Podcast appearances and mentions of Gary McGraw

  • 34 podcasts
  • 54 episodes
  • 43m average duration
  • 1 new episode per month
  • Latest: Aug 6, 2024

Popularity chart (2017 to 2024)



Latest podcast episodes about Gary McGraw

Decipher Security Podcast
Gary McGraw on Data Feudalism
Aug 6, 2024, 27:03


AI and machine learning security expert Gary McGraw joins Dennis Fisher to discuss the concept of data feudalism in LLM foundation models, what the security implications of it are, and whether narrowly focused models may help address these issues. 

Talkin' Football
Interview with Special Guest Coach Gary McGraw (@DBCoachMcGraw) x327
Jul 14, 2024, 75:29


Riley O'Brien (@rileylobrien) continues our interview series with Oregon Duck Hall of Famer Coach Gary McGraw (@DBCoachMcGraw). They discuss what Coach McGraw loves about football and what has helped him thrive both as a winning football player and as a successful football coach in the various positions he has held at various places. Coach gives insight into the mindset he wants his players to have, who some important people are that have been instrumental in his journey, and what he has on the horizon. Coach McGraw is an excellent football mind, student and teacher of the game.

The Security Ledger Podcasts
Episode 256: Recursive Pollution? Data Feudalism? Gary McGraw On LLM Insecurity
Feb 21, 2024, 32:27


Paul speaks with Gary McGraw of the Berryville Institute of Machine Learning (BIML) about the risks facing large language model machine learning and artificial intelligence, and how organizations looking to leverage artificial intelligence and LLMs can insulate themselves from those risks. The post Episode 256: Recursive Pollution? Data Feudalism? Gary McGraw On LLM Insecurity appeared first on The Security Ledger with Paul F. Roberts.

Decipher Security Podcast
Gary McGraw on AI Security
Feb 6, 2024, 39:57


Software security and AI security expert Gary McGraw joins Dennis Fisher to discuss the findings of a new AI architectural risk analysis research paper that his Berryville Institute of Machine Learning did on LLMs, the risks of black box models, and what kind of regulation would be most effective at reducing those risks.

Cloud Security Podcast by Google
EP150 Taming the AI Beast: Threat Modeling for Modern AI Systems with Gary McGraw
Nov 27, 2023, 26:17


Guest: Dr Gary McGraw, founder of the Berryville Institute of Machine Learning

Topics:
  • Gary, you've been doing software security for many decades, so tell us: are we really behind on securing ML and AI systems?
  • If not SBOM for data or “DBOM”, then what? Can data supply chain tools or just better data governance practices help?
  • How would you threat model a system with ML in it or a new ML system you are building?
  • What are the key differences and similarities between securing AI and securing a traditional, complex enterprise system?
  • What are the key differences between securing the AI you built and AI you buy or subscribe to?
  • Which security tools and frameworks will solve all of these problems for us?

Resources:
  • EP135 AI and Security: The Good, the Bad, and the Magical
  • Gary McGraw books
  • “An Architectural Risk Analysis Of Machine Learning Systems: Toward More Secure Machine Learning” paper
  • “What to think about when you're thinking about securing AI”
  • Annotated ML Security bibliography
  • Tay bot story (2016)
  • “Can you melt eggs?”
  • “Microsoft AI researchers accidentally leak 38TB of company data”
  • “Random number generator attack”
  • “Google's AI Red Team: the ethical hackers making AI safer”
  • Introducing Google's Secure AI Framework

Paul's Security Weekly
Throwback Episode - Gary McGraw - PSW 366
Jan 19, 2023, 34:47


We aren't recording this holiday week, so enjoy this PSW throwback episode! Main host Paul Asadoorian selected this episode to share because it's still relevant to the hacker community today. PSW366 was recorded in June 2016 with Gary McGraw.

Paul's Security Weekly (Podcast-Only)
Throwback Episode - Gary McGraw - PSW366
Jan 19, 2023, 34:47


We aren't recording this holiday week, so enjoy this PSW throwback episode! Main host Paul Asadoorian selected this episode to share because it's still relevant to the hacker community today. PSW366 was recorded in June 2016 with Gary McGraw.

The Golden Hurricast
4-23: A Reason For Hope?
Feb 16, 2022, 60:56


A few losses, a win, AAC CHAOS, fun football coaching hires, and even a section on textbooks!

Timestamps:
0:00 - 7:45: Initial recap
7:45 - 15:50: What went wrong with the men's team?
15:50 - 19:37: Legends Days win over Cincy
19:37 - 28:30: Basketball Themes of the Week
28:30 - 31:50: Basketball Previews
31:50 - 37:08: Around the AAC
37:08 - 44:37: Women's Basketball
44:37 - 49:02: Craig Suits hired as TU's new LB coach
49:02 - 53:15: Gary McGraw hired as TU's new cornerbacks coach
53:15 - 56:04: Lovie Smith and Dennis Allen are NFL head coaches
56:04 - end: TU "buying" textbooks for freshmen

Support this podcast: https://anchor.fm/thegoldenhurricast/support

Greater Than Code
257: Putting Accessibility Into Action with Dr. Michele A. Williams
Nov 3, 2021, 59:48


