Security beyond the Badness-ometers

• By John K. Waters
• March 21, 2006

I missed my favorite security guru's presentation at SD West on Friday, but I finally managed to get a weekend with his new book. (Yeah, I know... I need to get a life.)

In my defense, Gary McGraw's latest, Software Security: Building Security In, is a real page-turner. It's the third book in the White Hat/Black Hat Trilogy. The first was Building Secure Software: How to Avoid Security Problems the Right Way (Addison-Wesley, 2001), which he penned with security expert John Viega, founder of Secure Software. It features a white cowboy had on the cover. (I think it's a Stetson.) The second was Exploiting Software: How to Break Code (Addison Wesley, 2004), which he wrote with the semi-legendary Greg Hoglund, the founder of rootkits.com. It features the black hat.

McGraw’s latest book combines his extensive knowledge of the both sides of the force into a kind of yin-and-yang of best practices for building secure software. (So, you guessed it, there's a black and a white hat on the cover.)

''You can't do software security effectively without wearing two hats,'' McGraw told me when we talked at the recent RSA security show. ''You’ve got to do the good-guy stuff, but you've got to do some of the bad-guy stuff, too. You’ve got to build it right, but then you’ve got to attack it to see if it's secure.''

In Secure Software, McGraw's first solo effort, he sets out seven software security touchpoints, developed, he says, through years of practicing applied software security in the real world. He shows how these touch points can be applied to various artifacts produced by all developers, whatever their development methodologies, to produce more secure software. In his day job, McGraw is the CTO of Cigital, a Northern Virginia-based software security consulting firm, and the touchpoints are aligned with Cigital's approach to enterprise software security.

McGraw has been preaching the gospel of security through better software for years. He estimates that he's talked with tens of thousands of developers at trade shows and conferences, and he believes that his message has been heard. The new book, he hopes, will eliminate any lingering excuses not to act on the problem: ''People are always saying, 'Okay, I get what you're saying, but I don't know what do about it.' This book tells you what to do about it.''

McGraw has great faith in the abilities of developers to adopt secure coding practices—once they get past the allure of testing tools that promise to provide a hacker-in-a-box fix for their security problems. He calls those tools ''badness-ometers.''

''If you run canned tests against your code, and they find problems, you know that you’re code sucks,'' he says. ''If you run the same tests against your code and they don’t find anything, you don’t really know anything. It goes from deep trouble to, ‘Who knows?’ It’s a very good thing to know when you’re in deep trouble, so these tools have some value. But you haven't gotten inside your code to look for bugs and flaws; you’ve just poked it with a pointy stick. It’s better to poke it than do nothing, but let’s not celebrate because the badness-ometer read zero.''

McGraw says he wrote the new book to provide a down-to-earth, hands-on, how-to guide for software security, and I'd have to say that he has largely succeeded. With this book, McGraw is also really starting to come into his own as a writer. He’s a funny guy (not hilarious), very earthy, and he speaks plainly without ever talking down to his audience. Of the three ‘’Hat’’ books, this is definitely my fav.

###