SearchSecurity.com is pleased to partner with Gary McGraw to feature his monthly Silver Bullet software security podcast, which discusses best practices in software security.
McGraw hosts this monthly podcast, interviewing various information security practitioners, experts
Bookmark this page and be sure to check back monthly for new episodes!
Silver Bullet podcast: Gary McGraw discusses the evolution of software security, the BSIMM, the CISO report, and the future of IoT
Dr. Gary McGraw is a globally recognized authority on software security and the author of eight best-selling books on the topic. His titles include "Software Security," "Exploiting Software," "Building Secure Software," "Java Security," "Exploiting Online Games," and six other books, and he is the editor of the Addison-Wesley Software Security Series. Dr. McGraw has also written more than 100 peer-reviewed scientific publications. Besides serving as a strategic counselor for top businesses and IT executives, Gary is on the Advisory Boards of MaxMyInterest, Ntrepid, and RavenWhite. He has also served as a Board member of Cigital and Codiscope (acquired by Synopsys) and as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). His dual Ph.D. in cognitive science and computer science is from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. He launched and has produced the monthly Silver Bullet Security Podcast since April 2006.
Listen as Taylor Armerding and Gary discuss how Gary came to Cigital and how the company's mission and Gary's role evolved over the years. They talk about software security during the "Java Security" era and whether things have gotten better or worse since the launch of the software security industry. Gary explains some of the touch points he introduced in "Software Security" and how they apply to all software development methodologies, and they explore the origins of the BSIMM, the CISO report, and the Silver Bullet Security Podcast. Finally, Taylor asks Gary about what the future holds for software security, especially across the ever-expanding Internet of Things, and for Gary after he departs from Synopsys.
Silver Bullet podcast: Elias Levy discusses hacking, programming languages, full disclosure, inventory control, and software security
Elias Levy, a.k.a. Aleph
Listen as Gary and Elias discuss how Elias got started in software security 25 years ago and wrote "Smashing the Stack" about stack buffer overflows. They talk about whether we've made enough progress in security since then, and Elias shares his optimistic views on security in areas such as architecture, languages, and platforms. Gary asks Elias what he thinks about fixing problems in broken programming languages versus fixing the languages themselves, and about his current views on the "full disclosure" debate that surrounded Bugtraq. Elias explains his "trajectory" patent as it relates to computer security and technology inventory and how it helps to be imaginative in the field. Finally, Gary and Elias discuss what computer security will look like in 25 years.
Silver Bullet podcast: Meera Rao discusses software design analysis, CI/CD, DevOps, and the importance of mentorship
Meera Rao is a senior principal consultant and the director of the secure development practice at Synopsys Software Integrity Group. She has over 20 years of experience in software development in a variety of roles, including lead developer, architect, project manager, and security architect. Before joining Synopsys through acquisition two years ago, Meera worked as a consultant at Cigital for over 10 years. Meera knows software security intimately and specializes in many touchpoints, including code review, static analysis implementation, architectural risk analysis, secure design, and threat modeling. Lately, she's turned her attention to DevOps and is leading efforts to tame that technology at Synopsys. Meera lives in Burtonsville, Maryland, with her husband and daughter, an aspiring orthopedic surgeon in her fourth year of medical school at Duke.
Listen as Gary and Meera discuss the advantages of coming to software security with a development background and the difficulties of dealing with security-related design flaws (as opposed to bugs). They talk about how to scale experience- and expertise-driven skills such as architecture risk analysis and why automation, for all its benefits, can fall flat. Gary asks Meera about the biggest danger of DevOps. They also discuss BSIMM9 and how software security has been and will be impacted by orchestration technology. Finally, Meera shares her professional mentoring experiences and some of the challenges still faced by women in tech.
Silver Bullet podcast: Filippo Valsorda discusses programming languages and the dynamic world of cryptography
Filippo Valsorda is a cryptographic engineer building and breaking systems in Go. He works at Google on the Go Open Source project, where he owns the Go cryptography standard libraries. Previously, at Cloudflare, he worked on TLS 1.3 and DNSSEC. He's best known for his 2014 Heartbleed vulnerability test. Filippo grew up in Milan, where he earned a scientific high school degree in 2013. In 2009 he participated in the World Math Games Championship as part of the Italian team, and in 2013 he won a bronze medal in the Italian Mathematical Olympiad. Filippo currently lives in New York City.
