Podcasts about Cigital

  • 23 podcasts
  • 30 episodes
  • 44m average duration
  • Infrequent episodes
  • Latest: Jan 15, 2024


Latest podcast episodes about Cigital

The Social-Engineer Podcast
Ep. 243 - Security Awareness Series - Be a Cultural Lightning Rod with Robert Wood
Jan 15, 2024 (40:23)

Today on the Social-Engineer Podcast: The Security Awareness Series, Ryan and I are joined by Robert Wood. Mr. Wood is the Chief Information Security Officer (CISO) for the Centers for Medicare and Medicaid Services (CMS). He leads enterprise cyber security, compliance, privacy, and counter intelligence functions at CMS and ensures the Agency complies with secure IT requirements while encouraging innovation. Mr. Wood has over 10 years of experience in information technology, information security and management consulting. Prior to CMS, Mr. Wood has built and managed several security programs in the technology sector. He was also formerly a Principal Consultant for Cigital where he advised enterprises about their software security programs. He also founded and led the red team assessment practice with Cigital, focused on holistic adversarial analysis, helping organizations identify and manage risks from alternative perspectives. Mr. Wood has a B.S. in Information Management & Technology from Syracuse University.

00:00 - Intro
00:18 - Ryan Intro
01:03 - Intro Links:
- Social-Engineer.com - http://www.social-engineer.com/
- Managed Voice Phishing - https://www.social-engineer.com/services/vishing-service/
- Managed Email Phishing - https://www.social-engineer.com/services/se-phishing-service/
- Adversarial Simulations - https://www.social-engineer.com/services/social-engineering-penetration-test/
- Social-Engineer channel on SLACK - https://social-engineering-hq.slack.com/ssb
- CLUTCH - http://www.pro-rock.com/
- innocentlivesfoundation.org - http://www.innocentlivesfoundation.org/
04:28 - Robert Wood Intro
05:35 - A Small Career Jump
10:31 - The Constant Desire to Learn
12:58 - Unique Challenges
16:08 - Measure & Manage
20:01 - Making it Human
23:14 - Executive Power
26:35 - Pushing Up
29:18 - Part of a Team
32:45 - Mentors
- Jim Routh
- Jason Hills
- Amit Sethi
35:44 - Book Recommendations
- Think Again - Adam Grant
- Steal Like An Artist - Austin Kleon
38:29 - Find Robert Wood Online
- LinkedIn: linkedin.com/in/holycyberbatman
- Website: softsideofcyber.com
39:32 - Wrap Up & Outro
- www.social-engineer.com
- www.innocentlivesfoundation.org

Stories of Infosec Journeys - Indian Edition
Stories of Infosec Journeys - In conversation with Anshuman Bhartiya
Aug 24, 2023 (21:34)

Speaker Intro
Anshuman is an Information Security Professional with more than a decade of experience in the security industry. He has worked with organizations such as Cigital, EMC, Intuit, Atlassian and Thirty Madison, and is currently a Security Engineer at Lyft. At the core, he loves building programs from scratch, working on difficult and interesting security engineering problems, innovating by using the latest technologies, exploring greenfield areas, and constantly pushing himself to learn something new every day. He has given a workshop at Defcon'17 and spoken at conferences such as Black Hat Arsenal, Defcon Recon Village, Toorcon, Rootcon and AtlasCamp.

You can reach out to him on Twitter & LinkedIn:
- Twitter - @anshuman_bh
- LinkedIn - https://www.linkedin.com/in/anshumanbhartiya/

Conference registration details:
- Bsides Singapore - 22nd Sept 2023. Tickets - https://bsidessg.org/booknow/ Schedule - https://bsidessg.org/schedule/
- Bsides Ahmedabad - 6th Oct 2023. Tickets - https://bsidesahmedabad.in/registration Use the following discount codes: SOIJBSIDESAHM (10% off on conference passes), SOIJTRAINBSIDESAHM (20% off on training passes)

Follow the "Stories of Infosec Journeys" podcast on:
- LinkedIn - Stories of Infosec Journeys
- Twitter - @InfosecJourneys
- Instagram & Facebook - @storiesofinfosecjourneys

Kindly rate the podcast on Spotify and leave a review on Apple Podcasts.

