Cigital CTO, author, and S&P editorial board member Gary McGraw in conversation with prominent security experts. S&P will publish excerpts of the in-depth 20-minute interviews in article format. Check back regularly for additional podcasts.

Podcast 037
On the 37th episode of The Silver Bullet Security Podcast, Gary interviews Virgil Gligor, Professor at Carnegie Mellon University in the Department of Electrical and Computer Engineering and co-director of CyLab. Gary and Virgil discuss how information security has changed in the last 35 years, why software security will be with us forever, and how Virgil's childhood in Romania has shaped his views on security.

Podcast 036
On this special third anniversary episode of Silver Bullet, Gary is the victim, being interviewed by James McGovern, Enterprise Architect for The Hartford Financial Services Group and OWASP maven. Gary and James discuss the recently released Building Security In Maturity Model, how companies with Software Security Groups retain their best and brightest, Microsoft's Trustworthy Computing initiative and SDL program, and what less expensive tools small organizations with only a few developers can use.

Podcast 035
On the 35th episode of The Silver Bullet Security Podcast, Gary talks with Daniel Suarez, independent consultant and author of Daemon, a new techno-thriller about a gamer who reaches from beyond the grave to declare war on all of humanity. They talk about the use of MMORPGs and flash mobs for nefarious means in the form of a distributed emergent attack, the current state of AI, and the follow-up to Daemon, Freedom.

Podcast 034
Gary interviews Bill Brenner, senior editor at CSO Online and CSO Magazine. They discuss how delivering the security message changes based on the audience (executives versus geeks and CSOs versus CIOs), the much-exaggerated death of print media, and balancing headline-grabbing sensationalism with solid security business coverage.

Podcast 033
On the 33rd episode of The Silver Bullet Security Podcast, Gary talks with Laurie Williams, Associate Professor of Computer Science at North Carolina State University. Gary and Laurie discuss Laurie's nine years at IBM, Agile's adoption in the commercial space, XP and software security, and what changes Laurie would make to the standard computer science curriculum to better prepare students.

Podcast 032
The 32nd episode of The Silver Bullet Security Podcast features founder and Chief Technology Officer of WhiteHat Security, Jeremiah Grossman. Gary and Jeremiah discuss clickjacking, cross-site request forgery, why 50 percent of Web problems can't be reliably discovered by automated tools, and which conferences Jeremiah most enjoyed on his 2008 world tour.

Podcast 031
On the 31st episode of The Silver Bullet Security Podcast, Gary talks with Matt Bishop, professor of Computer Science at UC Davis and author of the book Computer Security: Art and Science. Gary and Matt discuss Matt's plan to work security analysis and secure coding into a wider computer science curriculum, Matt's early work with Mike Dilger on TOCTOU (time-of-check-to-time-of-use) race conditions, whether or not progress is being made in the field of software security, and the role of training in large-scale software security initiatives.

Podcast 030
On the 30th episode of The Silver Bullet Security Podcast, Gary talks with Ken van Wyk, principal and founder of KRvW Associates. Ken was the first employee of CERT and has been an active member of FIRST. Ken and Gary discuss why the discipline of computer science doesn't learn from failure the way mechanical engineering does, how we're taking steps backwards in computer security, and whether focusing on Web applications is a good or bad thing for software security.

Podcast 029
On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget. Dennis helps run SearchSecurity.com and Information Security Magazine. Gary and Dennis discuss security journalism, shopping at TJ Maxx right after the TJX privacy breach, the state of software security, and which is harder: being a fry cook at Hardee's or working as a PR flack.

Podcast 028
Gary interviews Bill Cheswick, a lead member of technical staff at AT&T Research and all-around security guru. Bill has been working in computer security for over 35 years. He coined the term "proxy" in 1990 with reference to firewalls, and coauthored the book Firewalls and Internet Security, which was used to train an entire generation of sysadmins. Gary and Bill discuss whether we're winning or losing the computer security war, how security threats have evolved from pimply-faced teenagers to organized crime, and whether we should move security into "the cloud."

Podcast 027
On the 27th episode of The Silver Bullet Security Podcast, Gary interviews software security expert Gunnar Peterson, a Managing Principal at Arctec Group. Gary and Gunnar begin with the age-old question, "What is security?" They go on to discuss how Web 2.0 and SOA security is progressing, the big idea behind "federated identity," and whether all market verticals can follow the software security lead of the financial services industry.

