The Silver Bullet Security Podcast

On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget. Dennis helps run SearchSecurity.com and Information Security Magazine. Gary and Dennis discuss the current “BS factor” in security journalism, shopping at TJ Maxx right after the TJX privacy breach, the state of software security, and which is harder: being a fry cook at Hardees or working as a PR flack.

• Dennis’ blog
• TJX
• Joe Walsh plays dirty laundry
• Software Security Grows
• Dennis’ un-named podcast
• Series of Tubes
• Hardees
• Nike/iPod

 

 Show 029 - An Interview with Dennis Fisher [23:50m]: Play Now | Play in Popup | Download

On the 28th episode of The Silver Bullet Security Podcast, Gary interviews Bill Cheswick, a lead member of technical staff at AT&T Research and all around security guru. Bill has been working in computer security for over 35 years. He coined the term “proxy” in 1990 with reference to firewalls, and co-authored the book Firewalls and Internet Security which was used to train an entire generation of sys admins. Gary and Bill discuss whether we’re winning or losing the computer security war, how security threats have evolved from pimply-faced teenagers to organized crime, whether we should move security into “the cloud,” and whether re-naming “Christmas lights” to “solstice lights” would bypass NJ holiday decoration ordinances.

• Bill Cheswick
• AT&T Research
• Lumeta
• FWIS
• “The Design of a Secure Internet Gateway” (Usenix 1990, coining of “proxy”)
• The Apache web server
• Turtles all the Way Down
• Ed Amoroso’s Silver Bullet Podcast (use blink test to compare)
• Solstice Lights

 

 Show 028 - An Interview with Bill Cheswick [23:59m]: Play Now | Play in Popup | Download

On the 27th episode of The Silver Bullet Security Podcast, Gary interviews software security expert Gunnar Peterson, a Managing Principal at Arctec Group. Gary and Gunnar begin with the age-old question, “What is security?” They go on to discuss how Web 2.0 and SOA security is progressing, the big idea behind “federated identity,” whether all market verticals can follow the software security lead of the financial services industry, and the inherent badness of the color purple.

• Build Security In column from IEEE S&P
• Gunnar’s Blog
• informIT (Securing Web 3.0)
• Metricon 3.0
• Butler Lampson on Security
• Federated Identity
• Ping Identity
• Gerald Weinberg
• Verizon Business Security: Patching Conundrum

 

 Show 027 - An Interview with Gunnar Peterson [27:56m]: Play Now | Play in Popup | Download

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was the following the letter, rather than the spirit, of PCI. Also on the agenda, duck-billed platypuses, Kandinski, and books by Pynchon.

(Beginning with this episode, Silver Bullet will be available as a 192k MP3.)

• Transcript of this episode
• Emergent Chaos blog
• The New School of Information Security
• Microsoft’s SDL
• Cigital’s Touchpoints
• IEEE Security & Privacy magazine
• Wassily Kandinsky
• The CardSystems breach (2005)
• Thomas Pynchon

 

 Show 026 - An Interview with Adam Shostack [30:12m]: Play Now | Play in Popup | Download

Jon Swartz, USA Today’s award-winning technology reporter and Pulitzer Prize nominee, is Gary’s guest on the 25th episode of The Silver Bullet Security Podcast. They discuss Jon’s new book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity and the research that went into writing it. Gary and Jon also cover how cybercrime is driven by capitalist principals, why the general public’s attitude is so lax about software security, and how, even though it’s hard to get an accurate count of identity theft instances, they tend to show a sharp upward trend. Jon ends the episode by disclosing his secret dream career.

(Apologies for the below-average sound quality on this episode.)

• Transcript of this episode [PDF]
• Zero Day Threat
• Jon’s USA Today articles
• Three recent articles:
• Microsoft still seen with a win
• Online crime’s impact spreads
• AOL, News Corp. join battle over Yahoo
• The New Face of Cybercrime trailer

 

 Show 025 - An Interview with Jon Swartz [27:49m]: Play Now | Play in Popup | Download

Oracle Chief Security Officer Mary Ann Davidson is the guest on the 24th episode of The Silver Bullet Security Podcast. Gary and Mary Ann discuss how an MBA helps in the CSO role, Oracle’s “Unbreakable” campaign, why everyone needs training in secure coding, and how military history informs computer security. They also talk about how a young CSO-to-be got her first library card.

• Mary Ann Davidson’s blog
• Unbreakable Linux
• Lone Survivor

 

 Show 024 - An Interview with Mary Ann Davidson [28:45m]: Play Now | Play in Popup | Download

On the 23rd episode of The Silver Bullet Security Podcast, Gary talks with Chris Wysopal, founder and CTO of Veracode and author of The Art of Software Security Testing. Chris was one of the seven original members of the L0pht hacker collective (operating under the hacker handle Weld Pond) and later went on to work for @stake. Gary and Chris reminisce about L0pht (and the warehouse full of stuff) and discuss the role of security researchers now versus in the mid-late ’90s. They also talk about the current state of the software security market and its continued growth.

• Chris’ Wikipedia entry
• The Art of Software Security Testing
• Veracode
• Zero in a bit - Veracode’s blog
• L0pht Heavy Industries
• Vulnwatch
• SOURCE: Boston 2008

 

 Show 023 - An Interview with Chris Wysopal [24:48m]: Play Now | Play in Popup | Download

On the 22nd episode of The Silver Bullet Security Podcast, Gary interviews Ed Amoroso, Chief Information Security Officer of AT&T. They discuss how Peter Neumann influenced Ed, the difference between bugs and flaws and whether bugs are getting too much attention, the propensity for confusion around how security actually works, privacy, security, and monitoring, and software correctness/quality vs software security. They also discuss the Hugh Thompson show now airing on AT&T’s Tech Channel.

• Transcript of this episode [PDF]
• Cyber Security
• Fundamentals of Computer Security Technology
• Silver Bullet Interview with Peter Neumann
• AT&T’s Tech Channel
• Gary on The Hugh Thompson Show

 

 Show 022 - An Interview with Ed Amoroso [32:25m]: Play Now | Play in Popup | Download

For the 21st episode of The Silver Bullet Security Podcast, Gary hosts a panel discussion with Cigital’s principals. Participants include Sammy Migues (Director of Training and Knowledge Management), John Steven (Principal Consultant) and Pravir Chandra (Principal Consultant). The group discusses the best ways for large companies to get started with software security and the similarities between CLASP, Microsoft’s SDL, and the Security Touchpoints. They also ponder how much the security testing burden should fall on QA and whether developing expertise in architectural risk analysis or threat modeling is more helpful. John Steven also discusses the hole in his dining room, which threat modeling would not have helped to prevent.

• Transcript of this episode [PDF]
• Justice League blog
• Threat Modeling - a blog entry by John Steven
• OWASP Top 10 for 2007
• OWASP
• The Shmoo Group

 

 Show 021 - A Panel Discussion with Cigital's Principals [23:35m]: Play Now | Play in Popup | Download

Get the Flash Player to see this player.