Listen as Gary and Filippo discuss the contrasting roles that static and dynamic languages play in software security. They talk about whether cryptographic implementations are getting better or worse and how cryptography has changed in the last decade. Filippo explains the biggest challenge of creating a cryptography library and his approach to breaking/attacking cryptography. Gary asks Filippo about how much people should worry about open source security, the unsettling world of blockchain and cryptocurrency, and finally, how Filippo accomplished the speed and scale of his Heartbleed test.
Silver Bullet podcast: Brittany Postnikoff discusses the maker culture and the problems with robots
Brittany Postnikoff is a graduate student in the Cryptography, Security, and Privacy Lab at the University of Waterloo. She researches the interplay between robots and social engineering to predict and mitigate the negative impact of social robots on security and privacy. As an undergrad at the University of Manitoba, she focused on human-robot interaction. Her work on robot skiing won first prize at the Humanoid Applications Challenge of the International Conference on Robotics and Automation in 2015. Brittany has given talks at ShmooCon, Troopers, Black Hat, and DEF CON. She holds diplomas in business administration and business IT from Red River College and is working on a master's degree at Waterloo, in Canada.
Listen as Gary and Brittany discuss robotics, maker culture, and the hands-on nature of learning. They closely examine the security and privacy problems that robots introduce -- including the ethical implications and built-in biases of human-robot interactions. Don't miss their discussion of robot vulnerability today and find out how vulnerable off-the-shelf robots really are.
Silver Bullet podcast: Interview with Gøran Breivik
Gøran Breivik is the CSO and chief privacy officer of the municipality of Bergen, Norway, the second-largest city in Norway, with a population approaching 300,000. After a brief stint in the army, Gøran was a consultant and programmer for a number of organizations. He's an early adopter and active participant in software security in the Nordics. He organized the ROOTS Conference for a decade, started and ran the Bergen Job and User Group for four years, and served on the board of the regional Norwegian Computer Society for two. More recently, Gøran has focused on building security in at the workplace, while his purview has expanded into privacy as GDPR sweeps the world. Gøran has a degree in information science from the University of Bergen and holds a CISSP. He lives in Bergen with his wife, Anne, and two teenage boys.
Listen as Gary and Gøran discuss what it's like to work for a city government and how to align the city's goals with software security. They also examine how to get the city to pay attention to security along with all other focus areas, including GDPR, the challenges of digitalization, and how to work with the city to set a budget as you address security and privacy goals and concerns.
Silver Bullet podcast: Interview with Kathleen Fisher
Kathleen Fisher is a professor and Chair of the Tufts Department of Computer Science. Previously, Dr. Fisher was a Program Manager at DARPA, where she started and managed HACMS and PPAML. She also has been a Faculty Member at Stanford, and a Principal Member of the Technical Staff at AT&T Labs Research. Kathleen's research focuses on advancing the theory and practice of programming languages. Recently she's been exploring synergies between machine learning and programming languages with an emphasis on building more secure systems. Dr. Fisher is an ACM Fellow. She's a recipient of the SIGPLAN Distinguished Service Award, vice-chair of DARPA's ISAT Study Group and a Trustee at Harvey Mudd College. Kathleen holds a B.Sc. in math and computer science, and a Ph.D. in computer science from Stanford. She lives with her husband in Cambridge, Massachusetts. Her daughter Elaine is in grad school.
Listen as Gary and Kathleen discuss scientific research versus hacking "research," programming languages and software security, hacking (or not hacking) autonomous helicopters at DARPA, why machine learning looks pretty similar to how it looked 25 years ago, and more.
Silver Bullet podcast: Nicholas Weaver discusses network security, botnets, and cryptocurrency
Nicholas Weaver joined ICSI as a postdoctoral fellow in 2003. The following year he was hired as a senior staff researcher where he continues to conduct research on network security and measurement, worms, botnets, and other internet-scale attacks. He received his bachelor's degree in astrophysics and computer science in 1995 from UC Berkeley. He also earned his Ph.D. in computer science from Berkeley in 2003 where he continues to teach courses. Although his dissertation work involved FPGA architectures, he has been focused on computer security since 2001. Dr. Weaver lives in Berkeley.
Listen as Gary and Nicholas discuss the Spectre vulnerability, botnet attacks, research tech transfer, cryptocurrencies
technology, and more.
Silver Bullet podcast: Tanya Janca discusses transitioning from developer to software security guru
Tanya Janca is a senior cloud advocate at Microsoft, where she specializes in software security. Her job involves evangelizing software security and advocating for developers through public speaking. She is also a leader in the OWASP
Listen as Gary and Tanya discuss the transition from development to security, election security, DevOps, and more.