Podcast 026
The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft's Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art and literature inform Adam's current work, and the main ideas behind Adam's new book The New School of Information Security. They also chat about Adam's aversion to the term "best practices," the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem in the CardSystems breach was following the letter, rather than the spirit, of PCI.
Podcast 025
Jon Swartz, USA Today's award-winning technology reporter and Pulitzer Prize nominee, is Gary's guest. They discuss Jon's new book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity. Gary and Jon also cover how cybercrime is driven by capitalist principles and why the general public's attitude toward software security is so lax.

Podcast 024
Oracle Chief Security Officer Mary Ann Davidson is the guest on the 24th episode of The Silver Bullet Security Podcast. Gary and Mary Ann discuss how an MBA helps in the CSO role, Oracle's "Unbreakable" campaign, why everyone needs training in secure coding, and how military history informs computer security.

Podcast 023
Gary talks with Chris Wysopal, founder and CTO of Veracode and author of The Art of Software Security Testing. Chris was one of the seven original members of the L0pht hacker collective (operating under the hacker handle Weld Pond) and later went on to work for @stake. Gary and Chris discuss the role of security researchers now versus in the mid-to-late 90s. They also talk about the current state of the software security market and its continued growth.

Podcast 022
On the 22nd episode, Gary interviews Ed Amoroso, Chief Information Security Officer of AT&T. They discuss how Peter Neumann influenced Ed, the difference between bugs (implementation-level defects) and flaws (design-level defects), whether bugs are getting too much attention, and the propensity for confusion around how security actually works.

Podcast 021
Gary hosts a panel discussion with Cigital's principals. Participants include Sammy Migues (Director of Training and Knowledge Management), John Steven (Principal Consultant), and Pravir Chandra (Principal Consultant). The group discusses several topics, including the best ways for large companies to get started with software security and how much of the security testing burden should fall on QA.

Podcast 020
On the landmark 20th episode of The Silver Bullet Security Podcast, Gary interviews Markus Jakobsson, associate professor of informatics and associate director of the Center for Applied Cybersecurity Research at Indiana University. They discuss the difference between academic and corporate research, the idea of "perfect privacy," and how cartoons can be used to teach security.

Podcast 019
On the 19th episode of The Silver Bullet Security Podcast, Gary interviews Mikko Hyppönen, Chief Research Officer at F-Secure. Gary and Mikko discuss whether mobile viruses are all hype or a legitimate threat, whether the iPhone as a closed system is good or bad for security, and Mikko's prediction for the appearance of the first mobile botnet.

Podcast 018
The 18th episode of The Silver Bullet Security Podcast features Eugene Spafford, better known as "Spaf." Spaf is the executive director of the Center for Education and Research in Information Assurance and Security (CERIAS). Gary and Spaf discuss the role of software testing in computer security, whether commercial certifications obviate the need for academic training, "ethical hacking," and why auditing and compliance is an area of emerging specialization.

Podcast 017
Gary chats with Eric Cole, CEO of Secure Anchor. Eric has written seven computer security books on topics such as steganography and network security. Gary and Eric discuss how to demonstrate security ROI in different types of organizations, the academic approach to security versus practitioner certification models, and what types of training make for good network security practitioners.

Podcast 016
The 16th episode of The Silver Bullet Security Podcast features Greg Hoglund, who runs the popular rootkit.com Web site, is CEO of HB Gary, and is the coauthor of Rootkits: Subverting the Windows Kernel and Exploiting Software. Gary and Greg discuss the natural tendency of certain types of code to allow exploits, how disclosure is a good thing when it comes to revealing exploits, and the use of rootkits by the "good guys."

Podcast 015
On the 15th episode of The Silver Bullet Security Podcast, Gary interviews Annie Antón, associate professor of Software Engineering at North Carolina State University and director of theprivacyplace.org. Annie and Gary focus on privacy, starting with an attempt to define what "privacy" is in the digital world, then airline privacy policies, the impact that a Google/Doubleclick deal would have on consumer privacy, and EULAs.

Podcast 014
The 14th episode of The Silver Bullet Security Podcast features Peter Neumann, designer of the Multics OS file system, moderator of comp.risks, and principal scientist at the SRI Computer Science Laboratory. Gary and Peter discuss the most important changes in computer security since the 1960s, the discipline involved in early Multics engineering, and why DRM is the "wrong solution to the wrong problem."