Tattoos, Code, & Data Flows
Managing Cybersecurity in Medicare & Medicaid w/ Robert Wood, CISO of CMS
Aug 24, 2022 (38:32)

In Episode 24 of Tattoos, Code, and Data Flows, Matt Rose interviews Robert Wood, CISO of the Centers for Medicare & Medicaid Services. Robert Wood leads enterprise cyber security, compliance, privacy, and counter intelligence functions at CMS and ensures the Agency complies with secure IT requirements while encouraging innovation. He has over 10 years of experience in information technology, information security and management consulting. Prior to CMS, Robert has built and managed several security programs in the technology sector. He was also formerly a Principal Consultant for Cigital where he advised enterprises about their software security programs. He also founded and led the red team assessment practice with Cigital, focused on holistic adversarial analysis, helping organizations identify and manage risks from alternative perspectives.

Robert and Matt talk about:
↳ Transitioning from start-ups to working for a federal enterprise
↳ The problem with "zero trust" today
↳ Shifting everywhere in the CI/CD pipeline
↳ Robert's story to becoming a successful CISO
And so much more.

Be sure to listen to this episode, and so many of our other great episodes, by hitting the follow button. Make sure to like and subscribe to the episode. We hope you enjoy it!

Security Stories
40: Building trust, with Brad Arkin
Oct 29, 2021 (80:46)

On today's show our guest is Brad Arkin, Cisco's Chief Security and Trust Officer. Before joining Cisco (the very same day Cisco issued a work-from-home mandate in March 2020!), Brad was Adobe's first Chief Security Officer. He grew the security function from just a few employees to over 600 globally. Early in Brad's career, he co-founded the Software Security Group at Cigital and led the Application Security practice for AtStake. He was a pioneer in software security, helping code writers in commercial settings adopt a "built-in security" approach throughout the development process rather than treating security as an afterthought. Since joining Cisco, he has led the company's rapid global Zero Trust architecture deployment to over 100,000 users across 120,000 devices in just five months. He is focused on evolving the Cisco Secure Development Lifecycle and security governance models to help accelerate Cisco's transition to software and services.

Also on today's show, we invite Mitch Neff from the Beers with Talos podcast to join us, to see if we can settle the score from our 'Would I lie to you?' episode which ended in a heartbreaking tie. As Ben tells his security career story, can Mitch win the title for his team? Or will he lose it all? Will anyone's dignity remain intact?

Plus, Ben has been visiting the database vaults and has some excellent research on the top threats encountered by Cisco Secure Firewall, and the Secure IPS component and Snort rules used to control and inspect the traffic on the network. To see Ben's research in full, visit https://blogs.cisco.com/security/threat-trends-firewall

CERIAS Security Seminar Podcast
Gary McGraw, Security Engineering for Machine Learning
May 26, 2021 (62:27)

Machine Learning appears to have made impressive progress on many tasks including image classification, machine translation, autonomous vehicle control, playing complex games including chess, Go, and Atari video games, and more. This has led to much breathless popular press coverage of Artificial Intelligence, and has elevated deep learning to an almost magical status in the eyes of the public. ML, especially of the deep learning sort, is not magic, however. ML has become so popular that its application, though often poorly understood and partially motivated by hype, is exploding. In my view, this is not necessarily a good thing. I am concerned with the systematic risk invoked by adopting ML in a haphazard fashion. Our research at the Berryville Institute of Machine Learning (BIIML) is focused on understanding and categorizing security engineering risks introduced by ML at the design level. Though the idea of addressing security risk in ML is not a new one, most previous work has focused on either particular attacks against running ML systems (a kind of dynamic analysis) or on operational security issues surrounding ML. This talk focuses on the results of an architectural risk analysis (sometimes called a threat model) of ML systems in general. A list of the top five (of 78 known) ML security risks will be presented.

About the speaker:
Gary McGraw is co-founder of the Berryville Institute of Machine Learning. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications. Gary serves on the Advisory Boards of Code DX, Maxmyinterest, Runsafe Security, and Secure Code Warrior. He has also served as a Board member of Cigital and Codiscope (acquired by Synopsys) and as Advisor to Black Duck (acquired by Synopsys), Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). Gary produced the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine for thirteen years. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the Luddy School of Informatics, Computing, and Engineering.

Down the Security Rabbithole Podcast
DtSR Episode 444 - TPA Gary is Awful at Retirement
Apr 27, 2021 (46:57)

Prologue
I'm honored to have Gary McGraw on with James and myself on this episode. I hadn't realized, but Gary retired from (what was formerly) Cigital - and by retired I mean "started something new". Gary sucks at retirement, but he's brilliant and has a lot to say about machine learning and its applications, so you should really listen in. No, "AI" isn't going to take over security - but it's worth exploring the enormous contributions machine learning makes to our lives and how they can be abused.