01:03 - Not Giving Into Peer Pressure 02:31 - Reaching Outside of the Accessibility World (Demystifying Accessibility) * Everyday Accessibility by Dr. Michele A. Williams (https://www.a11yproject.com/posts/2021-06-14-everyday_accessibility/) * Thinking About Disability Until It's Everyone's Normal Way of Thinking * Power Structures and Erasing Innovation * Recognizing Specialty * Cormac Russell: Four Modes of Change: To, For, With, By (https://www.skybrary.aero/bookshelf/books/4510.pdf) 12:37 - The Real Work of Accessibility: Organizational Change * Taking a Stance and Celebrating Innovation * Inclusion 17:52 - Avoiding Dysfunctional Ways of Working * The 5 Principles of Human Performance: A contemporary update of the building blocks of Human Performance for the new view of safety by Todd E. Conklin PhD (https://www.amazon.com/Principles-Human-Performance-contemporary-updateof/dp/1794639144) * Context Drives Behavior * How Leaders Respond Matters * Set Up The System So The Right Thing Is Easy 26:46 - Moral Obligations and Social Norms: Top Down * PAPod 36 - Martha Acosta Returns - The 4 Things Leaders Control (https://preaccidentpodcast.podbean.com/e/papod-36-martha-acosta-returns-the-4-things-leaders-control/) * Roles * Processes and Practices * Values/Norms * Incentives 31:20 - Personas: Translating Ideas and Principles Into Action * Software Security: Building Security In by Gary McGraw (https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705) 37:04 - Putting Accessibility Into Action * Knowledge Building: Iterate * Giving Access * “Appreciate the bunt.” * Clearer Consequences * Greater Than Code Episode 162: Glue Work with Denise Yu (https://www.greaterthancode.com/glue-work) 51:06 - “Disability Dongles” – Liz Jackson (https://www.cbc.ca/radio/spark/disabled-people-want-disability-design-not-disability-dongles-1.5353131) * The Lows of High Tech – 99% Invisible (https://99percentinvisible.org/episode/the-lows-of-high-tech/) * Infrastructure 
Disables Blind Navigation * The Models of Disability (https://www.disabled-world.com/definitions/disability-models.php) * The Pretty One: On Life, Pop Culture, Disability, and Other Reasons to Fall in Love with Me by Keah Brown (https://www.amazon.com/Pretty-One-Culture-Disability-Reasons/dp/1982100540) Reflections: Michele: Finding room for everyone to provide their perspective. John: The real solutions are infrastructural. Rein: Accessibility has to be built-in throughout the process of building and designing software. This episode was brought to you by @therubyrep (https://twitter.com/therubyrep) of DevReps, LLC (http://www.devreps.com/). To pledge your support and to join our awesome Slack community, visit patreon.com/greaterthancode (https://www.patreon.com/greaterthancode) To make a one-time donation so that we can continue to bring you more content and transcripts like this, please do so at paypal.me/devreps (https://www.paypal.me/devreps). You will also get an invitation to our Slack community this way as well. Transcript: REIN: Hello and welcome to Episode 257 of Greater Than Code. I'm your co-host, Rein Henrichs, and I'm here with my friend, John Sawers. JOHN: Thank you, Rein, and I'm here with our guest, Michele A. Williams. She's the owner of M.A.W. Consulting (Making Accessibility Work). Her 16 years of experience include influencing top tech companies as a Senior User Experience Researcher and Accessibility Consultant, and obtaining a PhD in Human-Centered Computing focused on accessibility. A W3C-WAI Invited Expert, international speaker, published academic author, and patented inventor, she is passionate about educating and advising on technology that does not exclude disabled users. Welcome to the show, Michele. MICHELE: Thank you so much, John and Rein. Thanks for having me. JOHN: You are very welcome and we'll start the show as we always do by asking our standard question, which is what is your superpower and how did you acquire it? 
MICHELE: I don't think I have the most creative answer to this. [laughs] I kind of hate those, “Oh, tell us something fun about yourself.” But the thing I thought about that came to mind was my ability to not give into peer pressure. [chuckles] And some ways that manifests for instance, I have a technology background and yet I'm almost the least technical person like I was probably one of the last people to get a smartphone. I love my flip phone and you couldn't take it from me. So this idea that everyone's doing this social media, all of that, I just joined Twitter last year. So I do things dagnabbit; when I need it, not necessarily just because there's groundswell. So I would say that's pretty good superpower. JOHN: All right. So you gave some examples there in your personal life with technology and social media. I assume that that's also a fairly powerful capability in a business context as well. MICHELE: I think so. Particularly when you're advocating for say, disabled people who aren't necessarily always advocated for, it definitely helps to have a more strong will and the ability to take a stance that turns others rather than consistently feeling like you're being turned around about what others want you to do. So I agree with that, thanks. JOHN: [chuckles] Excellent. And so it looks like you've been involved in the accessibility world on a number of different angles and capabilities and so, what have you found to be the most impactful of those? MICHELE: I tend to want to reach people who are outside of the accessibility world. Unfortunately, I think sometimes accessibility people can tend to talk to other accessibility people a little bit too much. I tend to like to recognize that it is something that everyone in the world should know a little something about. It is an expertise, but there are some ways that everyone can do it. I just recently wrote an article for A11Y Project called Everyday Accessibility. 
That's when you're making a Word document, for instance, using the Ribbon, using headings, and buttons, or bulleted lists. So I tend to want to bring everyone on board, and demystify accessibility and make it more attainable and easier to grasp and that feels so much like this expert field that takes years to break it down to those tangible pieces that still make a big difference. REIN: One of the things that I hear a lot when abled people are advocating for accessibility is, “Sure, this helps disabled people, but you should care about it because it helps abled people, too.” How do you feel about that? MICHELE: So that's a conversation that's been coming up a lot, too and I have a particular colleague that sent me their response, for instance and it's a stance that I don't particularly align with because the problem with that stance is you end up keeping the status quo. So there are real consequences to being in a society that does not value disability and you, as someone who doesn't have a disability, do not feel those effects. So until we are a more equitable society, we do have to call out the characteristics that make someone have negative effects. So the reality is yes, there are things like situational impairments, which is when the situation you're in mirrors the impact of a disability such as walking and texting—you're not seeing out of your periphery—or there's temporary disabilities, like you've broken your arm, and then there's just the natural process of aging. All of that is true and you can also figure designing for your future self for that last part. But again, I think that we have to be very mindful that right now we need to overemphasize and think about disability until it is our normal way of thinking. REIN: It also seems like it's conceding the ground that doing what's right for disabled people is enough of a justification. MICHELE: Explain that a little bit more, what you mean by that. 
REIN: So when you say it helps disabled people, but it also helps abled people, it seems to me like you're saying it's not enough for me to just say that this helps disabled people. I have to give you another reason. MICHELE: Absolutely, absolutely, and that ties back into ableism and the invisibility of disability and the devaluing of disability. Like you said, it's like a disabled person is not enough. It has to also include absolutely right with that way of thinking and that's another reason not to go that route of segmenting it in that way. JOHN: I think this ties into something that you had mentioned earlier that I find really interesting, this idea that able people are doing something for disabled people. MICHELE: Yes, and that's the big thing. When you say like, “What's been on your mind lately?” That's the one that comes to mind and it comes to mind for a couple of different reasons. None of them new, none of them – I did not discover any of this; people have been saying this for decades upon decades. But for me, my personal experience, I will give a talk, an accessibility talk, I might explain something about say, screen readers, or some other technology, or a particular disability and then the response is, “Well, it should work this way,” or “We should do this.” There's a lot of solutioning around what I've just presented without any context of ever having met say, a disabled person, or particularly a person in the disability community that has been talked about and that comes, I think from this idea, a couple of things. One, again, this idea of a power structure where, “Well, I'm doing this for you, disabled person.” Not understanding the empowerment that the disabled person has, or this misunderstanding and again, invisibility of disability in spaces like tech innovation and not understanding, okay, that touch screen you're using, that text-to-speech you love, those captions that you use at the bar; all of these things [chuckles] came from disability. 
We erased the innovation that came from someone designing for themselves and designing for their ability and it's assisted technology and therefore, it's an add-on when it's for disabled folks, but it's innovation when it's for people who don't have disabilities. I think we need to have a lot more discussion about this, particularly in spaces like user experience, where we're supposed to be all inclusive and all about the user. There's some ways that we really are reinforcing this mindset and this power structure, for sure. JOHN: So I want to check my understanding of what you're saying, just to make sure. Are you saying that when you present a problem, accessibility problem, the abled people, the other UX designers, the other people who want to be helpful jump in with, “Oh, we can do this, we can do that, or that” rather than saying, “Well, let's go talk to some disabled people and find out what they need and let that guide how we solve this problem rather than us just being like, ‘Oh, it would be great if dah, dah, dah, dah, dah.'” MICHELE: So to two stages to that. For the first one yes, that's the first thing that happens. In the assistive technology, broad accessibility world, this manifests in some very familiar ways. The first is the blind navigation. Every year, some engineer thinks they've solved blind navigation, pedestrian navigation. Meaning they've created a belt with vibrations on the left and right with an Arduino, or something and they go, “You don't need a cane anymore because it's going to vibrate left when you need to turn left and right when you need to turn right, and you can walk like a sighted person,” or some variation of that—robot guide dogs, smart cane, something like that, or the sign language gloves, or the stair climbing wheelchair. There's these sort of assistive technologies that always come out with very little context around whether it's actually happening, whether it's actually needed. 
But then there's something John, about what you said, too about let's see what people need and we'll build it. We have to be careful even with that, too because that assumes that I can't build for myself and that's not true either. [chuckles] Disabled folks are the most innovative people because the world is not accessible. There is a such thing as a specialty. Like I have an accessibility specialty, I have a design specialty, but I think we often think that's someone without a disability. No, a disabled person can also have these specialties, or they can be someone who has the idea of what they need and you're partnering with them with your specialty in say, design to create those solutions. So again, I think we have to be very careful about our wording and our viewpoints of what's actually happening. REIN: There's a framework that I've been using for this that actually comes from aviation safety and there's a European aviation safety magazine where Cormac Russell published an op-ed called Four Modes of Change: To, For, With, By. The idea is that change to is the mode where change has done to us without us. So this is a sort of authoritarian top-down thing. We've got no say in the matter. It's not even necessarily for our benefit. Then change for is a benevolent top-down approach. “I'm trying to help you, but I'm the one who decides what to change.” Change with is a participatory co-creating the change. And then change by is change done by us for us where if I'm, for example, a manager, my role would be find out what support you need so you can make the changes you want to make. MICHELE: Absolutely. Perfect. Thank you. I knew there was some reference. This appears in disability justice spaces, in any kind of space where you're talking about inclusion, we know that sometimes inclusion can be code for do things the way that the current power structure does it. 
Do things the way that the current people in charge of comfortable and assimilate rather than no, we're actually going to allow you to be your authentic self and come into these spaces. Part of the reason this has also been on my mind is because I fit into some of these other spaces as a woman and as a Black person. I think that sometimes my cohorts think well, because we have experienced some of that in our lives, we are immune to them giving that out to others. So as a Black person, a woman, even someone with intersectionality, I can't possibly do that to do was done to me to someone else. But we don't realize how much ableism is steeped into our society, such that it is very easy to do that with disability and not even realize it and not even realize you have the mentality that someone is inferior to you, incapable, and particularly when the disability has to do with neurological, or anything that we really don't understand. But even still, even that kind of categorization can go away because the idea is that any sort of disability triggers usually some sort of ableist response and these things can happen even if you've experienced it yourself. JOHN: So like so many of the other things we discussed on this podcast, it sounds like the real work of accessibility is organizational change. It's getting the power structures to change to allow these things to come into being rather than forcing them in there, or trying to – like you were saying, not forcing the change on the disabled people to fit in. MICHELE: I've been thinking about the roots of this, for sure. And thank you for that. Unfortunately, capitalism drives a lot of this and again, if we're talking specifically more to tech worlds and say, including accessibility into your tech, part of that is just because the buy-in sometimes comes from the internal stakeholders, not the end customer. Again, if you're not mindful, not careful, and don't have leadership that are careful. 
So the dirty little secret is for instance internally yes, you may be making education software for students, but you're really marketing to the teachers who are going to buy it, and you're then even more so really marketing to whoever the management structure is internally who's going to approve it to even be on the market. So you get further and further away from actually helping a student because you have all these other checks that it needs to impress, or you need to make the case for similar to what we were saying earlier, you have to make the case for disability. For instance, you have to say, “Well, blind people to do this.” You get this pushback of, “Well, blind people don't do that so we don't have to worry about it and you keep moving on.” So there is a shift that is hard, but I do think it goes back to what I was saying earlier about taking a stance. I think that people do need to individually start to take the stance that that may be how we do things now, or how it may even need to be done. But we do want to be careful buying into that completely because it's going to perpetuate the same. We know that that power dynamic internally of who the stakeholders are, again, also sometimes doesn't reflect the diversity of who we are designing for. We're going to keep getting the same result if we're not super mindful and super careful to take the stance that we are going to care about the diversity of the end users, the people that ultimately will have their hands on what we're making and celebrate that oftentimes those best solutions, again, come from the community who are doing the work. So celebrating the innovation that comes from being tied back to those end users rather than thinking the solution has to come from within. So changing that mindset around this difficult, but it takes taking a stand and recognizing it, too. 
JOHN: So it's trying to change my thinking around to the by style change around accessibility and my context is on the team of web developers who develop apps that are eventually used by some disabled people. So I'm trying to think about obviously, we need buy-in from the power structures as a company and to spend time on the work, but deciding what work gets done needs to be – that's where the inclusion comes in and I'm curious about what the steps are there that helped me get to that point where those people are included MICHELE: So here's a few ways that that comes about. One of it could just be, okay, this is the feature we're doing and we're going to make sure that this feature that we're doing—however that came about—is assessable. That can come from anything from how you're going to code, like making the decision to use standardized elements that come with accessibility built-in, or whatever knowledge building you can do internally to just bake it into how you are creating that feature. Then there is what is the feature and making sure that that, if nothing else, is as inclusive as possible, or at least not exclusionary. You're not making a feature that will exclude people. Again, that comes from an understanding of who is the audience and making sure everyone understands that. No one, I don't think has fully solved for how to make accessibility the thing that everyone knows does – it's difficult. It takes time. It takes training. It takes science from top down as well as then knowledge from the bottom up. It's a journey. But I think that there are places where decisions are made, that you know you're going one way, or the other, whether it's, I'm using a div, or a button, [chuckles] whether it's we're going to wait to put captions, or we're going to go ahead and build in time to do that, whether it's, again, we're going to put in this very visual feature, or we're going to take a little bit more time to understand how to have an alternative to that feature. 
So there's lots of places where you can be very intentional, that you are going to take the steps to learn about accessibility from your point of view and then incorporate it. REIN: So let's say that your VP of engineering mandates that every project has to meet a certain accessibility score, or something like that, but you don't train the developers. So you were saying top down and bottom up have to come together. I have seen things like that lead to some pretty dysfunctional ways of working. MICHELE: I can see that [laughs] and I think part of that comes from a misunderstanding that accessibility is not just something you say we're going to do. Like, it's not like we didn't do it because we just simply forgot, or we didn't do it just for reasons that can then you can flip a switch and turn it on. People aren't doing it because they weren't taught it, they aren't fully aware of the diversity of it, they aren't aware of what's required, and then leadership isn't aware. Therefore, that steps have to be taken. So there's a lot of rally around let's be inclusive, let's be assessable, but then there's less so when you learn oh, that means we have to maybe take half of the time to train and disrupt our workflow, or we have to do our workflow differently, or we have to go back to the code we've already written and been using for years and fix it. Those are some real decisions and those are some real consequences sometimes to that, too when you're a business that is expected to constantly move forward, but they are decisions that have to be made in order to actually put it in place, not just say you are for it. REIN: Todd Conklin has a book, The 5 Principles of Human Performance, and there are two that I think are especially relevant here. One is that context drives behavior. So if you want to know why someone is behaving the way they do, the thing to look at is the context that they're operating in, and the other is that how leaders respond to matters. 
When I think about this, I think if you have a design systems team, is that design system built to be accessible from first principles? Is the easy thing to do grab a component that's already designed to be accessible, or is the easy thing to do is throw a div on the page? MICHELE: Yeah, and there are, I think that the number one takeaway is none of it is easy because all of it is late. So there are initiatives like teachaccess.org; we really need to be embedding it in how we even learn the things that we learned, because then it does feel like we're almost disrupting industry to do this. When in reality, we just learned it wrong. [chuckles] We learn to cheat and to make it look and feel the way I want it to look rather than learning that there was a reason there's this thing called a button versus this thing called a div. Now, recognizing, too, though that standards come after innovation. So you can't standardize something that hasn't really even been explored, or even invented yet. So we understand that as you want technology to advance, it's more difficult to then say, “Okay, there's a standard for this and that will guarantee us accessibility.” So for instance, using native HTML elements isn't all, or when we look at mobile, native mobile elements is more difficult to do. This is still a new space, a growing space and so, sometimes we don't often know what that looks like. But that then requires again, that awareness piece of what disability looks like and this is where they're trying to catch augmented reality and virtual reality with XR Access and accessibility initiatives. Because if you're at least aware of the diversity of disability, you can catch it early enough so that when the standards come out again, we're making it less hard. Someone on a panel I was on last week, talked about like tech debt and this idea of well, it can be overwhelming. 
Well, if you have less things you need to maintain, it's less overwhelming and that comes from using standards and being aware of standards. You lessen your tech debt; that becomes part of the overall responsibility of standards bodies, for instance. So there are some again, tangible steps that I think just need more awareness and talking about over and over again until we get it right, that can be put in place, should be put in place. Hopefully, it will be put in place to make this less daunting over time. REIN: Yeah, and then on the how leaders respond thing. If someone builds something that's not accessible to you, do you punish them to just drive that behavior underground, or do you say, “Why weren't they able to do it? Do they not have the right expertise? Were they under too much time pressure?” How can I make the context better so that people are more likely to do the behaviors that we're trying to lead them towards? MICHELE: Yeah. Thinking a lot about that, too. So I tend to have two ways. I guess, it's sort of the carrot stick kind of thing, or maybe some other dynamic like that, but we know some people are going to get the altruistic side. Again, awareness. They just weren't thinking about disability. It's not something that's in their life. It's not something that was exposed to them. Once someone is exposed and understands a little bit of the work that needs to be done, they're bought in and they go for it. There are other folks that just are ablest. They just will not care. If it has not affected them personally in their lives, they are going to look – maybe like you said, maybe their motivations are something like money, even though they don't realize they're excluding more consumers. Whatever those things are, they're just not going to buy in. That's when unfortunately things like the threat of lawsuits, or bad publicity has to be the way that you get those folks to turn around, or again, you just do it. 
[chuckles] So that's when maybe the folks on the ground can just do it regardless and the one thing, I think about is this video that went around with this little baby and there was a parent and a teacher aide. I presume the baby was supposed to be doing their sound it out cards, flashcards, but didn't feel like doing it. The little baby sitting on the floor back turned, the mom and the teachers, they did it. They did the sound out cards. The baby's looking back still playing, but keeps looking back and eventually, the baby goes, “Wait a minute, that's my game,” and next thing you know, they're playing the game. So there is something also, too to like you said, maybe it's just a peer pressure thing. No one else seems to be doing accessibility so why do we have to be the ones to do it? But if the cool kids start doing it, if the company start exposing that they are doing it, if there's enough groundswell, people will just get on board with the thing that everyone is doing, too. So I think maybe there are three ways now—maybe I've added a third in my mind. There are ways – as a user experience person, I say user experience the person that you're dealing with. Like you said, get in their head, what are they thinking? What do you think they would want? But ultimately, understand that it isn't always going to be because it's the right thing and the faster you learn that, the more you might be able to actually get some results, too. JOHN: Yeah. I like what you said there, Rein about set up the system so that the right thing is easy and I think obviously, there's a lot of work to get to that point where you have the whole system built around that. 
But once you can get there, that's great because then, like you were saying, Michele, there's so much less effort involved in getting the thing to happen because that's just how everyone does it and you're just pulling the components are, or copy pasting from the other parts of the code that are already accessible so that that stuff is already built into the process. And then it doesn't have to be quite so much of an uphill. Like even just uphill thinking process where you have to think differently than you used to in order to get the thing done in an accessible manner.