Silver Bullet podcast: Ron Gula discusses government versus commercial security solutions
Ron Gula is a co-founder, with his wife Cyndi, of Gula Tech Adventures, a cybersecurity investment fund. He started his security career as a network penetration tester for the NSA. At BBN, he ran US Internetworking's team of penetration testers and incident responders. As the CTO of Network Security Wizards, Ron focused on security monitoring and produced the Dragon Intrusion Detection System. As CEO and co-founder of Tenable Network Security, Ron led the company from 2002 through 2016, scaling to more than 20,000 customers worldwide. He holds a BS in electrical engineering from Clarkson University and an MS in electrical and computer engineering from Southern Illinois University.
Listen as Gary and Ron discuss government and commercial security solutions, the NIST framework, tech transfer, technical advisory boards, and more.
Silver Bullet podcast: Elena Kvochko discusses security policy and security technology
Elena Kvochko is the CIO for the Group Security Function within a leading financial services organization. Previously she was an information technology manager at World Economic Forum, where she led global partnership programs on cyber resilience and the Internet of Things. She was also responsible for building relationships with information technology industry partners. Elena is the author of numerous articles and has contributed to Forbes, the New York Times, Harvard Business Review, and other media outlets. She is also a member of the Wall Street Journal CIO Network. She holds full CISSP and CEH certifications and has a master’s degree in technology policy from the University of Massachusetts, as well as executive certificates from MIT and Yale. She lives in New York City.
Listen as Gary and Elena discuss security policy, security technology, the role of a CIO, holistic security tactics, the economics of a security breach, and more.
Silver Bullet podcast: Craig Froelich discusses the 2018 CISO Report
Craig Froelich is the chief information security officer (CISO) for Bank of America. He leads the Global Information Security team responsible for security strategy, policy, and programs. Before moving to Bank of America through acquisition, he was responsible for Countrywide's
Listen as Gary and Craig discuss the role of the CISO in the financial services ecosystem and the newly released 2018 CISO Report.
Silver Bullet podcast: Bruce Potter discusses ShmooCon, DevOps, and the CISO role
Bruce Potter is CISO at Expel, where he is responsible for cyber risk and ensuring the secure operation of Expel's services. Previously, Bruce co-founded Ponte Technologies (sold to KeyW Corporation). He then served as CTO at KeyW for 2 years. Before that, Bruce was a security consultant at Cigital. In a seemingly previous life, Bruce founded the Shmoo Group. To this day, he helps run the annual hacker conference ShmooCon. He has co-authored several books, including "802.11 Security," "Aggressive Network Self-Defense," and "Host Integrity Monitoring." Bruce regularly speaks at DEF CON, Black Hat, and O'Reilly Security conferences. He lives in Maryland with his family.
Listen as Gary and Bruce discuss ShmooCon, the state of software security books, network security trends, hacking back, the relationship between preventative security engineering and operational security, DevOps, the CISO role, and more.
Silver Bullet podcast: Adrienne Porter Felt discusses usable security at Google and web versus mobile permission models
Adrienne Porter Felt is a senior staff software engineer within the Chrome Security team where she leads Google's usable security efforts. Dr. Felt focuses on front-end work, building security user interfaces, experimental design, large-scale data analysis, and management. Previously, she was a research scientist on Google's Security Research team. She has also worked as a security consultant at HP Enterprise Security. Dr. Felt earned a Ph.D. in Computer Science from UC Berkeley. She also holds a BS in Computer Science from the University of Virginia. She lives in California with her husband, Mark, and young son, Emerson.
Listen as Gary and Adrienne discuss usable security, web and mobile security indicators, browser warnings, permission models, and more.
Silver Bullet podcast: Matias Madou discusses secure development training and software security testing research
Matias Madou is a co-founder and the CTO of Secure Code Warrior, where he provides the company's technology vision and oversees the engineering team. He has over 15 years of hands-on software security experience. Matias was a researcher at HP Fortify and a founder of Sensei Security. He also holds 10 patents and has been very active in technology transfer from the lab to commercial products. He's a sought-after speaker as well, and we're proud of his presence at the 2017 BSIMM Community Conference. Matias holds a Ph.D. in computer engineering from Ghent University and currently lives in Belgium with his family.
Listen as Gary and Matias talk about effective software security testing methods, security research, secure development training, and more.