Guest
Gary McGraw
- Twitter: https://twitter.com/noplasticshower
- Home: https://www.garymcgraw.com/
- Boards he's on: https://www.garymcgraw.com/technology/business/
- Info on Berryville Institute: https://berryvilleiml.com/
- ARA for ML: https://berryvilleiml.com/results/ara.pdf

CERIAS Security Seminar Podcast
Caroline Wong, Security Industry Context
Feb 24, 2021 (46:46)

Join Caroline Wong, Cobalt.io's head of Security and People, for a unique perspective on the role of humans in cybersecurity.

About the speaker:
Caroline Wong is the Chief Strategy Officer at Cobalt.io. Wong's close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager and day-to-day leadership roles at eBay and Zynga. She teaches cybersecurity courses on LinkedIn Learning and is a member of the Forbes Technology Council. Wong was named 2019 Cyber Educator of the Year in the 6th Annual Cyberjutsu Awards. She authored the popular textbook Security Metrics: A Beginner's Guide, published by McGraw-Hill. Wong graduated from U.C. Berkeley with a BS in electrical engineering and computer sciences and holds a certificate in finance and accounting from Stanford University Graduate School of Business.

AppSec Builders
Shift Everywhere with John Steven
Feb 10, 2021 (39:06)

In this episode of AppSec Builders, Jb is joined by security expert John Steven to discuss his BSIMM study findings, the fundamental shifts in AppSec, software-defined security governance, and much more.

About John:
- LinkedIn: https://www.linkedin.com/in/m1splacedsoul/
- Twitter: https://twitter.com/m1splacedsoul

Through his firm Aedify, John advises innovative security product firms as well as maturing security initiatives. John leads one such firm, ZeroNorth, as CTO. For two decades, John led technical direction at Cigital, where he rose to the position of co-CTO. He founded spin-off Codiscope as CTO in 2015. When both Cigital and Codiscope were acquired by Synopsys in 2016, John transitioned to the role of Senior Director of Security Technology and Applied Research. His expertise runs the gamut of software security—from managing security initiatives, to cloud security, to threat modeling and security architecture, to static analysis, as well as risk-based security orchestration and testing. John is keenly interested in software-defined security governance at the cadence of modern development. As a trusted adviser to security executives, he uses his unparalleled experience to build, measure, and mature security programs. He co-authors the BSIMM study and serves as co-editor of the Building Security In department of IEEE Security & Privacy magazine. John is regularly invited to speak and keynote.

Resources:
- Latest BSIMM: https://www.bsimm.com/download.html?cmp=pr-sig&utm_medium=referral
- Aedify Security: https://www.linkedin.com/company/aedifysecurity/
- Concourse Labs: https://www.concourselabs.com/

Transcript

[00:00:02] Welcome to AppSec Builders, the podcast for practitioners building modern AppSec, hosted by JB Aviat.

Jb Aviat: [00:00:14] So welcome to this episode of AppSec Builders. Today I'm proud to interview John Steven. So, John is the founding principal at Aedify where he advises product security firms. John, before that, you led ZeroNorth as a CTO and before that you were leading as co-CTO at the Cigital firm. Welcome, John.

John Steven: [00:00:36] Hello, how are you? Thanks for having me.

Jb Aviat: [00:00:38] I'm great, thanks for joining. So John, another thing that you've done is that you co-authored BSIMM, so could you let us know what it is and how it can be a useful tool to AppSec builders?

John Steven: [00:00:50] Yeah, it's worth clarifying because it's frequently misunderstood. The BSIMM is the Building Security In Maturity Model observational study. We went out and over a period of 11 years we've studied about two hundred, over two hundred firms, and asked the question: what do you actually do to build your security initiative and to secure your software? And it doesn't prescribe what to do, but you can use it to look at what firms that are within your vertical, or that look similar to you in terms of maturity, are doing with their time and money, and decide whether or not you want to replicate those behaviours or cut your own.

Jb Aviat: [00:01:29] So you are interviewing CISOs, application security practitioners, developers, every actor of the security game.

John Steven: [00:01:38] Yes. Historically, the list has looked like what you described. What was interesting to us about the last two years of this study is that when we began talking with the CISO, they'd say, oh, you need to talk to the VP of Cloud on this, or actually you need to talk to the SREs and to delivery or to the VP of engineering. The people we had to talk to fundamentally changed over the last two years. And that was a key finding that we wrote about this year, that the people doing the work of security were shifting from the security group to the engineering, digital transformation and cloud groups.