MICHELE: Yeah. Again, unfortunately it's not embedded within us to do this, but maybe the next generation will, maybe the next couple of generations, if we keep talking about it and we take the effort to start to shift ourselves, maybe it will be the thing that people can't even remember when they didn't do it. I do feel like we're in a cool moment right now where that might be possible. I'm hearing it more and more. I didn't learn it in school when I was doing computer science and software engineering, but I know some students now that are coming out that are. So I'm kind of hopeful, but the conversations really need to be said aloud and often in order for it to happen, for sure.

REIN: You mentioned the larger structural problem here, which is that designing accessible software is a moral obligation and we work in an economic system that's not optimized around moral obligations. Let's put it that way.

MICHELE: Yeah. [laughs] That will dollar. [laughs] I think again, there's that school, are we changing that, or we're going to work within it. I think you can do both. Some people should – we should really be tackling both, any kind of inclusion efforts, same thing. Do you do it from within, or outside? Do you work within the structure, or do you dismantle it? I think there's benefits to both. I think there's benefit to basically editing what isn't working about what we're currently doing.
There's always an improvement and I tend to look at it that way. It's not so much as it's down with this and up with that. I think we just need to recognize, as human beings who can evolve and do things different, learn, grow, and get wiser, let's just do that. Let's do what we're doing better and when we recognize that we have a negative effect, let's solution something that is going to work better and just recognize that and do better. It's okay to edit. So I don't think we have to toss our hands up and say, “Oh, we'll never get there because of how this is.” That was invented, too. All of these things are constructs. At some point, the way we do things wasn't the way we did things; we did things completely differently. Empires can fall and rise and be redone. So we don't have to stay stagnant, but we can, again, start to make these changes.

REIN: I think that even within a capitalist system, there's still a place for social norms. There's still a place for deciding which behaviors we're going to accept and which behaviors we're not going to accept and what we're going to do about those. I just wouldn't expect that to be the CEO's job. I would expect that to be the entire community of the company.

MICHELE: The entire community with the CEOs. So the two companies that are the pillars, for instance, of accessibility, Microsoft and Apple, you hear their CEOs say, “We do things accessibly.” So it's not necessarily on them to forego stakeholders and stock prices and all of that. Certainly, you can't do too much if you don't have a company, so they have to do what they have to do, but there is still an okay from that and that's part of that top-down. Again, we need training. Is there money in the budget for training? That has to come from management. So there is still a recognition and it's just always beneficial when everyone is on the same page that this is how we operate; the message then doesn't ever get disconnected.
It just shifts to the role of a person and they put it into practice in their own particular way.

REIN: Martha Acosta, who is one of the few original women in safety science, she says that there are four things that leaders can control, or have leverage over—there's roles, there's processes and practices, there's values, or norms, and there's incentives. So I think this ties in with what you're saying about what the CEO's job could be.

MICHELE: Versus stock prices? Yeah. [laughs] Versus yeah. Which unfortunately is, again, I think it's even upon the CEO to take a stance on what they are going to do with their company and their time. Because certainly, the pressures are coming to them sometimes not necessarily emanating from them. So I think there is opportunity, this is why there's opportunity for everyone to evaluate what are we doing. Like you said, we can decide what is important, how are we going to go about this? And if enough people start to be even more mindful than they were yesterday, shifts are going to inevitably happen. And people who disregard others, discriminate all of these other negative effects that we've seen will inevitably have less effects because the norm will be these other ways that we're trying to include and get better as a society.

REIN: So one of the things I like to think about when we have guests, or ask guests to think about, is to think about this challenge from the perspective of a few different people. A few different personas. So I'm a manager, I'm a line level manager and the people that report to me are engineers. What can I do? Or I am a mid-level engineer, what can I do? How do we translate these ideas and principles into action?

MICHELE: So what is to understand that there are, for instance, guidelines like there are web accessibility, Web Content Accessibility Guidelines, or authoring tool guidelines, because we do need to define what it means.
At some point, there needs to be metrics and there needs to be measures that need to be placed to understand, did we do this? One way to do that is to translate those into those various roles. Some of that work has happened and some of it needs to happen. So there's understanding the tangible actions that can and should happen. But I think also, it's simply a matter of deciding that accessibility and inclusion and particularly in my world, disability is just going to be a part of everything. Every check that you make for whatever your role is. You were talking about different frameworks for different levels. Certainly, that's true. I think that we tend to separate out disability from those kinds of conversations as if it's different. It's not different. Making decisions for how you're going to manage your employees should be inclusive of disabled employees. The tools that you want them to use, the ways you want them to work, how “productive” you want them to be, how you're going to measure that. All of that should be mindful of the variety of people that you are supporting. Same with I am a developer so that means that I am writing code on behalf of a group of other people and that means I need to know who these people are.

It's funny you say personas because—I know that's not probably what you meant, but in my role, obviously that triggers the user experience personas, which I'm not a fan of. That's all another podcast. [chuckles] But when we're talking about that so in user experience we're saying, “Oh, we're designing for these people, these target audience per se.” It'll be John who's the manager and he does this on his way to work and then there's Mary. Maybe she's a stay-at-home mom, but uses it this way. Dah, dah, dah, all these other characteristics. And then we'll go so now we need disability personas. No. [chuckles] John can also be quadriplegic. Mary can also have multiple sclerosis.
So again, it goes back to the idea that we have separated out and made invisible disability. Oh, taboo. Even the word oh, it's taboo. Can't talk about disability.

REIN: Yeah. Like imagine having a separate persona for a woman, or a Black person.

