security implications of embedded medical devices, the presence of malware in hospital systems, the consumer trend toward analyzing health data, and the issues associated with teaching design analysis to other humans.