John Steven: [00:02:20] And that's a big deal, right, because there's been these phrases...

Open Web Application Security Project (OWASP) - Portland, Oregon Chapter
Caroline Wong - What a Top Chief Strategy Officer Has to Say About Security These Days
Oct 17, 2020 (25:15)

Our very special guest today is Caroline Wong. She is the Chief Strategy Officer at Cobalt. As CSO, Caroline leads the Security, Community, and People teams at Cobalt. She brings a proven background in communications, cybersecurity, and experience delivering global programs to the role. Caroline's close and practical information security knowledge stems from her broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. Caroline also hosts the Humans of InfoSec podcast, teaches cybersecurity courses on LinkedIn Learning and has authored the popular textbook Security Metrics, A Beginner's Guide. Caroline holds a bachelor's degree in electrical engineering and computer sciences from UC Berkeley and a master's in finance and accounting from Stanford University Graduate School of Business.

Some useful links:
- https://twitter.com/carolinewmwong
- https://twitter.com/humansofinfose
- https://www.linkedin.com/in/carolinewmwong/
- https://soundcloud.com/humans-of-infosec
- https://twitter.com/cobalt_io
- https://resource.cobalt.io/pentesting-in-devops-how-to-guide
- https://www.mheducation.com/highered/product/security-metrics-beginner-s-guide-wong/9780071744003.html

Caroline Wong is interviewed by Kendra Ash and John L. Whiteman.

Support the show: https://owasp.org/supporters/

Application Security PodCast
Caroline Wong — The state of Penetration Testing
Sep 22, 2020 (35:03)

Caroline Wong is the Chief Strategy Officer at Cobalt.io. Wong's close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec Product Manager, and day-to-day leadership roles at eBay and Zynga. Caroline joins us to talk about penetration testing and reviews key findings from the Cobalt.io "State of Pentesting" report. [...]

MOJO Maker for Womxn in Tech
Episode #8: Caroline Wong on Driving Achievement and Finding Balance in Tech
Jun 30, 2020 (39:18)

Caroline Wong, the Chief Strategy Officer at Cobalt.io, is known for her practical information security knowledge that stems from her diverse experiences as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at both eBay and Zynga. Caroline teaches cybersecurity courses on LinkedIn Learning, is a member of the Forbes Technology Council, and was named 2019's Cyber Educator of the Year in the 6th annual Cyberjutsu Awards. She graduated from UC Berkeley with a BS in Electrical Engineering and Computer Science, holds a Certificate in Finance and Accounting from Stanford Graduate School of Business, and authored the well-known textbook, Security Metrics, A Beginner's Guide.

In today's episode, we have a personal and candid conversation with Caroline about the influence of her father in her decision to study engineering and her approach as a woman in the tech sector. She not only shares key leadership insights but also talks about how she shifted from relying on unhealthy coping mechanisms to a philosophy focused on meeting uncertainties and challenges with the perspective that it can be figured out once you get there.

Open Web Application Security Project (OWASP) - Portland, Oregon Chapter
Chad Holmes - CMD+CTRL Web Application Cyber Range
Feb 7, 2020 (11:55)

Today we'll be talking with Chad Holmes. Chad is a Product Marketing Manager for Security Innovation with a focus on educating customers on emerging Cyber Range technologies and how they can improve security education within organizations. Prior to joining Security Innovation, Chad was a Penetration Tester, Product Manager, Security Program Manager and Team Lead at Cigital, Veracode and Red Hat.

We'll be talking about our next chapter meeting, CMD+CTRL Web Application Cyber Range, Tuesday, February 11 2020 @ 5:30 PM at Zapproved. Go to meetup.com to RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/267265705/ You won't want to miss this amazing event.

Chad is interviewed by John L. Whiteman.

Follow us, join us:
- https://twitter.com/portlandowasp?lang=en
- https://www.meetup.com/OWASP-Portland-Chapter
- https://www.linkedin.com/groups/4223013/

Support the show: https://www.owasp.org/index.php/Membership#tab=Other_ways_to_Support_OWASP

humans-of-infosec
Ep 2 Robert Wood: From Football to CISO
Mar 13, 2018 (29:14)

Humans Of InfoSec Episode 2, Robert Wood has a vast portfolio of work ranging from building Cigital's Red Team to running the trust and security team at Nuna Health. Robert is well known for his adversarial thinking and strategic planning approach to his work, and today one of the things he's focused on is helping security professionals to advance their careers. Dive into Robert's information security origin story in Episode 2 of Humans of InfoSec.