MICHELE: Thank you. We don't do it. We don't do the whites only school and we'll get to the Black people later. We know that intrinsically, but we do it in everything. So same thing particularly when we're talking about inclusion of disability in all of these phases of say, an organization, we go, “And disability.” No, no, no. If we really want to think about it, disability is the equalizer. Anyone can become disabled at any moment at any time, it does not discriminate. It is the one thing that any human being can become at any time and yet we still separate it out as if it's this taboo, or a terrible thing. Now, again, there are negative outcomes of disability. Not saying that, but we have this tendency to segment it in ways that just absolutely don't make sense and aren't necessary and are detrimental and make it more work, so.

REIN: There's a book called Software Security by McGraw. It's kind of old now, but the premise is still very relevant, which is that to make software secure, you have to build security in at the beginning, and you have to keep constructing and repairing it throughout the software development life cycle. So it starts with design, but it includes, you talked about different touchpoints in the life cycle, where you want to sort of check in on whether you still are as secure as you think you are. So that includes design. It includes code review. It includes testing. I wonder if this sort of an approach works for accessibility, too; we just sort of bake it into the fabric of how you design software.

MICHELE: It should be how it works. The moniker is shift left. That's absolutely what has to happen to do it well. You have to be thinking about it all the time. Everything that you do.
So that's how my mind works now. It took a long time to do that. But now when I'm sending an email and I put a picture in, “Okay, let me put the alternative text.” I'm making a spreadsheet, “Okay, let me do the heading.” Like, I'm always constantly checking myself as I'm doing anything. “Okay, if I'm doing a podcast like this, is there a transcript, or are there captions?” I'm just constantly doing these checks. That takes time to build up, but it is the way you have to do it to make sure nothing slips through the cracks so that all the hard work that say, the design team, or the dev team did, and then QA comes in and doesn't know how to test it. We're all interdependent so it has to be everyone all the time, all throughout the process in order to get it from end to end to work; the weak link in the chain will break that. So very much how it has to go.

REIN: It also seems like there are small, actionable things that you could do to move in this direction. So for example, when you do code review, ask some accessibility questions. Maybe build yourself an accessibility checklist. Now I don't like checklists, but that's a whole other podcast, but it's better than not thinking about it.

MICHELE: Yeah. As you're learning something, sometimes the checklist is helpful because you don't yet have it in your own mind and you don't want to forget. Now you don't want to – I'm sure what you're saying is you don't want to tie yourself to the checklist, too.

REIN: Yeah.

MICHELE: But as you're building up knowledge, yes, there are so many just tangible did I do this things that you might as well just keep a sticky at your desk, or however you want to do it and just start doing those things. Again, we don't have to keep talking about it. It doesn't have to be this revelation of inclusive buy-in in order to put captions on your videos. [chuckles] These things, you know.

REIN: Yeah.
This also seems like an opportunity for tech leads to do leadership to say, “Hey, so I looked at this and the contrast ratio is a little bit low. Do you think we could punch this up in a code review?”

MICHELE: Yeah. The only thing, though is back to the beginning—being careful about these directives, making sure you understand the directives that you're doing because again, a lot of times, particularly when people are new to accessibility, they overdo it. So they hear a screen reader and they think it needs to read like a novel so they want to add in a summary of the page in the beginning, a summary of this section, and they want to overly describe the alternative text, the image down to the pixels. There's some give and take there, too. There's some learning you want to do, but you can iterate. You can learn one piece, get comfortable with it. Okay, now that this next piece. Knowledge building it's just what it is, is what it is. So there's absolutely knowledge building that you can do to get more comfortable and we need everyone to do this. There's certain parts that should be specialty, but unfortunately, the specialists are doing what everyone else should be doing the basics and so, we've got to shift that so that the specialists can do the specialty stuff, the harder stuff that may not quite get – [overtalk]

REIN: That's exactly the same problem is having a security person on your team.

MICHELE: Absolutely. So it sounds like you all have a focus on implementation. Like you're implementing and you want to know how best to make – I'm turning it on [inaudible]. [laughs] So you want to know how best to make it work for you, or is that what I'm hearing?

REIN: I guess, I lean towards practice. I want to understand the theory, but then if I can't put that theory into practice, the theory is not very useful to me. If that makes sense.

MICHELE: Absolutely makes sense.
My company name is Making Accessibility Work and a lot of what I say is put accessibility into action, because I am very much tied to this idea that you can be absolutely on board with accessibility and not have any clue how to do it. [chuckles] And then the inverse can be true, too. You can absolutely do not care, but because you care about semantic HTML, you're doing more accessibility than the person who cares. There are these places that people can be in their understanding that neither one is actually, or you think one is helping, but the other actually is. I think people think you have to care. You have to want to. Sometimes, you know what, you don't. Sometimes I just need you to fix the color contrast, [laughs] or yes, it's great that you care, but in doing so, you're actually, co-opting a message. You care a little too much and you are actually not letting disabled people speak for themselves because you've now discovered accessibility and now, you're all about it. So I think we've got to meet in the middle, folks. Let's care, let's do, let's demystify, but also understand there are some harder problems to solve, but understand where those are. Putting headings on the page is not the hard problem we need to solve. Just put the headings. Making math and science more accessible, particularly when we've made it so visualization heavy. Yeah, let's go over there. Let's tinker with that, folks and that's where we need to be putting all this massive brain power. We've had Web Content Accessibility Guidelines for 20 years. HTML5, which addressed a lot of semantics for accessibility, has been out a decade. Y'all, hurry up and learn that and let's get that going so we can get over to this harder stuff. Get this brain power over to these more complex issues and newer innovations.

JOHN: Yeah.
I think if you're one of those people that cares, like you were saying, a little too much, or perhaps just a lot, you can end up with option lock because you want to solve all the problems and then you're just like, “But what do we do? What are we doing here?” Like, I'll just put the headings in, put the alt texts in, we'll start there. You've got to get moving. And that's partly where I'm coming from with some of the questions I'm asking is that process of just getting that boulder rolling a little bit so that it takes a little bit less effort to keep going in the future.

MICHELE: Yeah, and there's no perfect way to do it. I think everyone's looking for okay, well, how do we do it? You're going to spend a year on how and again, miss the year of what and doing it. It is messy because you're hiring people, you've got people working who don't know how to do it; it's going to be disruptive. We didn't come in with this knowledge. I know you didn't hire people to then train them up and send them to school but unfortunately, you've got to do that. People need to know what to do differently, what they're doing wrong. So some of it is going to be experimental, iterative, and messy, but in the end, start giving access. We talk about language even. Do we say disability? Do we say people with? Or do we say disabled people? And do we say differently abled? Even these – okay you know what, the reality is you do all of that and still don't get access. What would be better is if you have a person with a disability at the table to tell you themselves, but you're worried about language and yet can't even hire someone with a disability. So again, it's getting out of these little zones that we sometimes get in and recognizing the real work that needs to be done and can get done today.

REIN: I think there's a real temptation to fixate on the hard, or interesting problems in the tech world that might be wanting to build this distributed database with five nines of durability.
But your API server has a bug where 1% of the requests are an error. So if you don't fix that, your five nines over here are useless.

MICHELE: The flashy thing, yes. [laughs] The shiny thing, we want to gravitate. Oftentimes, there's no glory in what was considered the grunt work, the foundational work. But I think that's where leadership could come in. I heard someone say years ago, “Appreciate the bunts” in baseball that oh, chicks dig the home run. We love the home run, but sometimes, that bunt wins the game. But that's where a leadership can come in and appreciate laying a scalable foundation of code that does not add to tech debt, or the diminishing of the bugs that you've kept rolling year after year after year, you close 50 of them. That's where, again, a change in mentality of what we value. Sometimes again, accessibility is not put at the front because sometimes it's just code changes that aren't visible to users. So users are going to think you spent a year and didn't do anything to your code, or some of them will. But again, I think that's a messaging and that's an appreciation of really trying to do, and that's even appreciating software engineering versus just coding. I have a software engineering degree and that's when I realized, “Oh, we're not just supposed to sit down and start hacking away and make sure it runs for the teacher to check it and we're done.” There's an engineering to this, but you have to value that. But also, I think there needs to be clearer consequences like speaking of engineering. If it's a building, we know the building can collapse. I don't think sometimes we appreciate what can happen if we don't do that foundational work and I think that's a shift overall and then technology and appreciation of that work.

REIN: And I appreciate what you did there, which was to subtly redirect me back to the context and to how leaders respond.
Because if building that five nines database gets you promoted and fixing that bug doesn't, what are people going to do?

MICHELE: Yeah. So what's valued and that's set. Someone sets that. That's made up. You can value whatever you want to value. You can praise whatever you want to praise. Complete tangent, but that takes me to my high school where they were intentional that the students who performed well were going to be recognized by the principal because oftentimes, it was the misbehaving students that went to the principal's office. So the principal knows all the misbehaving students, but doesn't know any of the students that are doing the actual work that the school is asking of them to do. Not trying to get too much into school systems but again, it's an intention that you will honor the work, the unseen work. We do these in other spaces; the behind-the-scenes work, the unsung heroes. That's an intentional step that you can take as well to celebrate that, too.

REIN: We have an older episode on glue work and how valuable glue work is, but how rarely it's acknowledged, or appreciated, especially by leadership and also, how it has a gender characteristic, for example. It seems to me like it might be easy to put accessibility in the category of glue work rather than in the category of like you were saying, foundational things that make us have a reliable product and a product that works for everyone.

MICHELE: And I don't know if how we've presented technology to consumers plays into that as well. Again, the new flashy wow. The other day, I just looked down at my keyboard on my computer and I just thought about we just take such advantage of the fact that I'm just sitting here typing on the keyboard. Someone had to decide what the material would be that doesn't scratch my fingertips. Someone had to decide how to make the letters so that they don't rub off, or how they light up in the back.
There's so much detail that goes into almost everything that we use and we just get so dismissive of some of it. “What's next? Eh, that's okay.” So I think, again, it's a human condition. It's the human condition to appreciate what people are doing for one another in front and behind the scenes and absolutely. But I think that also ties into, again, ableism, too. We see in assistive technology, or an adjustment because of disability as okay, that thing we can do later. But then when it becomes Alexa, when it becomes the vacuuming robot, when it becomes the new latest and greatest thing, then it's front and center and everyone wants to work on it. But it's the same technology. [chuckles] It's the same reasons that you should do it. It just happens to benefit everyone. It came out of disability, but you didn't want to think about it until you've found a benefit for all the “others.” Again, I think that's a human condition we have to correct.

REIN: There's a thing that happens once a month on Twitter, which is someone will post an image of pre-sliced vegetables and they'll say, “What kind of a lazy loser needs pre-sliced vegetables?” And then someone will respond, “Disabled people need pre-sliced vegetables.” And then the response to that will either be blocking them, or saying, “Oh my God, I'm so sorry. I had no idea.” I think that there's maybe that dynamic going on here as well.