Silver Bullet podcast: Nicole Perlroth discusses life as a cybersecurity journalist
Nicole Perlroth covers cybersecurity for the New York Times. Before joining the San Francisco bureau in 2011, she was deputy editor at Forbes where she covered venture capital and web start-ups. Nicole is the recipient of several journalism awards for her reporting on efforts by the Chinese government to steal military and industrial trade secrets. She is currently working on a cybersecurity book, This Is How They Tell Me the World Ends for Penguin/Portfolio (2017). She holds a B.A. in Politics and Near Eastern Studies from Princeton and an M.A. in Journalism from Stanford. She's a native of the Bay Area where she still lives.
Listen as Gary and Nicole talk about life as a cybersecurity journalist, being a woman in the security industry, and playing up the sex appeal of cybersecurity.
Silver Bullet podcast: Wafaa
Born and raised in Morocco, Wafaa also lived in the UK, France, and the Middle East before relocating to Indianapolis, Indiana in 2008. She holds a Master's in Computer Science from INSEA in Rabat, Morocco. She holds another Master's in Business Applications of Information and Technology from Université Rennes 2 in Rennes, France. Additionally, Wafaa holds a General Management Certificate from the London Business School. Most recently, in 2015, she graduated from the Harvard Business School Advanced Management program.
Listen as Gary and Wafaa cover cultural differences in technology management, CISO education, organizational hierarchy, and more.
Silver Bullet podcast: Pavi Ramamurthy discusses the relationship between development and software security
Pavi Ramamurthy manages the security ecosystem at LinkedIn as a Senior Information Security Manager. The Security Ecosystem team holds much of the responsibility for software security at the firm, including software security training, awareness, bug herding, application vulnerability response, program management, and
Listen as Pavi and Gary discuss whether a background in development makes you a better software security resource, CI/CD, security testing, the role that office hours play in software security awareness, and more.
Silver Bullet podcast: Ksenia Dmitrieva-Peguero discusses software security and AngularJS
Ksenia Dmitrieva-Peguero is a Principal Consultant within Synopsys' Software Integrity Group. She is a subject matter expert in a variety of software security practices including static analysis tool design and execution, customization, and deployment. She is also an expert in the areas of penetration testing and threat modeling. Throughout her career as a consultant, Ksenia has established and evolved secure coding
Listen as Gary and Ksenia discuss software security awareness, AngularJS, security conferences, and more.
Silver Bullet podcast: Kelly Jackson Higgins Discusses Cyber Security Journalism
Kelly Jackson Higgins is the Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with over 20 years of experience as a reporter and editor. Publications that Kelly has been associated with include Network Computing, Secure Enterprise Magazine, Communications Week, and more. Kelly's coverage of computer (i.e., cyber) security has led her to be selected as one of the top 10 cybersecurity journalists in the U.S. She holds a BA from the College of William and Mary where she also played on the women's soccer team. She currently lives near Charlottesville, VA.
Listen as Gary and Kelly discuss how to separate fact from fiction when it comes to news in security, changes in security-focused journalism in recent years, social media, security politics, and more.
Silver Bullet podcast: Cheryl Biswas Discusses the Politicization of Cyber Security
Cheryl Biswas is a Cyber Security Consultant focusing on threat intelligence at KPMG Canada. Her IT career began over 20 years ago at CP Rail's helpdesk, with further roles in vendor management and change management. She went on to work as an InfoSec researcher at JIG Technologies where she advised her team and clients on security matters and weekly threat intel updates. Cheryl strives to connect people within information security, with a focus on end users. She shares a passion for learning and security by blogging, speaking at conferences, and through her social media presence. Cheryl holds a B.A. in Political Science from York University. She lives in Toronto, Canada with her three kids.
Listen as Gary and Cheryl discuss aligning security to work as a service for the business rather than an imposition for employees, trending
Silver Bullet podcast: Kate Pearce Discusses the Relationship Between Biology and Security
Kate Pearce is a Senior Security Consultant at Cisco within the Customer Solutions division. In her career, Kate approaches security from diverse perspectives encompassing defenders, builders, assessors, and attackers. Her approach blends business, academic, and assessment contexts with a clear focus on evidence-driven security approaches. Kate holds an MSc and a BSc in Computer Science from the University of Canterbury. A repatriated Kiwi, she currently lives in Wellington, New Zealand with her wife and cat.
Listen as Gary and Kate discuss the state of the software security industry, gender perspectives in the security space, the relationship between biology and security, and more.