DevSecOps Podcast Series
Thoughts on Security in the Modern Software Supply Chain
Nov 16, 2017 (64:45)

Caroline Wong, Paula Thrasher and I were having lunch at DevOps Enterprise Summit when the conversation took an interesting turn. Paula and Caroline had been on a panel the previous day and didn't get a chance to do a deep dive into any of the topics. As we were talking at lunch, I realized it was a good opportunity to give them a chance to talk with each other about government vs public software security, about how the OWASP Top 10 might best be used, and about what they have discovered as common security patterns in their large scale projects.

About Caroline Wong
I am a strategic leader with strong communications skills, cybersecurity knowledge, and experience delivering global programs. My close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. I have been featured as an Influencer in the Women in IT Security issue of SC Magazine, named as one of the Top 10 Women in Cloud by CloudNOW, and received a Women of Influence Award in the One to Watch category from the Executive Women's Forum. I authored the popular textbook Security Metrics: A Beginner's Guide.

About Paula Thrasher
Paula Thrasher has 20+ years of experience in IT and has spent the last 15 years trying to implement Agile culture in the federal government. Paula's first Agile project was in 2001; since then she has led over 15 programs and projects as an Agile developer, technical lead, Scrum master, or Agile coach. Her teams have helped two separate federal agencies migrate applications to Amazon AWS GovCloud, and done some other amazing DevOps ninja work along the way. Paula is a proud Carnegie Mellon University alumna with a B.S. in Statistics, is a Certified Scrum Master (CSM) and a Project Management Professional (PMP), but prefers learning new things through experience and working with smart people.

Paul's Security Weekly
Enterprise Security Weekly #22 - Magical Unicorns
Nov 11, 2016 (46:27)

Our topic is incident response in the enterprise. We also discuss OneLogin acquiring Sphere Secure Workspace, Synopsys acquiring Cigital, Codiscope bolstering its security portfolio, Gartner's latest report on the CASB market, and much more here on Enterprise Security Weekly!

Enterprise Security Weekly (Audio)
Enterprise Security Weekly #22 - Magical Unicorns
Nov 11, 2016 (46:27)

Our topic is incident response in the enterprise. We also discuss OneLogin acquiring Sphere Secure Workspace, Synopsys acquiring Cigital, Codiscope bolstering its security portfolio, Gartner's latest report on the CASB market, and much more here on Enterprise Security Weekly!

Enterprise Security Weekly (Video)
Enterprise Security Weekly #22 - News
Nov 11, 2016 (26:01)

OneLogin acquires Sphere Secure Workspace, Synopsys acquires Cigital, Codiscope to bolster security portfolio, Gartner's latest report on the CASB market, and much more here on Enterprise Security Weekly!
Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode22
Take the Security Weekly Survey: www.securityweekly.com/survey
Visit http://securityweekly.com/esw for all the latest episodes!

Paul's Security Weekly TV
Enterprise Security Weekly #22 - News
Nov 11, 2016 (26:01)

OneLogin acquires Sphere Secure Workspace, Synopsys acquires Cigital, Codiscope to bolster security portfolio, Gartner's latest report on the CASB market, and much more here on Enterprise Security Weekly!
Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode22
Take the Security Weekly Survey: www.securityweekly.com/survey
Visit http://securityweekly.com/esw for all the latest episodes!

TAGTV Online - TAG Radio
Joel Scambray, Cigital Principal, Author, Speaker & Guest Host Globalspeak President Frank Baia
Jul 21, 2016 (19:53)

072216 Scambray

Software Engineering Institute (SEI) Podcast Series
Build Security In Maturity Model (BSIMM) – Practices from Seventy Eight Organizations
Feb 3, 2016 (31:27)

The Building Security In Maturity Model (BSIMM) is the result of a multi-year study of real-world software security initiatives. It is built directly from data observed in 78 software security initiatives from firms in nine market sectors. The best way to use the BSIMM is to compare and contrast your own initiative with the data about what other organizations are doing as described in the model. You can then identify goals and objectives and refer to the BSIMM to determine which additional activities make sense for you.

The BSIMM data show that high maturity initiatives are well-rounded—carrying out numerous activities in all 12 of the practices described by the model. The model also describes how mature software security initiatives evolve, change, and improve over time.

