Gary McGraw

Gary McGraw
Gary McGraw
Alma mater	PhD, Cognitive Science and Computer Science - Indiana University B.A. Philosophy - University of Virginia
Title	Vice President of Security Technology at Synopsys, Inc.

Last updated October 21, 2021

Gary McGraw is an American computer scientist, author, and researcher.

Education

McGraw holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from the University of Virginia.^[1] His doctoral dissertation is titled "Letter Spirit: Emergent High-Level Perception of Letters Using Fluid Concepts."^[2]

Career

McGraw was the Vice President of Security Technology at Synopsys.^[3] Before Cigital was acquired by Synopsys, he was Chief Technical Officer at Cigital.^[4] He produced the Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT). ^[5] Gary McGraw serves on the Dean's Advisory Council for the School of Informatics of Indiana University. He also serves on the advisory boards of several companies,^[6] including Dasient (acquired by Twitter), Fortify Software (acquired by Hewlett-Packard), Max Financial, Invotas, Wall+Main, Invincea (acquired by Sophos), and Raven White. In the past, Gary McGraw has served on the IEEE Computer Society Board of Governors.^{[ citation needed ]}

Books

Gary is an author of many books and over 100 peer-reviewed publications on IT security.

Software Security: Building Security In, ISBN 978-0-321-35670-3
Exploiting Software: How to Break Code (with Greg Hoglund), ISBN 978-0-201-78695-8
Building Secure Software: How to Avoid Security Problems the Right Way (with John Viega), ISBN 978-0-321-77495-8
Java Security (with Edward Felten), ISBN 978-0-471-17842-2
Exploiting Online Games: Cheating Massively Distributed Systems (with Greg Hoglund), ISBN 978-0-13-227191-2
Software Security Engineering: A Guide for Project Managers (with Julia H. Allen, Sean J. Barnum, Robert J. Ellison, and Nancy R. Mead) ISBN 978-0-321-50917-8
Software Fault Injection (with Jeffrey M. Voas) ISBN 978-0-471-18381-5
Securing Java: Getting Down to Business with Mobile Code (with Edward Felten), ISBN 978-0-471-31952-8

Notes

↑ "The University of Virginia". www.virginia.edu. Retrieved 2015-10-02.
↑ McGraw, Gary (1995). "Indiana University, Bloomington IN". Indiana University. The Center for Research on Concepts and Cognition. Archived from the original on 10 September 2015. Retrieved 2 October 2015.
↑ "Software Security Expert Opinion | Gary McGraw" . Retrieved December 21, 2017.
↑ Mills, Elinor (2010-05-12). "Gary McGraw on developing secure software (Q&A)". CNet.
↑ McGraw, Gary; Migues, Sammy (2010-12-29). "Driving Efficiency and Effectiveness in Software Security". InformIT.
↑ "Business". www.cigital.com. Retrieved 2015-10-02.

Related Research Articles

Software engineering is the systematic application of engineering approaches to the development of software.

Static program analysis is the analysis of computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing. In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.

In software development, Linus's law is the assertion that "given enough eyeballs, all bugs are shallow".

In software engineering, a software design pattern is a general, reusable solution to a commonly occurring problem within a given context in software design. It is not a finished design that can be transformed directly into source or machine code. Rather, it is a description or template for how to solve a problem that can be used in many different situations. Design patterns are formalized best practices that the programmer can use to solve common problems when designing an application or system.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Temporal Key Integrity Protocol is a security protocol used in the IEEE 802.11 wireless networking standard. TKIP was designed by the IEEE 802.11i task group and the Wi-Fi Alliance as an interim solution to replace WEP without requiring the replacement of legacy hardware. This was necessary because the breaking of WEP had left Wi-Fi networks without viable link-layer security, and a solution was required for already deployed hardware. However, TKIP itself is no longer considered secure, and was deprecated in the 2012 revision of the 802.11 standard.

In the context of software engineering, software quality refers to two related but distinct notions:

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, e.g., in a file format or protocol and distinguishes valid from invalid input. An effective fuzzer generates semi-valid inputs that are "valid enough" in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program and are "invalid enough" to expose corner cases that have not been properly dealt with.

Software assurance (SwA) is defined as "the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner."

Robert C. Seacord is an American computer security specialist and writer. He is the author of books on computer security, legacy system modernization, and component-based software engineering.