Silver Bullet podcast: Jessy Irwin Discusses How to Make Security and Privacy Accessible
Jessy Irwin is Vice President of Security and Privacy at Mercury Public Affairs. Her work focuses on human-centric technology and security. Jessy works tirelessly to make security and privacy accessible to the average person through education and awareness. As an outspoken advocate, she writes and speaks publicly about security research, strong crypto, and security education. She studied Art History and French at Virginia Tech and is now based in San Francisco.
Listen as Gary and Jessy discuss social engineering, security research, and security education and accessibility.
Silver Bullet podcast: Kelly Lum Discusses Bug Hunting and a Unique Analytical Outlook on Security
Kelly Lum, a.k.a.
Listen as Gary and Kelly discuss the differences between application security and software security, finding bugs versus fixing bugs, improving code review tools, and how mental illness affects her analytical security outlook.
Silver Bullet podcast: Lesley Carhart Discusses Incident Response and Digital Forensics
Lesley Carhart is the Security Incident Response Lead at a large corporation in the Chicagoland area where she and her team work with digital theft, misconfiguration, and hacking issues. She has 17 years of experience in the IT industry, eight of which focus on incident response and digital forensics. Lesley holds a BS in Network Technologies from DePaul University. She is an active writer and speaker and serves on the CircleCityCon staff.
Listen as Gary and Lesley discuss the evolution of computer security, incident response, digital forensics, security engineering, security certifications, and more.
Silver Bullet podcast: Marie Moe Discusses Medical Device Security
Dr. Marie Moe is a Security Researcher at SINTEF and an Associate Professor at the Norwegian University of Science and Technology. She was previously a Team Leader at NorCERT, the Norwegian national CERT, where she managed
Listen as Gary and Marie discuss her research and the future of medical device security.
Silver Bullet podcast: Mike Pittenger Discusses Open Source Software Security
Mike Pittenger is the VP of Security Strategy at Black Duck Software where he is responsible for strategic leadership of security solutions, including product direction and strategic alliances. He has 30 years of experience in technology and business, more than 25 years of management experience, and has spent the past 15 years focusing on security. Mike previously served as VP and General Manager of the product division of @stake. After @stake’s acquisition, he led the spin-out of his team to form Veracode. He later served as VP of the product and training division of Cigital. Mike also works as an independent consultant helping security companies identify, define, and prioritize their security product approaches.
Listen as Gary and Mike discuss open source security including OpenSSL, containerization, and progress being made in the industry.
Silver Bullet podcast: Jim Manico Discusses Static Analysis, Open Source, and Developer Training
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and secure engineering. He is also the founder of Brakeman Security which produces a Ruby on Rails security scanner. He is a volunteer and Former Global Board Member of the Open Web Application Security Project (OWASP) and the author of Iron-Clad Java: Building Secure Web Applications. With nearly 20 years of software development
Listen as Gary and Jim discuss recent developments with static analysis, the relationship between open source and security, programming languages frameworks and how they impact tools, developer training, enterprises moving to the cloud, and island life.
Silver Bullet podcast: Lance Cottrell Discusses Anonymity and Privacy
Lance Cottrell is the Chief Scientist at Ntrepid where he works on the Passages product. He founded Anonymizer, Inc. in 1995, which was later acquired in 2008. Lance has been at the cutting edge of Internet privacy, anonymity, and security for over 20 years. He is on the board of the North Bay Angels and is a mentor for SoCo Nexus Sprout. He lives in Sonoma County, California where he also dabbles in winemaking.
Listen as Gary and Lance discuss privacy, anonymity, Tor, attribution issues, browser security, geolocation, anonymity tools, and more.
Silver Bullet podcast: David Nathans Discusses Security Operations Centers and Medical Device Security
David Nathans is a security professional with Siemens Healthcare where he specializes in medical device security. He has extensive experience in building security operations centers (SOCs) and
Silver Bullet podcast: Marty Hellman Discusses Cryptography and Nuclear Non-Proliferation
Martin E. Hellman is Professor Emeritus of Electrical Engineering at Stanford University. A graduate of New York University, Martin went on to earn both a Master's degree and Ph.D. in Electrical Engineering from Stanford. He is the author of over 70 technical papers, holder of 12 U.S. patents, co-inventor of public key cryptography, and the 2015 Turing Award recipient.
Listen as Gary interviews Martin about his cutting-edge career, involvement in the crypto wars, and his work with nuclear non-proliferation and risk management.