In this podcast, Gary McGraw, the Chief Technology Officer for Cigital, discusses the latest version of BSIMM and how to take advantage of observed practices from high-performing organizations.

The Web Platform Podcast
28: Securing our Web Applications
Jan 28, 2015 (58:40)

Gary McGraw (@cigitalgem), CTO of the security giant Cigital, chats with us about how web developers, and software engineers in general, can best secure the applications we are building today. We dive into best practices, team collaboration techniques, where to go for further information, and what companies like Cigital are doing for the web security community.

Resources
- Cigital - http://www.cigital.com/
- The Silver Bullet Podcast - http://www.cigital.com/silver-bullet/
- Web Application Security Consortium - http://www.webappsec.org/
- Software Security - Building Security In - http://www.amazon.com/Software-Security-Building-In/dp/0321356705
- NodeGoat - http://nodegoat.herokuapp.com/login
- RailsGoat - http://railsgoat.cktricky.com/
- Gary's books - http://www.cigital.com/~gem/books/
- Charlie Miller Interview - http://www.cigital.com/silver-bullet/show-095/
- OWASP - https://www.owasp.org/

Panelists
- Adi Chikara - ATG Lead at 3Pillar Global
- Christian Smith - Open Source developer & Startup Enthusiast
- Chetan Karande - Senior Software Engineer at Omgeo
- Erik Isaksen - UX Engineer at 3Pillar Global
- Rob Simpson - Senior Front End Developer at Capco
- Nick Niemeir - JavaScript Agent Engineer at New Relic

Down the Security Rabbithole Podcast
DtR Episode 42 - Threat Modeling
May 27, 2013 (47:26)

In this episode...
- John discusses some of the foundational principles of Threat Modeling
- We talk about why threat modeling is like your time in high school
- We discuss why threat modeling is such an incredibly important tool to the enterprise
- John gives us some nuggets of his experience with threat modeling enterprise applications

Guest
John Steven (@m1splacedsoul) - John Steven is the Internal CTO at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted advisor to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, speaks with regularity at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. John holds a B.S. in Computer Engineering and an M.S. in Computer Science, both from Case Western Reserve University. John is known for his in-depth work in software security, his expertise in the field of threat modeling, and his snarkcasm. If you don't follow John on Twitter or haven't attended one of the talks he's been known to give occasionally - I recommend you do so.

Down the Security Rabbithole Podcast
DtR Episode 26 - Guest: Brad Arkin of Adobe - Software Security Under Pressure
Dec 18, 2012 (39:52)

Synopsis
This episode is special because it's been a long-time-in-the-making interview with Brad Arkin of Adobe. This is the organization that many of the hacker community like to hate, and pick on - without realizing the monumental task of securing the software that Brad's team is responsible for. Brad's official title at Adobe is Engineering Senior Director, but in real life one of the responsibilities his team is tasked with is doing product security for products like Adobe Flash and Reader ... Brad's take on software security and how he got the bug problem under control at Adobe is worth a listen!

Guest
Brad Arkin - Engineering Senior Director at Adobe - Brad has a long history of being involved in the Information Security world, particularly software security, and has held many interesting roles from Cigital, to a technical director at @Stake, to working his way through Adobe since 2008. Brad can be found on LinkedIn, here: http://www.linkedin.com/pub/brad-arkin/1/2a8/4.

ISTS: Institute for Security, Technology, and Society
Cyber War, Cyber Peace, Stones, and Glass Houses
Apr 26, 2012 (79:30)

Ill-informed lawmakers and policymakers, rather than true experts, are addressing issues of cybersecurity and are focused on the wrong issues. This was the message presented April 26, 2012 by Gary McGraw, Chief Technology Officer of Cigital, Inc. and a leading authority on software security. The talk was co-sponsored by ISTS and the War and Peace Studies Program of the Dickey Center for International Understanding.

