The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was the following the letter, rather than the spirit, of PCI. Also on the agenda, duck-billed platypuses, Kandinski, and books by Pynchon.

(Beginning with this episode, Silver Bullet will be available as a 192k MP3.)

• Emergent Chaos blog
• The New School of Information Security
• Microsoft’s SDL
• Cigital’s Touchpoints
• IEEE Security & Privacy magazine
• Wassily Kandinsky
• The CardSystems breach (2005)
• Thomas Pynchon

For the 21st episode of The Silver Bullet Security Podcast, Gary hosts a panel discussion with Cigital’s principals. Participants include Sammy Migues (Director of Training and Knowledge Management), John Steven (Principal Consultant) and Pravir Chandra (Principal Consultant). The group discusses the best ways for large companies to get started with software security and the similarities between CLASP, Microsoft’s SDL, and the Security Touchpoints. They also ponder how much the security testing burden should fall on QA and whether developing expertise in architectural risk analysis or threat modeling is more helpful. John Steven also discusses the hole in his dining room, which threat modeling would not have helped to prevent.

• Transcript of this episode [PDF]
• Justice League blog
• Threat Modeling - a blog entry by John Steven
• OWASP Top 10 for 2007
• OWASP
• The Shmoo Group