MICHELE: Absolutely what I was thinking about, too, like Nike's shoes recently that you don't have to tie. Well, who doesn't want to sit down and tie their shoes? People who can't sit down and tie their shoes, but that was also a marketing issue. They refused to market it for disability. Like where were the disabled people? Where were the people with chronic illness, or chronic pain, or body size that just does not lend itself to bending over and tying your shoes? Why did it have to be marketed in that other way that then took away the messaging that this is a useful piece of equipment?
REIN: Yeah. Like why is this fit model not able to tie their shoes?

MICHELE: Exactly. Rather than take the angle that – again, they're all made up. Someone just happened to decide laces. We could have very easily decided this other way at the beginning. We could have very easily decided Velcro was the way. We just, I don't know, somewhere along the way, came up with laces. I think people in general have to go through their own journey of recognizing that what they were told was fact, truth, and stance was just someone's made up thing. Even these companies that we just hold as pillars started in garages. They may have started in garages 100 years ago, rather than just 50, or 20 years ago. But these things are just built. So we can build them differently. We can say them differently. It's okay. So taking away that stigma that things have to go a certain way and the way that they've been going, or at least perceived to have been going. We have got to start dismantling that.

JOHN: Harking back to a point earlier about the new shiny is always held up as always better. I read an article recently about prosthetic arms and how everyone's always really interested in building new robotic prosthetic arms. They're the new shiny, they're the cool thing to work on, and people feel good about working on them because they feel like they're helping people who need them. But that in a lot of cases, they're not better than the one that was designed 30 years ago that doesn't do a lot, but has at least a functional hook. They were following one woman through the article who had gotten one of these new ones, but it actually wasn't any better and she ended up switching back to the old one because she could get it to do the things that got her through the day and – [overtalk]

REIN: Made with titanium.
[laughter]

JOHN: And you can clearly see that probably the people that are designing these probably weren't working with people bringing that feedback into the process enough and it was designed for rather than designed by.

MICHELE: Absolutely. So Liz Jackson coined the phrase “Disability Dongle.” That's another one that comes up. The prosthetic, the exoskeleton, absolutely. The thing that non-disabled people look at in awe and look at what technology is doing, disabled people are over in the corner going, “That ain't going to help us.” [laughs] If you had asked, we would have told you we don't need that. I think we've also reached a point where we're at the harder stuff and no one's willing to tackle, I don't think always the harder stuff. So for instance, going back to blind navigation, one of the things that makes navigating difficult as a blind person—and I learned this because I talked and worked with like 80 blind people. [laughs] So one of the conclusions that I came to was that infrastructure disables blind navigation, you don't need a smart – a lot of people espouse a smart cane. Well, they had this white cane, but it needs an infrared and it needs buzzers and it needs – okay, you're going to give people carpal tunnel. The battery on that is going to die. It's not going to be reliable. And in the meantime, the thing you could have done is educate people on putting stuff at head level. So the way that we design our street signs, for instance, we do everything very car minded. We do a lot of things for cars and we forget people also have to walk and so you put obstacles, or you can educate people about trimming your trees, for instance so people aren't running into them, or how they park their cars so that they're not in the way. Some of it is also just not a technology solution. It may be more an environmental and human education solution, but you can't tell people, who have signed up to work in technology, that they must find a technology solution.
So they end up solutioning amongst themselves in ways that actually aren't helpful, but they make themselves, like you said, feel better and they promote within themselves. It's difficult to get people to undo that.

JOHN: Yeah, it strikes me like you were talking about the wheelchairs that can go up ramps, the exoskeletons, and there are certainly use cases for those sorts of things. But I think the distinction there is those are a solution to make the disabled people more abled rather than making the world more accessible. Like what they need is lower countertop so that in the wheelchair, they can still cook. That's what they need. Not the ability to walk upstairs, or have like you said, this awe-inspiring exoskeleton that just draws more attention to them and probably doesn't even solve most of the problems.

MICHELE: I'm just going to say amen. [laughs] That is it. That is the thing we need people to get. So you'll hear about the models of disability, too. Sometimes you'll hear about – you should hear about the models of disability and when people extract that and summarize that, they usually pull out two, which is the medical model, which is generally what we've been under, which is the effects of disability and how that affects the person. Therefore, these things need to happen to overcome and this sort of again, hospital, kind of what the body's doing, or what the mind is doing mindset, which is opposite of one that people often quote, which is the social model. The social model says, “No, no society, the world, my environment is disabling me. If you would just give me something more adaptive, more inclusive, I'd be good.” So a lot of examples of that, I recently read Keah Brown's book with a book club and you'll have to insert [chuckles] the link. The Pretty One is what it's called. Keah has cerebral palsy and one of the things that was a feat for her was putting her hair in a ponytail and it made you think about scrunchies and the makeup of that.
What if we just made the mechanism to have maybe a little bit more to it to grab your hair and put it in the ponytail rather than relying on the fact that you have two hands that you can do that with? So those are the differences in the mindsets of our views of disability that we need people to shift and even go sometimes again, deeper into what it is you're really doing when it comes to inclusion. Are you really being inclusive, or are you saying, “Hey person, come on to what I believe is the way of life”?

JOHN: So reflections, then.

MICHELE: My reflection, or takeaway would be that my hope is that we can find room for everyone. Everyone who wants to create great tech, everyone who has an idea, everyone who has a contribution. I hope that that doesn't continue to need to filter through say, a non-disabled person, or a certain status of job title. My hope is that we're starting to recognize that there's room for everyone to provide their perspective and it can be valued and it can be included in the ways that we operate at equal opportunity. So that's hopefully, my reflection and my takeaway.

JOHN: All right, I can go next. I think really actually the point that that's really sitting with me is what I had just said, which dawned on me as I was saying it, as we were talking in the last minute there about how the real solutions are, like you said, infrastructural. They're changing the form of society to make the disabled person able to do what they need to do rather than bringing them up to the level of whatever was currently built, or whatever that – and even there's a weird value judgment in saying, bringing them up to the level. I'm uncomfortable saying it that way. So just changing the thinking, like you said, the social model is, I think a powerful change and thought process around this, and I'm going to keep turning that one around in my head.
REIN: I think for me, I'm coming back to the idea that just like security, accessibility has to be built in throughout the process of designing and building software. You can't have a part of your software delivery life cycle where that's the only place where you think about accessibility. You can't just think about it during design, for example, and you can't just have a team of accessibility experts that you go to sometimes when you need help with accessibility. It's really everyone's job and it's everyone's job all the time.

MICHELE: I love it. I'm going to change the world. [laughs]

Special Guest: Dr. Michele A. Williams.

CERIAS Security Seminar Podcast
Gary McGraw, Security Engineering for Machine Learning

May 26, 2021, 62:27


Machine Learning appears to have made impressive progress on many tasks including image classification, machine translation, autonomous vehicle control, playing complex games including chess, Go, and Atari video games, and more. This has led to much breathless popular press coverage of Artificial Intelligence, and has elevated deep learning to an almost magical status in the eyes of the public. ML, especially of the deep learning sort, is not magic, however. ML has become so popular that its application, though often poorly understood and partially motivated by hype, is exploding. In my view, this is not necessarily a good thing. I am concerned with the systematic risk invoked by adopting ML in a haphazard fashion. Our research at the Berryville Institute of Machine Learning (BIML) is focused on understanding and categorizing security engineering risks introduced by ML at the design level. Though the idea of addressing security risk in ML is not a new one, most previous work has focused on either particular attacks against running ML systems (a kind of dynamic analysis) or on operational security issues surrounding ML. This talk focuses on the results of an architectural risk analysis (sometimes called a threat model) of ML systems in general. A list of the top five (of 78 known) ML security risks will be presented.

About the speaker: Gary McGraw is co-founder of the Berryville Institute of Machine Learning. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications. Gary serves on the Advisory Boards of Code DX, Maxmyinterest, Runsafe Security, and Secure Code Warrior. He has also served as a Board member of Cigital and Codiscope (acquired by Synopsys) and as Advisor to Black Duck (acquired by Synopsys), Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). Gary produced the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine for thirteen years. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the Luddy School of Informatics, Computing, and Engineering.

CERIAS Security Seminar Podcast
Gary McGraw, "Security Engineering for Machine Learning"

CERIAS Security Seminar Podcast

Play Episode Listen Later May 26, 2021


Machine Learning appears to have made impressive progress on many tasks including image classification, machine translation, autonomous vehicle control, playing complex games including chess, Go, and Atari video games, and more. This has led to much breathless popular press coverage of Artificial Intelligence, and has elevated deep learning to an almost magical status in the eyes of the public. ML, especially of the deep learning sort, is not magic, however.  ML has become so popular that its application, though often poorly understood and partially motivated by hype, is exploding. In my view, this is not necessarily a good thing. I am concerned with the systematic risk invoked by adopting ML in a haphazard fashion. Our research at the Berryville Institute of Machine Learning (BIIML) is focused on understanding and categorizing security engineering risks introduced by ML at the design level.  Though the idea of addressing security risk in ML is not a new one, most previous work has focused on either particular attacks against running ML systems (a kind of dynamic analysis) or on operational security issues surrounding ML. This talk focuses on the results of an architectural risk analysis (sometimes called a threat model) of ML systems in general.  A list of the top five (of 78 known) ML security risks will be presented.

Down the Security Rabbithole Podcast
DtSR Episode 444 - TPA Gary is Awful at Retirement

Down the Security Rabbithole Podcast

Apr 27, 2021 (46:57)


Prologue: I'm honored to have Gary McGraw on with James and myself on this episode. I hadn't realized, but Gary retired from (what was formerly) Cigital - and by retired I mean "started something new". Gary sucks at retirement, but he's brilliant and has a lot to say about machine learning and its applications, so you should really listen in. No, "AI" isn't going to take over security - but it's worth exploring the enormous contributions machine learning makes to our lives and how they can be abused.

Guest: Gary McGraw
Twitter: https://twitter.com/noplasticshower
Home: https://www.garymcgraw.com/
Boards he's on: https://www.garymcgraw.com/technology/business/
Info on Berryville Institute: https://berryvilleiml.com/
ARA for ML: https://berryvilleiml.com/results/ara.pdf

Lessons from the School of Cyber Hard Knocks
Lessons from the Lessons: It's a Meta World!