CERIAS Security Seminar Podcast
Gary McGraw, Building Security In Maturity Model (BSIMM)
Oct 7, 2009 (51:27)

As a discipline, software security has made great progress over the last decade. There are now at least 46 large scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives using the twelve practices of the Software Security Framework as our guide. Those companies among the nine who graciously agreed to be identified include: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real programs at different levels of maturity was used to guide the construction of the Building Security In Maturity Model (BSIMM). This talk will describe the observation-based maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works---people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Since its March release, the BSIMM is being expanded to include BSIMM Europe, BSIMM II, and BSIMM Lite. Use the BSIMM as a yardstick to determine where you stand and what kind of software security plan will work best for you. 
About the speaker:
company: http://www.cigital.com
podcast: http://www.cigital.com/silverbullet
podcast: http://www.cigital.com/realitycheck
blog: http://www.cigital.com/justiceleague
book: http://www.swsec.com
personal: http://www.cigital.com/~gem

Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Java Security, Building Secure Software, Exploiting Software, Software Security, and Exploiting Online Games; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors, produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and produces the Reality Check Security Podcast for CSO Online.

OOPSLA 2007
Episode 7: Gary McGraw on Security
Aug 20, 2007

Guest: Gary McGraw. Host: Michael Kircher. Software security is an issue that everyone faces but that not everyone gets right. Sometimes, our programming languages claim to provide us a level of security that they cannot deliver. Fortunately, folks like Gary McGraw, the CTO of Cigital, have studied software, language technology, and security. McGraw defines software security as "how to approach computer security if you are a software developer or architect". In his experience, the best way to build secure software is to have the people who build our systems think carefully about security while they are building them. Security is part of both the system's architecture and its implementation. At OOPSLA, McGraw, a globally-recognized authority on software security and the author of six best selling books on this topic, is teaching a tutorial called Software Security: Building Security In that will present a detailed approach to getting past theory and putting software security into practice. The tutorial will give a lesson in applied risk management and then present a number of software security best practices. Listen to this podcast to hear Michael Kircher of SE Radio chat with Gary about software security, patterns of attack on software, and some of the most timely issues in security as applied to on-line games.

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

2007 held numerous watershed events for the security industry. Innovation is needed and the money is there. Come to this session and meet the VCs actively investing in security, web, and mobile applications. Learn how VCs see the future, what they are looking for, and how best to utilize them to further your innovations. This session will conclude with an announcement about the Black Hat/DEFCON Open, a business plan competition focused on innovations in security; winners will be announced at Black Hat 2008 and DEFCON 16.

Brad Stone, New York Times technology correspondent: Brad Stone joined the New York Times in December 2006. He covers Internet trends from the newspaper's San Francisco bureau. In addition to writing for the paper, he contributes to the Times technology blog, Bits. From 1998 to November 2006, Stone served as the Silicon Valley Correspondent for Newsweek magazine, writing for the technology and business sections of the magazine and authoring a regular column, Plain Text, on our evolving digital lifestyles. He joined the Newsweek writing staff in 1996 as a general assignment reporter and covered a wide range of subjects. He wrote about Mark McGwire's home run chase during the summer of 1998 and the jury deliberations in the Timothy McVeigh trial, and profiled authors such as Kurt Vonnegut. He is also a frequent contributor to Wired magazine, and has written for publications such as More magazine and the Sunday Telegraph in London. Brad graduated from Columbia University in 1993 and is originally from Cleveland, Ohio.

Patrick Chung, Partner, NEA: Patrick joined NEA as an Associate in 2004 and became Partner in 2007. Patrick focuses on venture growth equity, consumer, Internet, and mobile investments. He is a director of Loopt and Realtime Worlds, and is actively involved with 23andMe, Xoom and the firm's venture growth activities. Prior to joining NEA, Patrick helped to grow ZEFER, an Internet services firm (acquired by NEC), to more than $100 million in annual revenues and more than 700 people across six global offices. The company attracted over $100 million in venture capital financing. Prior to ZEFER, Patrick was with McKinsey & Company, where he specialized in hardware, software, and services companies. Patrick received a joint JD-MBA degree from Harvard Law School and Harvard Business School, where he was the only candidate in his year to earn honors at both. He also served as an Editor of the Harvard Law Review. Patrick was one of only nine Canadian citizens to be elected a Commonwealth Scholar to study at Oxford University, where he earned a Master of Science degree and won both class prizes for Best Dissertation and Best Overall Performance. Patrick earned his A.B. degree at Harvard University in Environmental Science. He is a member of the New York and Massachusetts bars.

