
Dr. Gary McGraw

Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area.

He is a globally recognized authority on software security and the author of six best selling books on this topic. The latest, Exploiting Online Games: Cheating Massively Distributed Systems was released in 2007. His other titles include Securing Java: Getting Down to Business with Mobile Code, Building Secure Software: How to Avoid Security Problems the Right Way, Exploiting Software: How to Break Code, and Software Security: Building Security In; and he is editor of the Addison-Wesley Software Security series.

Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press.

Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White.

His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.


Description

Software Security Touchpoint: Architectural Risk Analysis

In my book Software Security, I introduce seven essential best practices for software security. The two most important touchpoints in terms of effectiveness are code review with a static analysis tool and architectural risk analysis. This talk explains how to ferret out architecture and design flaws in your software system. Beginning with the development of a forest-level view of your code, a simple three-step process can be used to find both well-understood flaws (seen all the time in software) and absolutely new flaws (never seen before). I will provide examples of several architectural flaws and describe how they were discovered and what we did about them. If you believe that software security is all about SQL injection and cross-site scripting, attend this talk and find out why there's more to it than code.

Partners:

Solvay Brussels School of Economics and Management
Katholieke Universiteit Leuven

Affiliated organizations:

OWASP
NESSoS
STREWS

Contents of the secappdev.org website are licensed under a Creative Commons Attribution-NonCommercial 3.0 License.