Security beyond the Badness-ometers
- By John K. Waters
I missed my favorite security guru's presentation at SD West on Friday, but I finally managed to
get a weekend with his new book. (Yeah, I know... I need to get a life.)
In my defense, Gary McGraw's latest, Software Security: Building Security
In, is a real page-turner. It's the third book in the White Hat/Black
Hat Trilogy. The first was Building Secure Software: How to Avoid Security
Problems the Right Way (Addison-Wesley, 2001), which he penned with
security expert John Viega, founder of Secure Software. It features a white
cowboy hat on the cover. (I think it's a Stetson.) The second was Exploiting
Software: How to Break Code (Addison Wesley, 2004), which he wrote with the
semi-legendary Greg Hoglund, the founder of rootkits.com. It features the black hat.
McGraw's latest book combines his extensive knowledge of both sides of
the force into a kind of yin-and-yang of best practices for building secure
software. (So, you guessed it, there's a black and a white hat on the
''You can't do software security effectively without wearing two hats,''
McGraw told me when we talked at the recent RSA security show. ''You’ve got to
do the good-guy stuff, but you've got to do some of the bad-guy stuff, too.
You’ve got to build it right, but then you’ve got to attack it to see if it's
In Secure Software, McGraw's first solo effort, he sets out seven
software security touchpoints, developed, he says, through years of practicing
applied software security in the real world. He shows how these touchpoints can
be applied to various artifacts produced by all developers, whatever their
development methodologies, to produce more secure software. In his day job,
McGraw is the CTO of Cigital, a Northern
Virginia-based software security consulting firm, and the touchpoints are
aligned with Cigital's approach to enterprise software security.
McGraw has been preaching the gospel of security through better software for
years. He estimates that he's talked with tens of thousands of developers at
trade shows and conferences, and he believes that his message has been heard.
The new book, he hopes, will eliminate any lingering excuses not to act on the
problem: ''People are always saying, 'Okay, I get what you're saying, but I
don't know what do about it.' This book tells you what to do about it.''
McGraw has great faith in the abilities of developers to adopt secure coding
practices—once they get past the allure of testing tools that promise to provide
a hacker-in-a-box fix for their security problems. He calls those tools
''If you run canned tests against your code, and they find
problems, you know that your code sucks,'' he says. ''If you run the same
tests against your code and they don’t find anything, you don’t really know
anything. It goes from deep trouble to, ‘Who knows?’ It’s a very good thing to
know when you’re in deep trouble, so these tools have some value. But you
haven't gotten inside your code to look for bugs and flaws; you’ve just poked
it with a pointy stick. It’s better to poke it than do nothing, but let’s not
celebrate because the badness-ometer read zero.''
McGraw says he wrote the new book to provide a down-to-earth,
hands-on, how-to guide for software security, and I'd have to say that he has
largely succeeded. With this book, McGraw is also really starting to come into
his own as a writer. He’s a funny guy (not hilarious), very earthy, and he
speaks plainly without ever talking down to his audience. Of the three ''Hat''
books, this is definitely my fav.
John K. Waters is a freelance writer based in Silicon Valley. He can be reached
at [email protected].