Secure Coding mailing list archives

OWASP interviews McGraw (oh my)


From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Mon, 26 Jan 2009 13:54:54 -0500

Some questions that I would have asked:

1. The trend towards offshoring software development is increasing. When
do you think customers will be able to have confidence in the ability of
outsourcing vendors to develop secure software without it being
considered a "special" service?

2. Do you think industry analysts and the media at large are doing a
good enough job of helping raise awareness? What do you think magazines
such as InformationWeek, CIO and Forbes should be doing that they
aren't?

3. While you are an employee of Cigital, what other security firms do
you think offer high quality consulting services in this space?

4. Many organizations no longer budget for "developer" tools. Do you
think that static analysis will fail economically if funding for
development has shifted away from developer activities?

5. What are the gaps that OWASP and other security-oriented communities
aren't yet thinking about?

6. Name some examples of Fortune enterprises who you think are thinking
about software security correctly?

7. Microsoft is the industry whipping boy, and if we acknowledge that
customers may not want them to be more secure, as core changes may break
backward compatibility, is software security always doomed to
mediocrity?

8. To become a competent software security professional, what do you
think the ideal career path looks like?

9. What bloggers do you think can bring insight into understanding
secure coding practices?

10. Any opinions on whether Sun, EMC, Oracle and CA are making adequate
progress towards software security being built into their products?

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of Gary McGraw
Sent: Monday, January 26, 2009 12:59 PM
To: Secure Code Mailing List
Subject: [SC-L] OWASP interviews McGraw (oh my)

hi sc-l,

OWASP just posted an interview with me as part of their budding podcast
series.  It's nice to have the tables turned after doing all the Silver
Bullet (and Reality Check) interviews!  It's also nice to be able to
answer some of the questions that OWASP types have about Cigital's
approach to software security.

Download the podcast here: https://www.owasp.org/index.php/Podcast_5

The OWASP interviewer is Jim Manico, and he did a great job.  He was a
little worried about some of the questions he asked.  In fact, off the
record he kept saying he was sorry and telling me that I did not have to
address certain questions.  Personally, I enjoyed the questions he asked
immensely.  Though some of his questions were loaded, I do hope that my
answers may serve to clarify our position and eliminate OWASP concerns.

Here are a few of the many more questions I address in the podcast:

 *   Why do you insist on use of the term "software security" as opposed
to "application security"?
 *   What is static analysis good for and what is it no good for?
 *   What is the exact relationship between Cigital and Fortify?
 *   Why do you think your "top 19" is any better than the OWASP top 10
or the CWE top 25?  (Special note, the 19 Sins work is Mike Howard's and
John Viega's...I was not involved.)
 *   Why does Cigital have a proprietary approach to IP?
 *   What makes the Touchpoints any better than the SDL or CLASP?
 *   What is your relationship with Allan Paller and SANS?
 *   Who picked the "porn music" theme for Silver Bullet?

As an extra bonus, the theme music for this episode is a song written
and recorded by my band Where's Aubrey.

Anyway, enjoy the podcast, and let me know what you think about my
answers!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org List
information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com) as a free, non-commercial service to the software
security community.
_______________________________________________