Lessons from the School of Cyber Hard Knocks

Feb 14, 2021 (25:44)


For our 25th episode, our host and CEO, Joe Saunders, reflects on his lessons learned over the past 24 episodes. He focuses on 6 specific episodes: John Graham-Cumming, Greg Touhill, Tony Sager, Gary McGraw, Rick Howard, and Ron Ross. He shares his insight on how these episodes touch on three different kinds of lessons: personal development & leadership, business, and technical.

Lessons from the School of Cyber Hard Knocks
Dr. Gary McGraw: Process Does Matter

Lessons from the School of Cyber Hard Knocks

Jan 14, 2021 (21:38)


Today's Guest: Dr. Gary McGraw, Co-Founder of the Berryville Institute of Machine Learning. In this episode, Dr. Gary McGraw discusses co-founding the Berryville Institute of Machine Learning, the risk factors associated with machine learning, his background and early career work, the difficulties surrounding software security, and a fun story here and there. Dr. McGraw is an advisor to RunSafe Security.

Coach and Coordinator Podcast
Cornerback Techniques and Wearing Different Hats- Gary McGraw, Sam Houston State

Coach and Coordinator Podcast

Dec 31, 2020 (41:56)


On today's episode of Coach and Coordinator, host Keith Grabowski welcomes Gary McGraw to the podcast. McGraw wears multiple hats at Sam Houston State, including Cornerbacks Coach, Special Teams Coordinator, Defensive Pass Game Coordinator and Defensive Recruiting Coordinator. Coach joins the podcast to talk about how he handles different defensive back techniques as well as how he manages all his different coaching roles.

Show Notes:
2:04 When McGraw decided he wanted to become a football coach
3:14 Obstacles he faced along his coaching journey
4:56 What McGraw did to hone his skills and how it helped him move up the coaching ranks
6:54 How Coach gets his position group and unit to buy in
9:06 How McGraw teaches press technique
11:57 Adjusting if the WR steps back and reading him
14:01 Technique for defending the back corner fade
16:44 How Coach handles all his different job titles
20:44 What he looks at as the defensive pass game coordinator
25:35 What kinds of RPOs Coach has seen and how he defends them
28:12 How Coach defends against coaches trying to get him out of specific looks
31:05 Keys to not getting picked or rubbed on routes
32:37 Key coaching points for teaching his players to tackle
35:24 Key situations he puts his players in during practice
37:09 Winning Edge

Decipher Security Podcast

Semi-retired software security expert Gary McGraw joins Dennis Fisher to talk about the root causes of supply chain breaches and his new work on machine learning security.

Engineering News Online Audio Articles
Covid-19 taking heavy toll on dealerships, says NADA

Engineering News Online Audio Articles

Oct 29, 2020 (2:46)


The Covid-19 pandemic has seen six amalgamations between dealerships from April 1 to September 30, as well as the sale of 19 dealerships and the closure of 38 dealerships among the members of the National Automobile Dealers' Association (NADA), the association's national director Gary McGraw tells Engineering News Online. According to statistics from the Motor Industry Bargaining Council (Mibco), 16 183 jobs were lost in the total South African auto retail aftermarket from March 1 to September 30 – not just dealerships, he adds. "Unfortunately, we are expecting more given that many businesses are still finalising consultations as per labour law requirements, so this number is due to increase." McGraw says dealerships that intervened early on to protect cash flow and right-size operations are the ones that have been able to weather the storm. "Successful dealerships realised early that if new vehicle sales were low they needed to market their used vehicle, workshop and parts departments more actively to ensure greater contributions from those departments to the bottom line. "Many dealers were also able to negotiate revised terms of credit with their financial institutions, landlords, suppliers, and so forth, thereby controlling and protecting cash flow within the business."

Survival of the Fittest

The South African retail motor industry is coming to grips with the new normal after a demanding and difficult trading period through the heavy stages of lockdown, says NADA chairperson Mark Dommisse. Most dealerships have right-sized their operations and tightened financial controls over the past six months to counter the downturn in vehicle sales, service appointments and parts sales. Dommisse says that if a dealer is not at least breaking even at this stage, heading into the last quarter of the year, then its management must act quickly to do so. "It really is survival of the fittest at the moment. Businesses need to adapt and evolve in the changing climate in order to survive. "It's really tough out there and we can't bob and weave our way out of trouble at this stage. We must face the challenges head on," he advises. "Even if dealers are making some profit, this is not the time to rest on laurels. There is still worrying economic news on the horizon, including a shrinking car parc with relatively few sales to rental companies and a lagging wave of unemployment in the middle class, which makes up an important component of our customer base. "Hopefully, operating in Level 1 of the lockdown, some of the retrenchment flow will be stemmed."

Software Security Gurus
Software Security Gurus Episode #1: Dr. Gary McGraw

Software Security Gurus

May 4, 2020 (27:04)


Welcome to the Software Security Gurus webcast with Matias Madou. In this inaugural episode, Matias interviews Dr. Gary McGraw, one of the godfathers of software security and founder of the Berryville Institute of Machine Learning. They discuss the history, present, and future of software security, as well as how these principles may apply to the new frontier of machine learning and AI. For more information, please visit www.softwaresecuritygurus.com.

We Wonder Podcast
15. How to secure AI against bad actors

We Wonder Podcast

Apr 9, 2020 (42:31)


Security is an emergent property of good system design and engineering and it's no different with AI. Except it's totally different. In this episode we talk with Dr. Gary McGraw, a key voice in the software security world who has turned his focus to ML security. We discuss his recent publication in which he identifies a taxonomy of 78 particular risks to ML. Follow his work through his organization, the Berryville Institute of Machine Learning, and access the paper there.

LØRN.TECH
#0572: CYBERSEC: Lillian Rostad: (In)secure products and services

LØRN.TECH

Jan 23, 2020 (32:49)


How do you attract women into technology, and with what? And what protection does the consumer actually have when it comes to security requirements for all the new "gadgets"? In this episode of #LØRN, Silvija talks with Lillian Røstad, Managing Director Business Consulting at Sopra Steria, about the importance of taking security more seriously during the development of new technology. "I think it is about role models, showing that you can and that it is completely normal to be a woman in technology. I also think people are driven by seeing the societal benefit and usefulness of technology," she says in the episode.

What you learn in this episode: Security and privacy; Security requirements for innovations; Knowledgeable users; Lifelong learning.

Recommended reading: Geekonomics – The Real Cost of Insecure Software; the Krebs on Security blog by Brian Krebs; talks by Gary McGraw; OWASP Top 10.

Task Force 7 Cyber Security Radio
Encore: Ep. 27: Getting Security Right At The Design Phase

Task Force 7 Cyber Security Radio

Dec 17, 2019 (57:42)


Dr. Gary McGraw, renowned American Computer Scientist and Vice President of Security Technology at Synopsys, talks about his efforts around the Building Security in Maturity Model (BSIMM) project, conducted over years of software security drama with over 109 of the world's leading companies across various different sectors, and he explains why security at the design phase of software is so vitally important. Dr. McGraw also talks about his new study with numerous CISOs around the country to evaluate how information security is approached from a financial, compliance, technology, and business enabler perspective in their respective organizations. Host George Rettas also provides his analysis on the new Office of Inspector General (OIG) Report that states that The Office of the Interior is in disarray when it comes to their Cyber Security Posture almost 3 years after the OPM breach.

The Valley Today
LFCC: Tech Bytes

The Valley Today

Dec 12, 2019 (30:43)


We were in the studio with Brandy Boies, Director of Marketing and Outreach for Lord Fairfax Community College, and her guest, Melissa Stange, Professor of Computer Science, to talk about their Computer Science programs and their Tech Bytes talk series. Tech Bytes is a FREE monthly technology talk program open to the public. The program is coordinated and sponsored by the Computer Science program through a grant and in partnership with the Lord Fairfax Community College student technology organization CS2 Playground and the IEEE NoVA Section Education Society. Upcoming talks include:
January 22, 2020, 6:00pm - Gary McGraw, Berryville Institute of Machine Learning
February 19, 2020, 6:00pm - Kay Connelly, Informatics, Indiana University, Bloomington
March 11, 2020, 1:00pm - Richard Danzig, Retired Secretary of the Navy
April 8, 2020, 6:00pm - Heather Wilson, Analytics, L Brands
Talks are scheduled for one hour with Q&A. Please register one day prior.

The Georgian Impact Podcast | AI, ML & More
Episode 44: Gary McGraw Knows Software Security

The Georgian Impact Podcast | AI, ML & More

Nov 25, 2019 (30:30)


Gary McGraw is the Vice President of Security Technology at Synopsys, the best-selling author of "Software Security" and 11 other books, and the man behind the Silver Bullet Security Podcast. In this episode, Ben Wilde interviews him about everything from the BSIMM and OWASP Top 10 to software security best practices and how to get companies to start thinking about security early and often. https://www.garymcgraw.com/ https://www.bsimm.com/ https://cybersecurity.ieee.org/center-for-secure-design/ https://www.maxmyinterest.com/

Security Voices
A conversation with software security pioneer Gary McGraw

Security Voices

Mar 22, 2019 (61:31)


Recently "retired" software security legend Gary McGraw joins us for an unfiltered conversation with Jack at his farmhouse in rural Virginia. Gary walks us through the history of software security with his characteristic sharp humor and insights, sparing no "poser or pretender" along the path to today (including the term "app sec" itself). Beyond his impressive career in security, any conversation with Gary uncovers his diverse interests, from his life as a musician to his travels, from reading fiction to writing books. Jack's interview of Gary is no exception: it paints a portrait as colorful as the man himself. This is the 4th and final episode in our app sec (er.... software) security series.

Collective Intelligence
Collective Intelligence Podcast, Gary McGraw on Software and Supply Chain Security

Collective Intelligence

Oct 17, 2018 (31:07)


Software security expert Gary McGraw discusses the recently released Building Security In Maturity Model report. BSIMM 9 includes contributors from 120 enterprises worldwide, and is used as a measurement tool to evaluate software security practices and identify trends in the practice. Gary also comments on the current state of supply chain security and how companies should be working with vendors on the transparency of software security provided by third parties.