Silver Bullet podcast: Jacob West Discusses the IEEE CSD, Bugs, Flaws
As the Chief Architect for Security Products at NetSuite, Jacob West leads research and development for technology to identify and mitigate security threats. West has over a decade of experience developing, delivering and monetizing innovative security solutions. Prior to his role at NetSuite, he served as the CTO for Enterprise Security Products (ESP) at HP where he founded and led HP Security Research. West is the co-author of Secure Programming with Static
Silver Bullet podcast: Jack Daniel Discusses Security BSides, Communities and the Big Picture of Security
Gary talks to Jack Daniel, a leading technology community activist, about the evolution of the community-driven BSides Con, changes in the security field over the last decade, and his thoughts on where good security people come from. Jack is currently a Strategist for Tenable Network
Silver Bullet podcast: Jamie Butler Discusses Security Research, Thinking Like a Hacker and Rootkit Development
Gary talks to Jamie Butler, a self-proclaimed "coder at heart," about the importance of an offensive security approach, attack patterns and his specialization in rootkit development. Jamie is currently the CTO and Chief Scientist at Endgame where he leads research on advanced threats, vulnerabilities and attack patterns. He has directed vulnerability research teams at a number of prominent companies. Jamie holds
Silver Bullet podcast: Doug Maughan Discusses the Current State Of Cyber Security In the U.S. Department Of Homeland Security
Gary talks to Dr. Doug Maughan about scientific research in computer security and its relationship to wider government efforts in security. Maughan is currently the Cyber Security Division (CSD) Director for the Homeland Security Advanced Research Projects Agency. With a Ph.D. in Computer Science and over 10 years of experience working with the Department of Homeland Security (DHS), Maughan focuses his expertise on advancing the state of security technology through the research “valley of death.” Listen as Gary and Doug discuss tech transfer, the relationship between scientific research and government funding, and the widening gap between scientific computer security results and the insufficient computer security measures attempted by the government today.
Silver Bullet podcast: Peter Clay Discusses the Evolution of the CISO Role
Gary talks to the Chief Information Security Officer of Qlik, Peter “Pete” Clay, who holds 20+ years of experience in technology growth and its relationship to security from a risk management perspective. Pete brings federal, public, private and start-up insight into the global security space. He shares personal lessons he has learned as a consultant and CISO, and gaps he has identified within the ever-changing security industry. Listen as Gary and Pete discuss the evolution of the CISO role, reactive approaches to security and the potential for cyber warfare.
Silver Bullet podcast: Chandu Ketkar Discusses Software Security Best Practices
Gary talks to Cigital's Chandu Ketkar. With 20+ years of experience as a developer prior to getting into security, Chandu brings a unique and enlightened view to software security. Chandu shares his insight into why developers and security experts struggle to get
Silver Bullet podcast: Steve Bellovin and Matt Green discuss "Crypto Wars II"
We thought the "crypto wars" were resolved in the late 1990s. But the introduction of encrypted devices -- specifically the release of iOS 8 and the growing number of available encrypted communication channels through public services such as Facebook and Snapchat -- has resurfaced the debate. FBI Director James Comey and other law enforcement officials are concerned about what they call "going dark" and are stressing the need for back door access (which they call "exceptional access"). But is this really a good idea? Didn't we already fight this battle during the first crypto wars? Matthew Green and Steve Bellovin, two of the authors of the recently released Keys Under Doormats paper, discuss the dangerous ramifications of this request.
Silver Bullet podcast: An Interview with Marcus Ranum
Has software security actually gotten worse? On the 111th episode of The Silver Bullet Security Podcast, Gary talks with Marcus Ranum, Chief Security Officer of Tenable Network Security. He is credited with inventing the proxy firewall and was an early builder of intrusion detection systems. Gary and Marcus discuss the current state of software security, firewalls, de-
Silver Bullet podcast: An Interview with Paul Dorey
On the 110th episode of The Silver Bullet Security Podcast, Gary talks with Paul Dorey, founder of CSO Confidential and Visiting Professor at the University of London. Gary and Paul discuss the modern role of the CSO and the ideal background for a CSO, Paul's biggest win and biggest mistake as a CSO, and the role of building security in as part of a CSO's strategy. They close out the episode with
Silver Bullet podcast: An Interview with Bart Preneel
On the 109th episode of The Silver Bullet Security Podcast, Gary is joined by Bart Preneel. Bart is a full professor at the KU Leuven, one of the oldest universities in the world. Gary and Bart discuss the differences in approaches to security between the EU and the US, what the picture of building security
Silver Bullet podcast: An Interview with Katie Moussouris
In the 108th episode of the Silver Bullet Security
Silver Bullet podcast: An Interview with Jean Camp
L. Jean Camp is a Professor at the Indiana University School of Informatics and Computing. Gary and Jean discuss usability and security, whether users' implicit expectations of security and privacy are enough to move the mobile market, and "old people" and security. They close out their discussion with the most surprising hangover cure and Jean's favorite album of 2014.