Podcast 013
Gary chats with Ross Anderson, professor of security engineering at the Computer Laboratory at Cambridge University and author of Security Engineering. Gary and Ross discuss the simple reasons why most systems fail, the economic imbalance between engineers/developers and a system's users (with respect to who should address security), and why publicly describing attacks is essential to security engineering.

Podcast 012
In the latest edition of The Silver Bullet Security Podcast, Gary chats with Becky Bace about her 12 years at the US National Security Agency, where she worked on intrusion detection and cryptography. They also talk about the evolution of security curricula in academia, the rampant commercialization of computer security, and Becky's involvement in tracking down the notorious Kevin Mitnick.
Podcast 011
On the 11th episode of The Silver Bullet Security Podcast, Gary talks with Dorothy Denning, a professor in the Department of Defense Analysis at the Naval Postgraduate School. Gary and Dorothy discuss Dorothy's involvement in the Clipper Chip controversy (which earned her the moniker "clipper chick"), geo-encryption, and a famous 1990 paper she wrote describing a series of interviews with malicious hackers.

Podcast 010
The tenth episode of The Silver Bullet Security Podcast features a panel discussion with the Fortify Software Technical Advisory Board, several of whom have been featured on previous episodes. The group discusses what commercial software tools can learn from academic research, software security in China, real-world lessons learned while using static analysis tools, and software security pedagogy.

Participating members of the Technical Advisory Board include:
- Bill Pugh, Professor at University of Maryland, static analysis for finding bugs
- Li Gong, GM at Microsoft, MSN in China
- Marcus Ranum, CSO of Tenable Network Security, security products trainer
- Avi Rubin, Professor at Johns Hopkins, electronic voting security
- Fred Schneider, Professor at Cornell, trustworthy computing
- Greg Morrisett, Professor at Harvard, dependent type theory
- Matt Bishop, Professor at UC Davis, computer security
- Dave Wagner, Professor at Berkeley, software security and electronic voting
Podcast 009
Gary interviews Bruce Schneier, founder and CTO of Counterpane. Gary and Bruce discuss the connection between physical security and its technological component, the idea of risk management, the intersection of economics and security, and the ideas of "wholesale surveillance" and "security theater."

Podcast 008
In the eighth episode, Gary chats with Brian Chess, cofounder and chief scientist of Fortify Software. Gary and Brian discuss what commercial developers and academics have to learn from each other, what it's like to work for a Kleiner Perkins start-up, and how mystifying it is that some developers are fine with XSS vulnerabilities in their Web applications.

Podcast 007
Gary interviews Cisco Chief Security Officer John Stewart about what CSOs do all day, how John got started in computer security, and the infamous Morris worm from 1988 (which John was deeply involved in responding to while a student at Syracuse). John also revisits Cisco-gate and talks about how his identity was stolen.

Podcast 006
In the sixth episode, Gary chats with Michael Howard, senior security program manager of Microsoft's Security Technology Unit. Michael discusses what it's been like watching the company come to grips with software security. Gary and Michael also discuss the security features of Windows Vista and Michael's recommendations for the two most important best practices when developing secure software.

Podcast 005
The fifth edition features Ed Felten, professor of computer science and public affairs at Princeton University. Gary and Ed take a look at Ed's predictions for 2006 and how he's faring so far. They also discuss the difficulty of addressing technology issues with lawmakers and the importance of public policy and the law to computer scientists.

Podcast 004
In the fourth episode, Gary talks to Dana Epp, CEO and founder of Scorpion Software. Dana also runs a popular software security blog. On this show, Dana and Gary talk about past programming disasters, the security implications of systems with ever-increasing complexity, suggestions for new developers interested in learning about software security, and regulation's role in information security.

Podcast 003
This time out, Gary chats with Marcus Ranum, who is widely credited with inventing the proxy firewall. They discuss Richard Feynman, power tools for home repair and improvement, why Marcus thinks we're not making progress in the computer security field, and how common sense would help computer security.

Podcast 002
In this episode of The Silver Bullet Security Podcast, Gary chats with Dan Geer, chief scientist at Verdasys. They discuss the need to understand both technology and business in order to be a good security practitioner, Dan's take on monoculture, his "Cyber Insecurity" paper, and work on Project Athena.

Podcast 001
In this first interview of the series, Gary McGraw speaks with Avi Rubin, professor of computer science at Johns Hopkins University and director of the US National Science Foundation-funded ACCURATE Center (A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections), about the state of e-voting and how he got started breaking into things.