Meeting Archives: November 2001 [IEEE Northern Virginia Chapter]

presented by

ABSTRACT
What do wireless devices, cell phones, PDA's, browsers, operating systems, network services, public key infrastructure, and firewalls have in common? The answer is "software". Software is everywhere, and it is not usually built to be secure. This talk explains why the key to proactive computer security is making software behave. With software complexity growing alarmingly—the source code base for Windows XP is 40 million lines—we have our work cut out for us. Clearly, the penetrate-and-patch approach is non-optimal. Even worse is bolting security mechanisms on as an afterthought. Building sofware properly, both at the design and implementation level, is a much better approach. This talk covers some common software security risks, including buffer overflows, race conditions, and random number generation, and goes on to discuss essential guidelines for building secure software. Applying a risk-driven approach to software security that integrates analysis and risk management throughout the software lifecycle is the key to better computer security.

BIOGRAPHY
Gary McGraw, Ph.D. is the Chief Technology Officer at Cigital. Working with Professional Services and Cigital Labs, he helps set software risk management technology strategy and oversees the technology transfer process. His aim is to bridge the gap between cutting-edge science and real-world applicability, and to transfer advanced technologies for use in the field. In addition to consulting with major commercial e-commerce vendors, including Visa and Mastercard, he founded the Software Security Group in the Consulting Services division and chairs the Cigital Corporate Technology Council.

Dr. McGraw began his career at Cigital as a Research Scientist, and he continues to pursue research in software security. He holds a dual Ph.D. in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He has written over sixty peer-reviewed technical publications, and serves as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program.

Dr. McGraw is a member of the Technical Advisory Boards of Finjan, Counterpane and Tovaris. He also serves as an Advisor to the UC Davis Department of Computer Science. He recently chaired the National Infosec Research Council's Malicious Code Infosec Science and Technology Study Group.

Dr. McGraw is a noted authority on software security and co-authored both Java Security: Hostile Applets, Holes, & Antidotes (Wiley, 1996) and Securing Java: Getting down to business with mobile code (Wiley, 1999) with Prof. Ed Felten of Princeton. Along with Cigital co-founder and Chief Scientist Dr. Jeffrey Voas, McGraw wrote Software Fault Injection: Inoculating Programs Against Errors (Wiley, 1998). His latest book, Building Secure Software is published in Addison Wesley's Professional Computing Series (2001). Dr. McGraw regularly contributes to popular trade publications and is often quoted in national press articles.