Gary McGraw - Security and the Complexity of Today's Software
Update: 2013-08-28
Description
"Security defects come in two flavors: bugs in the implementation and flaws in the design. We're paying quite a bit of attention to bugs and not enough attention to flaws." -- Gary McGraw
Gary McGraw thinks in broad strokes. In our "50 in 50" discussion, he goes beyond our talk of component-based vulnerabilities and leads the discussion to the problems inherent in building complex applications. From there, we talk about his latest initiatives: architectural risk analysis and how to measure your software security initiative.
"What happens when you compose things that were secure, but then you compose them in a way that the designers did not anticipate. It leads to a crazy kind of security flaw." -- Gary McGraw
Highlights from our discussion
00:20 How do you integrate software security into DevOps
01:30 The concept of "moving left" in the application development cycle
02:55 Defining software security practices that are useful no matter what the software development life cycle is
05:37 Security at the component level
07:15 Three levels of insecurity: creation of components, components in production, and combining components in an insecure way
08:31 Software security for specific verticals
11:36 Consumer assumption of software security
13:03 Architectural risk analysis and threat modeling
13:52 Measuring your software initiative
Resources
Cigital
BSIMM
About Gary McGraw
I am a technologist, a scientist, a musician, a writer, and a father. I work at Cigital near the Blue Ridge Mountains in Dulles, VA. I live on the Shenandoah River about a mile from the Appalachian Trail in a house built in 1760. Berryville, VA is the closest town, but we're much closer to the Holy Cross Abbey. I am married to Amy Barley. Together, we raise our two boys Jack and Eli.