Essential Guide


How to develop software the secure, Gary McGraw way

This compilation of content featuring software security expert Gary McGraw covers every aspect of secure software development, from training to coding to post-launch analysis.


Ensuring security in software, Gary McGraw has long argued, means starting at the code level: That is, build security in from the start. McGraw, chief technology officer at Cigital Inc. and recognized as the industry's foremost software security expert, has said that enterprises too often focus on repairing damage post-breach and fixing bugs after launch. Instead, he argues, greater attention to security in the earliest stages of software development would greatly reduce the percentage of successful attacks, and minimize damage when malicious hackers do succeed.

For many organizations, this is a paradigm shift. Why is it worthwhile? Solving security vulnerabilities in production applications is expensive and difficult. That factor of difficulty is multiplied considerably by the fact that now there is software in everything (and the fact that those things are increasingly interconnected). That complexity might tempt you to assume the fight against malware attacks is hopeless. Not so, says McGraw; enterprises exacerbate the problem by considering security too late (i.e., at the testing stage, or post-launch). The key is to make security front and center when a new software development project is still a twinkle in a developer's eye.

This guide gathers McGraw's insights on how to develop software more securely and which tools and procedures you can use to eliminate vulnerabilities in your next development project. In the tips, interviews, podcasts and videos that follow, you'll get in-depth information on mobile software security, architecture risk analysis, the value of the Building Security in Maturity Model (BSIMM) and more.

1. Better coding

A strong case for better coding

To ensure software security, we need to build secure software, and build it from the code on up: That's the message Gary McGraw consistently delivers in his writing on software development. Sounds logical, so why doesn't it happen? Why is it, as our expert asks, that so much energy goes into fixing damage and not enough into preventing it in the first place? Firewalls are all well and good -- and getting better all the time -- but maybe the focus should be on, as McGraw puts it, building "stuff that does not suck."

Or, to put it more delicately: Maybe it's time to remember that better security starts in the software, and the software starts in the coding.

Read on for the basics on the McGraw approach to secure software development.


Software security assurance? Build it right by building it in

How to assure computer security? Build it right in.


Ranum and McGraw one-on-one: Two experts on key software security issues

Marcus Ranum and McGraw cover software security issues in this one-on-one feature.


How to scale automated code review

McGraw and fellow expert Jim DelGrosso propose an easier, more scalable software architecture risk analysis process.


Implementing secure coding fundamentals

Bad software is as much a threat to security as actual malware. Learn why in this module, as we delve into the fundamentals of software security. You'll learn, for instance, the best practices of highly successful software security development and why a code review isn't enough to spot and prevent a software vulnerability.

This part of our guide includes key information on the BSIMM, a tool McGraw and others first developed in the 1990s that is now in its fifth iteration. The model, says McGraw, is an important guide to planning and carrying out any secure software development initiative.


Badware, malware are separate, but connected, issues

Getting rid of bad software can also help eliminate malware, McGraw argues.


Don't hack back: Fix vulnerabilities to win the cyberwar

Hacking back isn't how you win the cyberwar. Instead, McGraw says, build software and systems with fewer vulnerabilities.


The 12 processes of highly successful software security programs

Which processes are commonly found in highly successful software security programs? McGraw explains what they are.


To find software flaws, architectural risk analysis a must

Software defects often aren't found through code review; here's why architectural risk analysis is a must.


Want to do a number on software insecurity? Try BSIMM-V

The BSIMM tool, in its fifth version, acts as a measuring stick for software security initiatives.


Seven software security myths

Don't believe everything you hear about secure software development.

3. Best practices

Refining and improving best practices

This segment of the guide elaborates on the topic of best practices by turning attention to the human element of software security. Despite popular wisdom, McGraw insists that the facts show not only that humans can be trained, but also that security awareness training is a vital part of keeping software secure.

In this bring-your-own era, mobile security is another essential element to consider when you develop software, and McGraw covers the topic in depth here in a pair of articles. We close with a set of actionable guidelines on everything from software security groups to fixing bugs and flaws. No gospel would be complete without a set of commandments, and McGraw's got his ten. Avoid violating these and you can avoid the hell of a software security breach.


Data don't lie: Awareness training does heighten security

McGraw says it's time to focus on the facts, and they show that security awareness training is both needed and effective.


The easy way to scale software architecture risk analysis

Software architecture risk analysis doesn't have to be hard. McGraw and fellow expert Jim DelGrosso explain an easy way to scale this essential software security practice.


The key to security is in the mobile software

Mobile systems have many moving parts, but securing them can be simple, McGraw says.


The three legs of a mobile app security strategy

Are you still struggling to define your company's mobile app security strategy? McGraw helps get infosec and app developers on the same page.


How to outrun the security risks that five tech trends harbor

There are five tech trends affecting software security, but there are also several BSIMM best practices to limit your risk.


Enhance your software security even when it comes from a third party

There's no definitive test to give third-party software a clean bill of health, but McGraw explains ways to assess it in order to have more control over vendors.


The 'Thou shalts': Ten commandments for software security

McGraw fills in what the BSIMM project lacks: actionable guidance for software security.


McGraw on Film

If a picture is worth a thousand words, a video must be worth a million. These videos featuring McGraw both round out and supplement the material explored in other parts of this guide, covering everything from the evolution of the BSIMM to coding securely to mobile app issues.


On the development of secure software through better coding

In this video, McGraw explains why coding more securely could turn back potential Web 2.0 attacks.


On the evolution of the BSIMM maturity framework for software security

The past and future of the BSIMM maturity framework for software security is McGraw's focus in this video. Watch and learn how vendors like Adobe and Microsoft measure up.


On how to get a handle on your software security process via BSIMM

A key BSIMM study identified several processes you can use to help secure your software development environment.


On why you should use the VBSIMM model when buying software

What's the VBSIMM software security model, and how do you apply it to software purchased from third-party vendors? This video explains it all.


On the top mobile app security issues

Learn about key mobile app security issues, and why McGraw thinks it's time to apply trustworthy computing concepts to mobile devices.


On how and why there's been improvement in the application development process

Increasingly, organizations are employing the software development processes that improve code. Discover the tools and procedures McGraw says will help eliminate serious vulnerabilities.


How to develop software securely: A Gary McGraw podcast library

Talk about one-stop shopping! In a single link we provide an entire library of Gary McGraw's greatest Silver Bullet podcasts on how to develop software securely. In each, McGraw chats with a fellow security expert on a particular topic. Click below to hear the man whom many call the father of software security discuss Apple vulnerabilities, mobile security, how best to teach software development and more.


Gary McGraw's software security podcast greatest hits

We are pleased to partner with Gary McGraw to feature his monthly Silver Bullet software security podcasts, which discuss best practices in software security.