In computer science, attack patterns are a group of rigorous methods for finding bugs or errors in code related to computer security.

Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.

Michael Gregory Hoglund is an American author, researcher, and serial entrepreneur in the cyber security industry. He is the founder of several companies, including Cenzic, HBGary and Outlier Security. Hoglund contributed early research to the field of rootkits, software exploitation, buffer overflows, and online game hacking. His later work focused on computer forensics, physical memory forensics, malware detection, and attribution of hackers. He holds a patent on fault injection methods for software testing, and fuzzy hashing for computer forensics. Due to an email leak in 2011, Hoglund is well known to have worked for the U.S. Government and Intelligence Community in the development of rootkits and exploit material. It was also shown that he and his team at HBGary had performed a great deal of research on Chinese Government hackers commonly known as APT. For a time, his company HBGary was the target of a great deal of media coverage and controversy following the 2011 email leak. HBGary was later acquired by a large defense contractor.

John Viega is an American computer security author, researcher and professional.

Cigital was a software security managed services firm based in Dulles, VA. The services they offered included application security testing, penetration testing, and architecture analysis. Cigital also provided instructor-led security training and products such as SecureAssist, a static analysis tool that acts as an application security spellchecker for developers.

Mordechai M. "Moti" Yung is a cryptographer and computer scientist known for his work on cryptovirology and kleptography.

Carl E. Landwehr is an American computer scientist whose research focus is cybersecurity and trustworthy computing. His work has addressed the identification of software vulnerabilities toward high assurance software development, architectures for intrusion-tolerant and multilevel security systems, token-based authentication, and system evaluation and certification methods. In an invited essay for ACSAC 2013, he proposed the idea of developing building codes for building software that is used in critical infrastructures. He has organized an NSF funded workshop to develop a building code and research agenda for medical device software security. The final committee report is available through the Cyber Security and Policy Institute of the George Washington University, and the building code through the IEEE.

This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.

Static application security testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities. Although the process of statically analyzing the source code has existed as long as computers have existed, the technique spread to security in the late 90s and the first public discussion of SQL injection in 1998 when Web applications integrated new technologies like JavaScript and Flash.

References

Ben Rothke. "Software Security: Building Security In", Security Management magazine
Radu State. Review of "Software Security: Building Security In by Gary McGraw", ACM Queue 4(7):44 (2006)
"Software Security : Building Security In", Palizine, Issue #18 February 2006
Robert Bruen. "Software Security. Building Security In", Cipher (IEEE magazine), Jan 5, 2006
Alen Prodan. "Exploiting Software: How to Break Code", Help Net Security, 21 July 2004
A. Mariën. Review of "Exploiting Software: How to Break Code by Greg Hoglund and Gary McGraw", ACM Queue , 3(4):60 (2005)
Robert Bruen. "Exploiting Software. How to Break Code", Cipher (IEEE magazine), January 13, 2004
Aleksandar Stancin. "Building Secure Software: How to Avoid Security Problems the Right Way", Help Net Security
Robert Bruen. "Building Secure Software. How to Avoid Security Problems the Right Way", Cipher (IEEE magazine), January 9, 2002
Diomidis Spinellis. "Book review: Building Secure Software: how to Avoid Security Problems the Right Way", ACM Computing Reviews, 43(4):103–104, April 2002.

External links

Gary McGraw's personal home page

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "The University of Virginia". www.virginia.edu. Retrieved 2015-10-02.

[2] McGraw, Gary (1995). "Indiana University, Bloomington IN". Indiana University. The Center for Research on Concepts and Cognition. Archived from the original on 10 September 2015. Retrieved 2 October 2015.

[3] "Software Security Expert Opinion | Gary McGraw" . Retrieved December 21, 2017.

[4] Mills, Elinor (2010-05-12). "Gary McGraw on developing secure software (Q&A)". CNet.

[5] McGraw, Gary; Migues, Sammy (2010-12-29). "Driving Efficiency and Effectiveness in Software Security". InformIT.

[6] "Business". www.cigital.com. Retrieved 2015-10-02.

[1]

[2]

[3]

[4]

[5]

[6]

Authority control
General	Integrated Authority File (Germany) ISNI 1 VIAF 1 WorldCat
National libraries	France (data) United States Czech Republic Korea Netherlands
Scientific databases	DBLP (computer science)
Other	SUDOC (France) 1