Maria Cirino, Co-Founder and Managing Director, .406 Ventures: Maria is co-founder and managing director of .406 Ventures, a new VC firm focused on early stage investments in security, IT, and services. She serves as an active investor, director and/or chairman in one public company and four venture-backed companies, including Veracode and Bit9. Maria brings 21 years of entrepreneurial, operating and senior management experience in venture-backed technology companies. Most recently, she served as an SVP of Verisign following its 2005 $142 million acquisition of Guardent, a Sequoia, Charles River Ventures and NEA-backed IT security company that she co-founded and led as CEO and Chairman. In this role, Maria received several industry honors and awards, including "Ernst & Young Entrepreneur of the Year in 2003." Prior to Guardent, Maria was Senior Vice President responsible for sales and marketing at i-Cube, an IT services company, which was acquired in 1999 by Razorfish for $1.8 billion. Prior to Razorfish, she was responsible for North American sales at Shiva, the category-creating network infrastructure company, from 1993 to 1997.

Mark McGovern, Tech Lead, In-Q-Tel: Mark McGovern leads the communications and infrastructure practice for In-Q-Tel, the strategic investment firm that supports the U.S. Intelligence Community. He has extensive experience developing, securing and deploying data systems. Prior to joining In-Q-Tel, Mr. McGovern was Director of Technology for Cigital Inc. He led Cigital's software security group and supported a Fortune 100 clientele that included Microsoft, MasterCard International, CitiBank, Symantec, CheckFree, the UK National Lottery and the Federal Reserve Banks of Richmond, New York and Boston. Earlier in his career, Mr. McGovern worked for the Central Intelligence Agency. Mr. McGovern holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and an M.S. in Systems Engineering from Virginia Polytechnic Institute.

Dov Yoran, Partner, Security Growth Partners (SGP): Prior to joining SGP, Mr. Yoran was Vice President for Strategic Alliances at Solutionary, Inc., a leading Managed Security Services Provider. He was responsible for all partnerships, global channel revenue and marketing efforts. Previously, at Symantec Corporation, Mr. Yoran managed the Services Partner Program, having global responsibility for creating, launching and managing the partner re-seller program. This program generated over 50% of Symantec Services revenue, with a partner base expanding across six continents. Mr. Yoran came to Symantec as part of the Riptech, Inc. acquisition, a $145 million transaction that ranked in the top 2% of all technology mergers in 2002. Riptech was the leading managed security services firm that monitored and protected its client base on a 24x7 basis. At Riptech, he spearheaded the channel strategy, marketing and sales operations, growing the reseller program to over 50% of the company's revenue. Prior to that, Mr. Yoran worked in several technology start-ups as well as Accenture (formerly Andersen Consulting), where he focused on technology and strategy engagements in the Financial Services Industry. Mr. Yoran has also written and lectured on several Information Security topics. He holds a Master of Science in Engineering Management and Systems Engineering with a concentration in Information Security Management from the George Washington University and is a cum laude Bachelor of Science in Chemistry graduate from Tufts University.

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.

CERIAS Security Seminar Podcast
Gary McGraw, Building Secure Software
Jan 10, 2001 (61:25)

Computer security takes on more importance as commerce becomes e-commerce and business embraces the Net. However, little progress has been made in the security field, especially when vendor technology is considered. Popular press coverage of computer security orbits around basic technology issues such as what firewalls are, when to use the DES encryption algorithm, which anti-virus product is best, or how the latest email-based attack works. The problem is, many security practitioners don't know what the problem is. It's the software! Internet-enabled software applications, especially custom applications, present the most common security risk encountered today, and are the target of choice for real hackers. This talk is all about software security risk and how to manage it. The trick is to begin early, know your threats (including language-based flaws and pitfalls), design for security, and subject your design to thorough objective risk analyses and testing. This talk covers material that software practitioners, including architects and languages researchers, can use to avoid security problems and produce more secure Internet-based code.

About the speaker: Gary McGraw is the Vice President of Corporate Technology at Cigital (formerly Reliable Software Technologies), where he pursues research in software security while leading the Software Security Group. He holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He has written over sixty peer-reviewed technical publications, consults with major e-commerce vendors including Visa, Ericsson, and the Federal Reserve, and has served as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program. Dr. McGraw serves on the Boards of Counterpane, Finjan, NetCertainty, and ChainMail, Inc. He also chairs the National Infosec Research Council's Malicious Code Infosec Science and Technology Study Group. Dr. McGraw is a noted authority on mobile code security and co-authored both Java Security (Wiley, 1996) and Securing Java (Wiley, 1999) with Prof. Ed Felten of Princeton. Dr. McGraw also co-authored Software Fault Injection (Wiley, 1998) with Jeff Voas. Dr. McGraw is currently writing a book entitled Building Secure Software (Addison-Wesley, 2001). He regularly contributes to popular trade publications and is often quoted in national press articles.