The Silver Bullet Security Podcast

The 32nd episode of The Silver Bullet Security Podcast features founder and Chief Technology Officer of WhiteHat Security, Jeremiah Grossman. Gary and Jeremiah discuss clickjacking, cross-site request forgery, why 50% of web problems can’t be discovered reliably automatically, and which conferences Jeremiah most enjoyed on his 2008 world tour.

• Jeremiah Grossman
• Clickjacking
• Adobe 0-day Browser Exploit
• Cross-Site Request Forgeries: Exploitation and Prevention [PDF]
• Web Spoofing: An Internet Con Game by Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach.
• Web application scan-o-meter
• The “Wall of Fame”

 

 Show 032 - An Interview with Jeremiah Grossman [29:20m]: Play Now | Play in Popup | Download

On the 31st episode of The Silver Bullet Security Podcast, Gary talks with Matt Bishop, professor of Computer Science at UC Davis and author of the book Computer Security: Art and Science as well as many peer-reviewed papers. Gary and Matt discuss Matt’s plan to work security analysis and secure coding into a wider computer science cirriculum, Matt’s early work with Mike Dilger on TOCTOU, whether or not progress is being made in the field of software security, and the role of training in large-scale software security initiatives. Their chat closes with a mention of Matt’s home menagerie (which does not include any one-legged chickens at this time).

• Matt Bishop
• IEEE Security & Privacy Magazine
• Computer Security: Art and Science
• Silver Bullet Security Podcast interview with Dorothy Denning
• Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security (the “Ware Report” referred to in the podcast)
• Secure Computer Systems: Mathematical Foundations - The Bell Lapadula model [PDF]
• Secure Computer System: Unified Exposition and Multics Interpretation [PDF]
• Testing C Programs for Buffer Overflow Vulnerabilities - Eric Haugh, Matt Bishop [PDF]
• TOCTOU
• Checking for Race Conditions in File Accesses by Matt Bishop and Michael Dilger
• “The Song of the One Legged Chicken”

 

 Show 031 - An Interview with Matt Bishop [24:24m]: Play Now | Play in Popup | Download

On the 30th episode of The Silver Bullet Security Podcast, Gary talks with Ken van Wyk, principal and founder of KRvW Associates. Ken was the first employee of CERT and has been an active member of FIRST. Ken and Gary discuss why the discipline of computer science doesn’t learn from failure like mechanical engineering does, how we’re making steps backwards in computer security, whether focusing on web applications is a good or bad thing for software security, and Ken’s recommendation for moderately-priced red wines.

• Ken’s personal page
• KRvW Associates
• CERT
• FIRST
• Secure Coding
• Incident Response
• SC-L mailing list
• From the foreword to Secure Programming with Static Analysis - blog entry with photo of Tacoma Narrows Bridge
• TJX’s stock increase since the January 2007 security breach
• The Addison-Wesley Software Security Series
• Barbera D’Asti wines

 

 Show 030 - An Interview with Ken van Wyk [21:48m]: Play Now | Play in Popup | Download

On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget. Dennis helps run SearchSecurity.com and Information Security Magazine. Gary and Dennis discuss the current “BS factor” in security journalism, shopping at TJ Maxx right after the TJX privacy breach, the state of software security, and which is harder: being a fry cook at Hardees or working as a PR flack.

• Dennis’ blog
• TJX
• Joe Walsh plays dirty laundry
• Software Security Grows
• Dennis’ un-named podcast
• Series of Tubes
• Hardees
• Nike/iPod

 

 Show 029 - An Interview with Dennis Fisher [23:50m]: Play Now | Play in Popup | Download

On the 28th episode of The Silver Bullet Security Podcast, Gary interviews Bill Cheswick, a lead member of technical staff at AT&T Research and all around security guru. Bill has been working in computer security for over 35 years. He coined the term “proxy” in 1990 with reference to firewalls, and co-authored the book Firewalls and Internet Security which was used to train an entire generation of sys admins. Gary and Bill discuss whether we’re winning or losing the computer security war, how security threats have evolved from pimply-faced teenagers to organized crime, whether we should move security into “the cloud,” and whether re-naming “Christmas lights” to “solstice lights” would bypass NJ holiday decoration ordinances.