Silver Bullet podcast: An Interview with Steve Katz
Steve Katz is owner and founder of Security Risk Solutions and the "world's first CISO." Gary and Steve discuss the history and evolution of the CISO position, the difficulty of measuring risk in a realistic fashion, how to allocate resources between proactive security engineering and standard network security, triage, and incident response, what it means to be an executive, and the FS-ISAC.
Silver Bullet podcast: An Interview with Whitfield Diffie
On the 105th episode of the Silver Bullet Security Podcast, Gary talks with the legendary Whitfield Diffie, a pioneer of public-key cryptography. Gary and Whitfield discuss the history of public key cryptography, Diffie's work on the "proof of correctness of programs," and if backdoors into
Silver Bullet podcast: An Interview with Rick Gordon
On the 104th episode of the Silver Bullet Security Podcast, Gary chats with Rick Gordon,
Silver Bullet podcast: An Interview with Brian Krebs
On the 103rd episode of the Silver Bullet Security Podcast, Gary talks with Brian Krebs, reporter
Silver Bullet podcast: An Interview with Richard Danzig
On the 102nd episode of the Silver Bullet Security Podcast, Gary chats with Richard Danzig, one time Secretary of the Navy and Board member of the Center for New American Security (among several other things). Gary and Richard discuss Richard's time at the Department of Defense, what he learned when running the US Navy that can be applied to computer security, Richard's recommendations from his important new CNAS report, and how the report is designed to have an impact on policy. They close out their chat with a high-brow art discussion.
Silver Bullet podcast: A roundtable with founding members of the Center for Secure Design
In the 101st episode of the Silver Bullet Security Podcast, Gary talks with Jim Del Grosso (Cigital), Yoshi Kohno (University of Washington), and Christoph Kern (Google) in a roundtable devoted to the new IEEE Center for Secure Design. The participants discuss the origin of the Center, why design flaws are more difficult to fix than implementation bugs, design flaws in automobile design and how the top 10 most common flaws recently published by the Center for Secure Design were compiled.
Silver Bullet podcast: A roundtable with Cigital's principals
After 100 months in a row (over 8 years), the Silver Bullet Security Podcast with Gary McGraw hits its landmark 100th episode. In this
Silver Bullet podcast: An interview with Michael Hicks
Silver Bullet podcast: An interview with Bart Miller
In this episode, Gary chats with Bart Miller, Professor of Computer Science at the University of Wisconsin-Madison and Chief Scientist of the DHS Software Assurance Marketplace Research Facility. Gary and Bart discuss Heartbleed, fuzz testing, his work with Jeff Hollingsworth on dynamic instrumentation of binaries, and the SWAMP project.
Silver Bullet podcast: An interview with Aaron Bedra
In this episode, Gary chats with Aaron Bedra, Senior Manager of Application Security at Groupon. Gary and Aaron discuss how security is viewed by development teams that Aaron has worked with, how a security person could transition into software security, the importance of developing a security culture, and type safety and closure in programming.
Silver Bullet podcast episode: An interview with Nate Fick
In this episode, Gary talks with Nate Fick, CEO of Endgame. Gary and Nate discuss the use of the term "
Silver Bullet podcast episode: An interview with Charlie Miller
In this episode, Gary talks with Charlie Miller, a computer security researcher with Twitter. They discuss Charlie’s history in finding security flaws in Apple products, hacking cars, and whether we’re past the bug whack-a-mole days.
Silver Bullet podcast episode: An interview with Ming Chow
In this episode, Gary chats with Ming Chow,
Silver Bullet podcast episode: An interview with Yoshi Kohno
In this episode, Gary chats with Yoshi Kohno, Associate Professor of Computer Science and Engineering at the University of Washington, about how much academic security impacts commercial security, car hacking, whether it’s possible to get the media to cover good software security, and helping consumers understand
Silver Bullet podcast episode: An interview with Jon Callas
In this episode, Gary chats with Jon Callas, Chief Technology Officer at Silent Circle and all around crypto freedom fighter. Gary and Jon talk about the early days of computing, insanely early computer security, nascent crypto, PGP, Lavabit, Snowden, and what Silent Circle is doing to make secure comms actually work. They also chat briefly about software security and reality.