Secure Podcast
Episode 005

Secure Podcast

May 3, 2018 (65:46)


Edition No. 5 had as its special guest the famous Gary McGraw, software security expert and author of 12 books, among them several of the best known, such as: Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games. He currently serves as Vice President Security Technology at Synopsys. We talked about the CISO Report and the 4 tribes he was able to identify among the CISOs and companies surveyed. To present on the use of social networks and the importance of personal brands, Mariana Quesada, a specialist in the subject and in inbound marketing, told us what a personal brand is, the importance of having one, how to create one correctly, and different tools and ways of generating valuable content. Team present: Maximiliano Soler @MaxiSoler, Emiliano Piscitelli @emilianox

Task Force 7 Cyber Security Radio
Ep. 27: Getting Security Right At The Design Phase

Task Force 7 Cyber Security Radio

Apr 9, 2018 (56:54)


Dr. Gary McGraw, renowned American Computer Scientist and Vice President of Security Technology at Synopsys, talks about his efforts around the Building Security in Maturity Model (BSIMM) project, conducted over years of software security drama with over 109 of the world's leading companies across various different sectors, and he explains why security at the design phase of software is so vitally important. Dr. McGraw also talks about his new study with numerous CISOs around the country to evaluate how information security is approached from a financial, compliance, technology, and business enabler perspective in their respective organizations. Host George Rettas also provides his analysis on the new Office of Inspector General (OIG) Report that states that The Office of the Interior is in disarray when it comes to their Cyber Security Posture almost 3 years after the OPM breach.

Collective Intelligence
Collective Intelligence Episode 1 Gary McGraw

Collective Intelligence

Jan 24, 2018 (31:44)


Flashpoint Editorial Director Mike Mimoso talks to Gary McGraw, vice president of security technology at Synopsys and one of the pioneers of software security. Mike and Gary discuss Synopsys' recent CISO Report, which identifies four approaches to the chief information security officer role in the enterprise. The report provides security executives with data culled from interviews with CISOs at 25 large companies, identifying key characteristics and discriminators, and providing some insight on career development and progression. Gary and Mike also discuss how quickly information security has become a mainstream topic and part of the fabric of everyday life.

Cyber Security Interviews
#013 – Gary McGraw: Security Is Hard Work

Cyber Security Interviews

Feb 13, 2017 (52:54)


Dr. Gary McGraw is the Vice President of Security Technology at SearchSecurity (http://www.techtarget.com/contributor/Gary-McGraw), is frequently quoted in the press, and regularly speaks at major cyber security conferences. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Max Financial, NTrepid, and Ravenwhite. He has also served as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). Gary holds a dual PhD in Cognitive Science and Computer Science from Indiana University where he serves on the Silver Bullet Security Podcast (https://www.garymcgraw.com/technology/silver-bullet-podcast/) for IEEE Security & Privacy Magazine (syndicated by SearchSecurity). Gary is also a self-described "alpha geek" and a pioneer in the field of computer security. However, Gary is also a big proponent of life outside of tech. He lives in a farmhouse in Virginia, collects art, plays several musical instruments, is an experienced cook, and shares a hobby of mine, craft cocktails. I am truly honored to have him on the show. In this episode we discuss giving back to your community (https://www.garymcgraw.com/life/philanthropy/), and much more. I hope you enjoy this discussion. Please leave your comments below!

Where you can find Gary:
GaryMcgraw.com (https://www.garymcgraw.com)
Twitter (https://twitter.com/cigitalgem)
Cigital Blog (https://www.cigital.com/blog/author/gem/)

Books:
Software Security (https://www.amazon.com/gp/product/0321356705/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=0321356705&linkCode=as2&tag=cybersecur030-20&linkId=417ecc37df732e8ad6383b6c4ec155ae)
Exploiting Software (https://www.amazon.com/gp/search/ref=as_li_qf_sp_sr_tl?ie=UTF8&tag=cybersecur030-20&keywords=0201786958&index=aps&camp=1789&creative=9325&linkCode=ur2&linkId=224bfb88103109010acfd8b5cd660acc)
Building Secure Software (https://www.amazon.com/gp/product/0321774957/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=0321774957&linkCode=as2&tag=cybersecur030-20&linkId=3df2b736994d4194703778d4bcfa64ea)
Java Security (https://www.amazon.com/Java-Security-Gary-McGraw/dp/047117842X/ref=as_sl_pc_qf_sp_asin_til?tag=cybersecur030-20&linkCode=w00&linkId=500e0538eb5e7eb3a8c32a0c6464deaa&creativeASIN=047117842X)
Exploiting Online Games (https://www.amazon.com/Exploiting-Online-Games-Massively-Distributed/dp/0132271915/ref=as_sl_pc_qf_sp_asin_til?tag=cybersecur030-20&linkCode=w00&linkId=2b3efa27084aed29604adbe958d64c41&creativeASIN=0132271915)
Amazon author page for Gary (http://amzn.to/2ljjgaJ)

The Liberal Cocktail
1 1⁄2 oz Rye
1⁄2 oz Sweet vermouth
1⁄4 oz Amer Picon (Note: see https://cybersecurityinterviews.com/contact/ for substitution recommendations)
1 ds Orange bitters
Instructions: Stir, strain, straight up, cocktail glass

Brakeing Down Security Podcast
2016-048: Dr. Gary McGraw, Building Security into your SDLC, w/ Special guest host Joe Gray!

Brakeing Down Security Podcast

Dec 3, 2016 (71:07)


As part of our ongoing discussion about the #SDLC and getting security baked in as far left as possible, Joe Gray, host of the Advanced Persistent Security #Podcast (find it at https://advancedpersistentsecurity.net/), Mr. Boettcher, and I sat down with Dr. Gary McGraw, author of "Software Security: Building Security In", to discuss his book. We are also doing this book as part of the Brakeing Security Book Club (check out our #Slack channel for more information). Gary walks us through the 7 Kingdoms of getting more security in, including doing automated and manual code audits, proper penetration testing of the application at various stages (testing), documentation (if you don't know how it works, how can you test it?), and your Security Operations people, monitoring for things once it goes into production. Also, find out which chapter he thinks you should skip altogether... the answer may surprise you... :) Join Mr. Gray, Mr. Boettcher, and me for a discussion with a true leader in the software and application security industry.

Buy the book on Amazon: https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705
Check out Gary's website at https://www.garymcgraw.com/, and check out Gary's own podcast, the Silver Bullet Security Podcast, at https://www.garymcgraw.com/technology/silver-bullet-podcast/
Gary's twitter is @cigitalgem
Joe Gray's twitter is @C_3PJoe

Special deal for our #BrakeSec listeners: "If you have an interesting security talk and fancy visiting Amsterdam in the spring, then submit your talk to the Hack In The Box Amsterdam conference, which will take place between 10 to 14 April 2017. The Call For Papers (#CFP) is open until the end of December; submission details can be found at https://cfp.hackinthebox.org/. Tickets are already on sale, with early bird prices until December 31st. And the 'brakeingsecurity' discount code gets you a 10% discount".
Brakeing Down Security thanks Sebastian Paul Avarvarei and all the organizers of Hack In The Box (#HITB) for this opportunity!

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-048-Gary_McGraw_Securing_Your_SDLC_and_guest_host_Joe_Gray.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-048-dr.-gary-mcgraw-building/id799131292?i=1000378548363&mt=2
YouTube: https://www.youtube.com/watch?v=x65yL5_Hpi4
Join our Slack Channel! Sign up at https://brakesec.signup.team
#RSS: http://www.brakeingsecurity.com/rss
#Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback, or Suggestions? Contact us via Email: bds.podcast@gmail.com
#Twitter: @brakesec @boettcherpwned @bryanbrake
#Facebook: https://www.facebook.com/BrakeingDownSec/
#Tumblr: http://brakeingdownsecurity.tumblr.com/
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

Advanced Persistent Security
Brakeing Down the Advanced Persistent Security…

Advanced Persistent Security

Dec 3, 2016 (70:35)


Brakeing Down the Advanced Persistent Security Podcast Holiday Special and Book Club Kickoff. Make sure you're wearing your ugly Christmas sweater and have a glass of eggnog when you enjoy ...

Advanced Persistent Security
Help Families Affected by the Smoky Mountain Wildfires

Advanced Persistent Security

Nov 29, 2016 (3:26)


Help families Affected by the Smoky Mountain Wildfires If you’re a regular reader, you’ll know that I am not one to ask for help or money. I am not asking ...

Brakeing Down Security Podcast
2016-047: Inserting Security into the SDLC, finding Privilege Escalation in poorly configured Linux systems

Brakeing Down Security Podcast

Nov 27, 2016 (19:50)


Just a quick episode this week... As part of the Brakesec Book Club (join us on our #Slack Channel for more information!) we are discussing Dr. Gary McGraw's book "Software Security: Building Security In" (Amazon Link: https://is.gd/QtHQcM). We talk about the need to insert security into your company's #SDLC... but what exactly can be done to enable that? I talk about how abuse cases, #risk #analysis, creating test cases, pentesting, and #security #operations are all methods to do so. Finally, I discovered a blog talking about ways to discover configuration errors on Linux systems that might allow #privilege #escalation to occur. Using these tools as part of your hardening processes could lower the risk of a bad actor gaining elevated privileges on your *unix hosts: http://rajhackingarticles.blogspot.com/2016/11/4-ways-to-get-linux-privilege-escalation.html

You can find the github of this script and the audit software that I mentioned below:
https://github.com/rebootuser/LinEnum.git
#Lynis (from CISOfy): https://cisofy.com/lynis/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-047-inserting_security_into_the_SDLC_finding_Linux_priv_esc.mp3
#iTunes: https://itunes.apple.com/us/podcast/2016-047-inserting-security/id799131292?i=1000378329598&mt=2
#YouTube: https://www.youtube.com/watch?v=Kd_ZzvVNqoA
Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast

Brakeing Down Security Podcast
2016-046: BlackNurse, Buenoware, ICMP, Atombombing, and PDF converter fails

Brakeing Down Security Podcast

Nov 20, 2016 (44:50)


This week, Mr. Boettcher found himself with an interesting conundrum concerning what happened when he converted a Windows DOCX file to a PDF using a popular #PDF converter software. We discuss what happened, how Software Restriction Policy in Windows kept him safe from a potential malware infection, and the logging that occurred. After that, we discuss some recent vulnerabilities, like the BlackNurse resource exhaustion vulnerability and how you can protect your infrastructure from a DDoS that can occur from someone sending your firewall 300 packets a second... which anyone can do. We discuss Robert Graham's recent run-in with a new surveillance camera and how it was pwned in less time than you think. And learn about the 'buenoware' that has been released that 'patches' IoT and embedded devices... But does it do more harm than good, and is it legal? All that and more this week on Brakeing Down Security Podcast!

