Secure Coding mailing list archives

Silver Bullet turns 2: Mary Ann Davidson


From: gem at cigital.com (Gary McGraw)
Date: Fri, 4 Apr 2008 08:24:52 -0400

Thanks for the feedback Stephen.  It's been a blast doing Silver Bullet for the last two years.

For our next episode, I'm going to interview Jon Swartz who covers security for USA Today.  That should be a twist!  
We're also planning to syndicate Silver Bullet through informIT soon.

gem

p.s. Can we have your permission to post this comment on the SB page?

http://www.cigital.com/~gem


On 4/4/08 1:19 AM, "Stephen Craig Evans" <stephencraig.evans at gmail.com> wrote:


Gary,

Great interview. You've had some powerhouse interviews recently, for example with Chris Wysopal ("my dream is that a 
static tool can fix business logic flaws") and Ed Amoroso ("security researchers are the bomb defusers of the 
Internet").

I laughed at your blunt comment: "that would be great (everybody doing software assurance in 5 years) but also 
impossible".

Andrew, in addition to your points:

- I liked her self-deprecating humor when she talked about her coding skills

- I think she made a justified, underhanded jab at the appsec community to make our stuff easier to use when she said:
(At 4m 55sec) "There are a lot of people who are very well-intended and very sharp who come up with laundry lists of 
8000 good things that we should do in security and all these things we should be doing and all these metrics - and 
that's all great, but then ... what is the benefit for the cost of getting that information?" and "the do-gooders, and 
in this case I mean it in a good sense, need to do is to help people figure out what are the most important things to 
do first so that they'll get the biggest bang for the buck".

- I liked her point, using a military analogy, that products should be self-defended.

Cheers,
Stephen

---------------------------------------------------
From: Andrew van der Stock <vanderaj at owasp.org>
Date: Thu, Mar 27, 2008 at 7:32 AM
Subject: Re: [SC-L] Silver Bullet turns 2: Mary Ann Davidson
To: Gary McGraw <gem at cigital.com>
Cc: Kathy Clark-Fisher <KClark-Fisher at computer.org>, Mary Ann Davidson
<mary.ann.davidson at oracle.com>, Secure Mailing List
<SC-L at securecoding.org>


Gary,

 Good interview.

 The discussion on being unable to develop trust relationships with
 contractors who release exploits was interesting, and I wished that
 there was more discussion on that point. I would have thought signing
 a contract made it easier to sue for breach of contract than relying on
 untested laws (or bad laws like the UK's RIPA), so much so that you'd
 really think twice, quite apart from the negative downside of being
 considered untrustworthy with confidential data, which is like a plague
 to any consultancy business.

 I really wish Ms Davidson had gone into detail on their SDL, as to
 what is really in there, and where we could read it and review it.

 Oracle's is an interesting turnaround considering that back in 2005 /
 2006, the relationship between the research community and Oracle was at
 an all-time low, with researchers essentially begging Oracle to put in
 an SDL and address the security defects properly without outside folks
 finding them first.

 I have since read that fences have been somewhat mended between
 researchers, such as David Litchfield, and Oracle. I still wince at
 that episode - it was entirely unprofessional of Oracle to attack
 Litchfield, who was practicing responsible disclosure for up to
 600-800 days, when 30 is the norm. I personally was extremely
 unimpressed with Oracle's approach of shooting the messenger rather
 than fixing the product.

 I must admit that episode led me to dismiss Oracle as the walking dead
 as they obviously couldn't be trusted with data of value, and so
 didn't follow news about Oracle ... until this interview.

 I'm glad they're now using automated SCA tools and fuzzers, are now
 finding most of the security issues themselves, have an internal
 review team, and, my personal favorite, are doing developer awareness /
 education. This is a 180 degree turnaround from the pre-2005/2006
 era. I particularly like that she's going to the universities and asking
 them to teach secure coding. This is what they SHOULD have been
 doing rather than attacking the research community.

 I'm glad that Oracle is now drinking the Kool-Aid and treating
 security as a fundamental software engineering requirement. It's about
 time.

 thanks,
 Andrew van der Stock
 Lead Author, OWASP Guide to Writing Secure Applications and OWASP Top 10

 _______________________________________________
 Secure Coding mailing list (SC-L) SC-L at securecoding.org
 List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 _______________________________________________