Software Security: Building Security In

Gary McGraw, Cigital

Software security has come a long way, but we've really only just begun. I will present a coherent and detailed approach to getting past theory and putting software security into practice. By describing a manageably small set of touchpoints based around the software artifacts produced by every software development process, I avoid religious warfare over process and get on with the business of software security. That means you can adopt the touchpoints without radically changing the way you build software. The touchpoints I will describe include:

  • Code review using static analysis tools
  • Architectural risk analysis and threat modeling
  • Penetration testing
  • Security testing
  • Abuse case development
  • Security requirements
Like the yin and the yang, software security requires a careful balance -- attack and defense, exploiting and designing, breaking and building -- inextricably mixed in a coherent package. Through a unification of proactive design and careful exploit-driven testing built on a foundation of risk management, you can properly address software-induced security risk. The touchpoints can and should be taught in every software course (even those courses that are presumably not about security). Come find out what they should be teaching you.


Gary McGraw, Cigital, Inc.'s CTO, researches software security and sets technical vision in the area of Software Quality Management. Dr. McGraw is co-author of five best-selling books: Exploiting Software (Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001), Software Fault Injection (Wiley, 1998), Securing Java (Wiley, 1999), and Java Security (Wiley, 1996). His new book Software Security: Building Security In (Addison-Wesley, 2006) was released in February 2006. A world authority on software security, Dr. McGraw consults with major software producers and consumers. Dr. McGraw has written over seventy-five peer-reviewed technical publications and serves as principal investigator on grants from Air Force Research Labs, DARPA, the National Science Foundation, and NIST's Advanced Technology Program. He serves on the Advisory Boards of Authentica, Counterpane, and Fortify Software, and advises the CS Department at UC Davis, the CS Department at UVa, and the School of Informatics at Indiana University. Dr. McGraw holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He is a member of the IEEE Security and Privacy Task Force, and was recently elected to the IEEE Computer Society Board of Governors. He writes a monthly security column for IT Architect magazine, is the editor of Building Security In for IEEE Security & Privacy magazine, and is often quoted in the press.

16 March (Thursday) at 1630 hrs

Gates 4B (opposite 490)