How to develop software the secure, Gary McGraw way

Last updated: March 2014

Editor's note

Ensuring security in software, Gary McGraw has long argued, means starting at the code level: That is, build security in from the start. McGraw, chief technology officer at Cigital Inc. and recognized as the industry's foremost software security expert, has said that enterprises too often focus on repairing damage post-breach and fixing bugs after launch. Instead, he argues, greater attention to security in the earliest stages of software development would greatly reduce the percentage of successful attacks, and minimize damage when malicious hackers do succeed.

For many organizations, this is a paradigm shift. Why is it worthwhile? Fixing security vulnerabilities in production applications is expensive and difficult, and that difficulty is multiplied considerably now that there is software in everything, and those things are increasingly interconnected. That complexity might tempt you to assume the fight against malware attacks is hopeless. Not so, says McGraw; enterprises exacerbate the problem by considering security too late (i.e., at the testing stage, or post-launch). The key is to make security front and center when a new software development project is still a twinkle in a developer's eye.

This guide gathers McGraw's insights on how to develop software more securely and which tools and procedures you can use to eliminate vulnerabilities in your next development project. In the tips, interviews, podcasts and videos that follow, you'll get in-depth information on mobile software security, architecture risk analysis, the value of the Building Security in Maturity Model (BSIMM) and more.

1. Implementing secure coding fundamentals

Bad software is as much a threat to security as actual malware. Learn why in this module, as we delve into the fundamentals of software security. You'll learn, for instance, the best practices of highly successful software security development and why a code review isn't enough to spot and prevent a software vulnerability.

This part of our guide includes key information on the BSIMM, a tool McGraw and others first developed in the 1990s that is now in its fifth iteration. The model, says McGraw, is an important guide to planning and carrying out any secure software development initiative.

2. Refining and improving best practices

This segment of the guide elaborates on the topic of best practices by turning attention to the human element of software security. Despite popular wisdom, McGraw insists that the facts show not only that humans can be trained, but also that security awareness training is a vital part of keeping software secure.

In this bring-your-own era, mobile security is another essential element to consider when you develop software, and McGraw covers the topic in depth here in a pair of articles. We close with a set of actionable guidelines on everything from software security groups to fixing bugs and flaws. No gospel would be complete without a set of commandments, and McGraw's got his ten. Avoid violating these and you can avoid the hell of a software security breach.

3. McGraw on film

If a picture is worth a thousand words, a video must be worth a million. These videos featuring McGraw both round out and supplement the material explored in other parts of this guide, covering everything from the evolution of the BSIMM to coding securely to mobile app issues.

4. How to develop software securely: A Gary McGraw podcast library

Talk about one-stop shopping! In a single link we provide an entire library of Gary McGraw's greatest Silver Bullet podcasts on how to develop software securely. In each, McGraw chats with a fellow security expert on a particular topic. Click below to hear the man whom many call the father of software security discuss Apple vulnerabilities, mobile security, how best to teach software development and more.