Check out our official #Slack Channel! Sign up at https://brakesec.signup.team
Next Book Club session is 29 November 2016. Our current book for study is 'Software Security: Building Security In' by Dr. Gary McGraw: https://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705 (ebook is available on Safari Books Online)

#BlackNurse:
https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/
http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/
http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack
ICMP Type 3, Code 3 (Destination Port Unreachable): http://www.faqs.org/rfcs/rfc792.html
Recent tweet from @boettcherpwned about infected docx with macros; we discuss why Foxit PDF runs the macros and open_document: https://twitter.com/boettcherpwned/status/799726266693713920
Brakesec Podcast about Software Restriction Policy and Application Whitelisting on Windows: http://traffic.libsyn.com/brakeingsecurity/2016-018-software_restriction_policy-applocker.mp3
Rob Graham @errataBob: new camera pwned by #Mirai botnet and others within 5 minutes: https://twitter.com/newsyc200/status/799761390915424261
#SHA1 deprecated on website certs by Chrome on 1 January 2017: http://www.darkreading.com/operations/as-deadline-looms-35-percent-of-web-sites-still-rely-on-sha-1/d/d-id/1327522
#Benevolent #malware (buenoware): https://isc.sans.edu/diary/Benevolent+malware%3F+reincarnaLinux.Wifatch/21703
#Atombombing:
http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions
https://breakingmalware.com/injection-techniques/atombombing-cfg-protected-processes/
http://www.pandasecurity.com/mediacenter/malware/atombombing-windows-cybersecurity/

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-046-Black_Nurse_buenoware_IoT_pwnage.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-046-blacknurse-buenoware/id799131292?i=1000378076060&mt=2
Youtube: https://www.youtube.com/watch?v=w-FEJuWGXaQ

Software Engineering Institute (SEI) Podcast Series
Build Security In Maturity Model (BSIMM) – Practices from Seventy Eight Organizations

Feb 3, 2016 (31:27)


The Building Security In Maturity Model (BSIMM) is the result of a multi-year study of real-world software security initiatives. It is built directly from data observed in 78 software security initiatives from firms in nine market sectors. The best way to use the BSIMM is to compare and contrast your own initiative with the data about what other organizations are doing as described in the model. You can then identify goals and objectives and refer to the BSIMM to determine which additional activities make sense for you. The BSIMM data show that high-maturity initiatives are well-rounded—carrying out numerous activities in all 12 of the practices described by the model. The model also describes how mature software security initiatives evolve, change, and improve over time. In this podcast, Gary McGraw, the Chief Technology Officer for Cigital, discusses the latest version of BSIMM and how to take advantage of observed practices from high-performing organizations.

The Web Platform Podcast
28: Securing our Web Applications

Jan 28, 2015 (58:40)


Gary McGraw (@cigitalgem), CTO of the security giant Cigital, chats with us about how web developers, and software engineers in general, can best secure the applications we are building today. We dive into best practices, team collaboration techniques, where to go for further information, and what companies like Cigital are doing for the web security community.
Resources
Cigital - http://www.cigital.com/
The Silver Bullet Podcast - http://www.cigital.com/silver-bullet/
Web Application Security Consortium - http://www.webappsec.org/
Software Security - Building Security In - http://www.amazon.com/Software-Security-Building-In/dp/0321356705
NodeGoat - http://nodegoat.herokuapp.com/login
RailsGoat - http://railsgoat.cktricky.com/
Gary's books - http://www.cigital.com/~gem/books/
Charlie Miller Interview - http://www.cigital.com/silver-bullet/show-095/
OWASP - https://www.owasp.org/
Panelists
Adi Chikara - ATG Lead at 3Pillar Global
Christian Smith - Open Source developer & Startup Enthusiast
Chetan Karande - Senior Software Engineer at Omgeo
Erik Isaksen - UX Engineer at 3Pillar Global
Rob Simpson - Senior Front End Developer at Capco
Nick Niemeir - JavaScript Agent Engineer at New Relic

Paul's Security Weekly TV
Episode 366: Interview with Gary McGraw

Mar 23, 2014 (39:22)


Gary McGraw is the author of many books and over 100 peer-reviewed publications on IT security. In addition, Gary McGraw serves on the Dean’s Advisory Council for the School of Informatics of Indiana University, and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT). Gary is the Chief Technical Officer at Cigital Inc. In addition, he serves on the advisory boards of several companies, including Dasient, Fortify Software, Invincea, and Raven White. He holds a dual PhD in Cognitive Science and Computer Science from Indiana University. In the past, Gary McGraw has served on the IEEE Computer Society Board of Governors.

Paul's Security Weekly
Interview with Gary McGraw - Episode 366 - March 20, 2014

Mar 23, 2014 (39:16)


Gary McGraw is the author of many books and over 100 peer-reviewed publications on IT security. In addition, Gary McGraw serves on the Dean’s Advisory Council for the School of Informatics of Indiana University, and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT). Gary is the Chief Technical Officer at Cigital Inc. In addition, he serves on the advisory boards of several companies, including Dasient, Fortify Software, Invincea, and Raven White. He holds a dual PhD in Cognitive Science and Computer Science from Indiana University. In the past, Gary McGraw has served on the IEEE Computer Society Board of Governors.

ISTS: Institute for Security, Technology, and Society
Cyber War, Cyber Peace, Stones, and Glass Houses

Apr 26, 2012 (79:30)


Ill-informed lawmakers and policymakers, rather than true experts, are addressing issues of cybersecurity and are focused on the wrong issues. This was the message presented April 26, 2012 by Gary McGraw, Chief Technology Officer of Cigital, Inc. and a leading authority on software security. The talk was co-sponsored by ISTS and the War and Peace Studies Program of the Dickey Center for International Understanding.

CERIAS Security Seminar Podcast
Gary McGraw, Building Security In Maturity Model (BSIMM)

Oct 7, 2009 (51:27)


As a discipline, software security has made great progress over the last decade. There are now at least 46 large-scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives using the twelve practices of the Software Security Framework as our guide. Those companies among the nine who graciously agreed to be identified include: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real programs at different levels of maturity, was used to guide the construction of the Building Security In Maturity Model (BSIMM). This talk will describe the observation-based maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works: people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large-scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Since its March release, the BSIMM is being expanded to include BSIMM Europe, BSIMM II, and BSIMM Lite. Use the BSIMM as a yardstick to determine where you stand and what kind of software security plan will work best for you.
About the speaker:
company: http://www.cigital.com
podcast: http://www.cigital.com/silverbullet
podcast: http://www.cigital.com/realitycheck
blog: http://www.cigital.com/justiceleague
book: http://www.swsec.com
personal: http://www.cigital.com/~gem
Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Java Security, Building Secure Software, Exploiting Software, Software Security, and Exploiting Online Games; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors, produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and produces the Reality Check Security Podcast for CSO Online.

Software Engineering Radio - The Podcast for Professional Software Developers

This episode features an interview with the software security expert Gary McGraw. Gary explains why this topic is so important and gives several examples of security deficiencies that he found in the past. The second half of the interview is about his latest book 'Exploiting Online Games', where he explains how online games are hacked and why this is relevant to everybody, not only gamers in their 'First Life'.

OOPSLA 2007
Episode 7: Gary McGraw on Security

OOPSLA 2007

Play Episode Listen Later Aug 20, 2007


Guest: Gary McGraw
Host: Michael Kircher
Software security is an issue that everyone faces but that not everyone gets right. Sometimes, our programming languages claim to provide us a level of security that they cannot deliver. Fortunately, folks like Gary McGraw, the CTO of Cigital, have studied software, language technology, and security. McGraw defines software security as "how to approach computer security if you are a software developer or architect". In his experience, the best way to build secure software is to have the people who build our systems think carefully about security while they are building them. Security is part of both the system's architecture and its implementation. At OOPSLA, McGraw -- a globally recognized authority on software security and the author of six best-selling books on this topic -- is teaching a tutorial called Software Security: Building Security In that will present a detailed approach to getting past theory and putting software security into practice. The tutorial will give a lesson in applied risk management and then present a number of software security best practices. Listen to this podcast to hear Michael Kircher of SE Radio chat with Gary about software security, patterns of attack on software, and some of the most timely issues in security as applied to online games.

Credit Union Information Security Podcast
CUInfoSecurity.com Interviews Gary McGraw on His Thoughts of Information Security at Financial Institutions

Jan 24, 2007


Banking Information Security Podcast
BankInfoSecurity.com Interviews Gary McGraw on His Thoughts of Information Security at Financial Institutions

Jan 24, 2007


Banking Information Security Podcast
CUInfoSecurity.com Interviews Gary McGraw on His Thoughts of Information Security at Financial Institutions

Jan 24, 2007


CERIAS Security Seminar Podcast
Gary McGraw, Building Secure Software

Jan 10, 2001 (61:25)


Computer security takes on more importance as commerce becomes e-commerce and business embraces the Net. However, little progress has been made in the security field, especially when vendor technology is considered. Popular press coverage of computer security orbits around basic technology issues such as what firewalls are, when to use the DES encryption algorithm, which anti-virus product is best, or how the latest email-based attack works. The problem is, many security practitioners don't know what the problem is. It's the software! Internet-enabled software applications, especially custom applications, present the most common security risk encountered today, and are the target of choice for real hackers. This talk is all about software security risk and how to manage it. The trick is to begin early, know your threats (including language-based flaws and pitfalls), design for security, and subject your design to thorough objective risk analyses and testing. This talk covers material that software practitioners, including architects and languages researchers, can use to avoid security problems and produce more secure Internet-based code.
About the speaker: Gary McGraw is the Vice President of Corporate Technology at Cigital (formerly Reliable Software Technologies), where he pursues research in software security while leading the Software Security Group. He holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He has written over sixty peer-reviewed technical publications, consults with major e-commerce vendors including Visa, Ericsson, and the Federal Reserve, and has served as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program. Dr. McGraw serves on the Boards of Counterpane, Finjan, NetCertainty, and ChainMail, Inc. He also chairs the National Infosec Research Council's Malicious Code Infosec Science and Technology Study Group. Dr. McGraw is a noted authority on mobile code security and co-authored both Java Security (Wiley, 1996) and Securing Java (Wiley, 1999) with Prof. Ed Felten of Princeton. Dr. McGraw also co-authored Software Fault Injection (Wiley, 1998) with Jeff Voas. Dr. McGraw is currently writing a book entitled Building Secure Software (Addison-Wesley, 2001). He regularly contributes to popular trade publications and is often quoted in national press articles.
