Software Security from a Specialist: Gary McGraw

I just listened to an excellent interview with Gary McGraw, a security guru, in the Software Engineering Radio, and I suggest software developers to hear it too.

Some points he touched:

  • Software security is about how to approach computer security if you are a developer or a software architect.
  • Security problems come from 2 points: (a) bad or buggy implementation as buffer overflows etc and (b) lack or poor architectural risk analysis. So even if you took a lot of care while writing the code you may have forgotten completely to authenticate users. This is a bad design (b) issue. Both problems — implementation and design — must be mitigated.
  • You can’t be 100% secure, but if you have considered security in the design and in the implementation of your software, you will be a lot better than simply shipping software without thinking about security.
  • Although people may have very good reasons to think that Open Source software is less secure than closed source because a cracker can see the code and find flaws, the bad guys actually use the binary version of a software to find the flaws, using low level debuggers, stack analyzers, decompilers and other kinds of things. Open Source software is not really in any worse shape that any other kind of software. He also says that Open Source software is not also better, from a security perspective. He does not believe in that theory that everybody is looking at the code and may find and fix bugs. Me neither.

I guess this is my last post of 2007 and I wish everybody a happy new year.