Secure Coding mailing list archives

OWASP interviews McGraw (oh my)


From: gem at cigital.com (Gary McGraw)
Date: Mon, 26 Jan 2009 12:58:46 -0500

hi sc-l,

OWASP just posted an interview with me as part of their budding podcast series.  It's nice to have the tables turned 
after doing all the Silver Bullet (and Reality Check) interviews!  It's also nice to be able to answer some of the 
questions that OWASP types have about Cigital's approach to software security.

Download the podcast here: https://www.owasp.org/index.php/Podcast_5

The OWASP interviewer is Jim Manico, and he did a great job.  He was a little worried about some of the questions he 
asked.  In fact, off the record he kept saying he was sorry and telling me that I did not have to address certain 
questions.  Personally, I enjoyed the questions he asked immensely.  Though some of his questions were loaded, I do 
hope that my answers may serve to clarify our position and eliminate OWASP concerns.

Here are a few of the many more questions I address in the podcast:

 *   Why do you insist on use of the term "software security" as opposed to "application security"?
 *   What is static analysis good for and what is it no good for?
 *   What is the exact relationship between Cigital and Fortify?
 *   Why do you think your "top 19" is any better than the OWASP top 10 or the CWE top 25?  (Special note, the 19 Sins 
work is Mike Howard's and John Viega's...I was not involved.)
 *   Why does Cigital have a proprietary approach to IP?
 *   What makes the Touchpoints any better than the SDL or CLASP?
 *   What is your relationship with Allan Paller and SANS?
 *   Who picked the "porn music" theme for Silver Bullet?

As an extra bonus, the theme music for this episode is a song written and recorded by my band Where's Aubrey.

Anyway, enjoy the podcast, and let me know what you think about my answers!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com
