Resources

Key Software Security Concepts

Seven Touchpoints for Software Security

Lightweight software security best practices called touchpoints are applied to various software artifacts. By referring only to software artifacts, we can avoid battles over any particular process. See an illustration and more information.

Three Pillars of Software Security

The three pillars of software security are risk management, software security touchpoints, and knowledge. See an illustration and more information.

Seven Pernicious Kingdoms

The seven pernicious kingdoms taxonomy of common software security bugs is introduced in chapter 12. Many examples of specific bugs, along with code samples can be found at vulncat.fortifysoftware.com.

Subscribe for $29!

informIT article series

• What Works in Software Security (February 26, 2010)
• Cargo Cult Computer Security (January 28, 2010)
• You Really Need a Software Security Group (December 21, 2009)
• BSIMM Europe (November 10, 2009)
• Startup Lessons (October 22, 2009)
• BSIMM Begin (September 24, 2009)
• Attack Categories and History Prediction (August 25, 2009)
• Moving U.S. Cybersecurity Beyond Cyberplatitudes (July 16, 2009)
• Measuring Software Security (June 18, 2009)
• Twitter Security (May 15, 2009)
• Software Security Comes of Age (April 16, 2009)
• The Building Security In Maturity Model (BSIMM) (March 16, 2009)
• Nine Things Everybody Does: Software Security Activities from the BSIMM (February 9, 2009)
• Top 11 Reasons Why Top 10 (or Top 25) Lists Don't Work (January 13, 2009)
• Software Security Top 10 Surprises (December 15, 2008)
• Web Applications and Software Security (November 14, 2008)
• A Software Security Framework: Working Towards a Realistic Maturity Model (October 15, 2008)
• Getting Past the Bug Parade (September 17, 2008)
• Software Security Demand Rising (August 11, 2008)
• Application Assessment as a Factory (July 17, 2008)
• DMCA Rent-a-cops Accept Fake IDs (June 12, 2008)
• Securing Web 3.0 (May 15, 2008)
• Paying for Secure Software (April 7, 2008)

Other

• Lifestyle Hackers, CSO Online (November 2, 2009).
• Securing Online Games: Safeguarding the Future of Software Security, IEEE Security & Privacy (May/June 2009).
• How Things Work: Automated Code Review Tools for Security, Computer (December 2008).
• Online Games and Security, IEEE Security & Privacy (October/September 2007)

Build Security In article series

These articles were all originally published in IEEE Security & Privacy. For more of Gary's publications, see our full listing of his available published articles.

• Software Security and SOA: Danger, Will Robinson! (January/February 2006)
• Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors (November/December 2005)
• Bridging the Gap Between Software Development and Information Security (September/October 2005)
• A Portal for Software Security (July/August 2005)
• Adopting a Software Security Improvement Program (May/June 2005)
• Knowledge for Software Security (March/April 2005)
• Software Penetration Testing (January/February 2005)
• Static Analysis for Security (November/December 2004)
• Software Security Testing (September/October 2004)
• Risk Analysis in Software Design (July/August 2004)
• Misuse and Abuse Cases: Getting Past the Positive (May/June 2004)
• Software Security (March/April 2004)

Dark Reading article series

• The Truth Behind Code Analysis (February 13, 2008)
• Software Security Strategies (January 9, 2008)
• Beyond the PCI Band-Aid (December 10, 2007)
• Online Games & the Law (October 11, 2007)
• Mobile Insecurity (September 14, 2007)
• The Ultimate Insider (August 14, 2007)
• Consolidate This (July 12, 2007)
• JSON, Ajax & Web 2.0 (June 7, 2007)
• Certifiable (May 9, 2007)
• Want Turns to Need (April 20, 2007)
• Compliance As Kick-Starter (March 12, 2007)
• Security's Symbiosis (February 27, 2007)
• Hurray for Hollywood!? (January 12, 2007)
• Foxy Vista Henhouse (December 11, 2006)
• Boarding-Pass Brouhaha (November 2, 2006)
• Diebold Disses Democracy (October 9, 2006)
• Keep Your Laws Off My Security (September 7, 2006)
• Google is Evil (August 4, 2006)
• If You Build It, They'll Crash It (July 7, 2006)
• New Terrorist Profile: Phone Users (June 13, 2006)
• Microsoft's Missed Opportunity (May 3, 2006)

IT Architect (formerly Network Magazine) article series (PDF format)

• How Flawed Is Microsoft? (March 2006)
• Is Application Security Training Worth the Money? (February 2006)
• Is Sony BMG Run By Malicious Hackers? (January 2006)
• When Does Security Cross the Line? (December 2005)
• Is Security Really About Getting Nothing Done? (November 2005)
• How Bad Is Intrusion Detection? (October 2005)
• Is Cisco Naked? (September 2005)
• Is VoIP Secure Enough For Prime Time? (August 2005)
• Is Penetration Testing a Good Idea? (July 2005)
• Are Cell Phones the Next Target? (June 2005)
• How Does Security Fit With Engineering? (May 2005)
• Is Your Mac Really More Secure? (April 2005)
• Where Does Trust Come From? (March 2005)
• Are We In a Computer Security Renaissance? (February 2005)
• Innovative Rootkits: The Ultimate Weapon? (January 2005)
• How Do Real Bad Guys Break Software? (December 2004)
• Application Security Testing Tools: Worth the Money? (November 2004)
• Who Should Do Security? (October 2004)

Copyright © 2006, Gary McGraw