• Transcript of this episode [PDF]
• Bill Cheswick
• AT&T Research
• Lumeta
• FWIS
• “The Design of a Secure Internet Gateway” (Usenix 1990, coining of “proxy”)
• The Apache web server
• Turtles all the Way Down
• Ed Amoroso’s Silver Bullet Podcast (use blink test to compare)
• Solstice Lights

 

 Show 028 - An Interview with Bill Cheswick [23:59m]: Play Now | Play in Popup | Download

On the 27th episode of The Silver Bullet Security Podcast, Gary interviews software security expert Gunnar Peterson, a Managing Principal at Arctec Group. Gary and Gunnar begin with the age-old question, “What is security?” They go on to discuss how Web 2.0 and SOA security is progressing, the big idea behind “federated identity,” whether all market verticals can follow the software security lead of the financial services industry, and the inherent badness of the color purple.

• Build Security In column from IEEE S&P
• Gunnar’s Blog
• informIT (Securing Web 3.0)
• Metricon 3.0
• Butler Lampson on Security
• Federated Identity
• Ping Identity
• Gerald Weinberg
• Verizon Business Security: Patching Conundrum

 

 Show 027 - An Interview with Gunnar Peterson [27:56m]: Play Now | Play in Popup | Download

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was the following the letter, rather than the spirit, of PCI. Also on the agenda, duck-billed platypuses, Kandinski, and books by Pynchon.

(Beginning with this episode, Silver Bullet will be available as a 192k MP3.)

• Transcript of this episode [PDF]
• Emergent Chaos blog
• The New School of Information Security
• Microsoft’s SDL
• Cigital’s Touchpoints
• IEEE Security & Privacy magazine
• Wassily Kandinsky
• The CardSystems breach (2005)
• Thomas Pynchon

 

 Show 026 - An Interview with Adam Shostack [30:12m]: Play Now | Play in Popup | Download

Jon Swartz, USA Today’s award-winning technology reporter and Pulitzer Prize nominee, is Gary’s guest on the 25th episode of The Silver Bullet Security Podcast. They discuss Jon’s new book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity and the research that went into writing it. Gary and Jon also cover how cybercrime is driven by capitalist principals, why the general public’s attitude is so lax about software security, and how, even though it’s hard to get an accurate count of identity theft instances, they tend to show a sharp upward trend. Jon ends the episode by disclosing his secret dream career.

(Apologies for the below-average sound quality on this episode.)

• Transcript of this episode [PDF]
• Zero Day Threat
• Jon’s USA Today articles
• Three recent articles:
• Microsoft still seen with a win
• Online crime’s impact spreads
• AOL, News Corp. join battle over Yahoo
• The New Face of Cybercrime trailer

 

 Show 025 - An Interview with Jon Swartz [27:49m]: Play Now | Play in Popup | Download

Oracle Chief Security Officer Mary Ann Davidson is the guest on the 24th episode of The Silver Bullet Security Podcast. Gary and Mary Ann discuss how an MBA helps in the CSO role, Oracle’s “Unbreakable” campaign, why everyone needs training in secure coding, and how military history informs computer security. They also talk about how a young CSO-to-be got her first library card.

• Mary Ann Davidson’s blog
• Unbreakable Linux
• Lone Survivor

 

 Show 024 - An Interview with Mary Ann Davidson [28:45m]: Play Now | Play in Popup | Download

On the 23rd episode of The Silver Bullet Security Podcast, Gary talks with Chris Wysopal, founder and CTO of Veracode and author of The Art of Software Security Testing. Chris was one of the seven original members of the L0pht hacker collective (operating under the hacker handle Weld Pond) and later went on to work for @stake. Gary and Chris reminisce about L0pht (and the warehouse full of stuff) and discuss the role of security researchers now versus in the mid-late ’90s. They also talk about the current state of the software security market and its continued growth.

• Chris’ Wikipedia entry
• The Art of Software Security Testing
• Veracode
• Zero in a bit - Veracode’s blog
• L0pht Heavy Industries
• Vulnwatch
• SOURCE: Boston 2008

 

 Show 023 - An Interview with Chris Wysopal [24:48m]: Play Now | Play in Popup | Download