Silver Bullet podcast episode: An interview with Caroline Wong
In this episode, Gary talks with Caroline Wong, Cigital’s Director of Security Initiatives. Gary and Caroline discuss the newly-released BSIMM-V, the concept of “SSI (Software Security Initiative) in a box,” the most successful metrics that Caroline has used throughout her career at eBay and other high-profile firms, and how to increase the number of women in computer science.
Silver Bullet podcast episode: An interview with Matthew Green
In this episode, Gary talks with Matthew Green, Assistant Research Professor at the Johns Hopkins Information Security Institute. Gary and Matt discuss the difference between theoretical cryptography and applied cryptography, the "On the NSA" blog post takedown scare, and the allegedly backdoored Dual_EC_DRBG random number generator, the NIST-standardized generator that RSA/EMC shipped as the default in its BSAFE library.
Silver Bullet podcast episode: An interview with Michael Reiter
In this episode, Gary chats with Mike Reiter, Lawrence M. Slifkin Distinguished Professor in the Department of Computer Science at the University of North Carolina at Chapel Hill. Gary and Mike discuss the differences and similarities between academic research and corporate research, the challenges of teaching computer security, and how to attract more women to the field of software security. They close out their discussion with some talk about mixed martial arts.
Silver Bullet podcast episode: An interview with Christian Collberg
In this episode, Gary talks with Christian Collberg, Ph.D., Associate Professor of Computer Science at the University of Arizona. Gary and Christian discuss what drew Christian to teaching Computer Security in the United States after living in several other countries, Christian’s book Surreptitious Software, Christian’s opinions on products that purport to offer software protection on mobile devices, and whether software security students should be taught to think like an attacker. They close out their talk with
Silver Bullet podcast episode: An interview with James Walden
In this episode, Gary chats with James Walden, Ph.D., Associate Professor of Computer Science at Northern Kentucky University. Gary and James discuss the progress being made in the field of software security, why there are plenty of top N lists for bugs but none for flaws, the difficulties of teaching how to fix code, the current generation’s outlook on privacy, and security metrics and measurement.
Silver Bullet podcast episode: An interview with Wenyuan Xu
In this episode, Gary chats with Wenyuan Xu, Associate Professor in the Department of Computer Science and Engineering at the University of South Carolina. Gary and Wenyuan discuss the differences between American and Chinese technical culture, Wenyuan’s work on automatic meter reading systems, whether electrical engineering is more advanced in terms of design than computer science, and why there are so few women in engineering and computer science. They close out the episode with a discussion of tailgating.
Silver Bullet podcast episode: A discussion with Jim Routh and Scott Matsumoto
In this episode, Gary talks mobile security with two guests—Jim Routh, former global head of application security at JP Morgan Chase (and newly-appointed CSO), and Scott
Silver Bullet podcast episode: An interview with Hord Tipton
In this podcast, Gary chats with W. Hord Tipton, Executive Director of (ISC)2. Gary and Hord discuss how to get into science and engineering when growing up in rural Tennessee, what insight being a nuclear and chemical engineer gives Hord about modern control systems, whether or not certification helps to advance software security, and the benefits of teaching software security to kids.
Silver Bullet podcast episode: An interview with Mark Graff
In this podcast, Gary talks with Mark Graff, CISO at NASDAQ OMX. Gary and Mark discuss what a CISO actually does all day, how corporate security posture at NASDAQ compares to the security posture at Lawrence Livermore National Laboratory, Enrico Fermi and the piano tuners (the “Fermi problem”) and how it relates to estimation, and the most surprising cultural difference between the left and right coasts. They close out their conversation with talk about Mark’s favorite poem from the mid-19th century (and it still has a software security connection!).
Silver Bullet podcast episode: An interview with Kevin Fu
In this podcast, Gary talks with Kevin Fu, Associate Professor in the EECS Department at the University of Michigan. Gary and Kevin talk about finding advisors and picking a grad school, the security implications of embedded medical devices, the presence of malware in hospital systems, the consumer trend toward analyzing health data, and the issues associated with teaching design analysis to other humans.
Jack Daniel Discusses Security BSides, Communities and the Big Picture of Security