Rather than load up DI.fm when I first arrived in the office today, I listened to a podcast with Gary McGraw, who appears to be making the rounds to plug his new book.
Here are my take-aways:
- Most security people come from a networking background, not a software one. This gives the bad guys attacking your software an unfair advantage, because they are software people.
- Software people, through a lack of education, often think that security is a feature that can be added in later, but security does not come from ‘magic crypto fairy dust’.
- Automated code analysis tools find bugs, not flaws. Only people can find flaws.
- Seven ways to make software more secure (this list, I believe, makes up the book he is flogging):
  - Good code reviews, both automated and manual
  - Perform architectural risk analysis
  - Do software penetration testing
  - White-box, risk-based security testing
  - Abuse cases. If a developer says “A user won’t ever do it”, do it. Then giggle evilly
  - Have explicit security requirements for your application
  - Operational security. This is where the network security people and the software security people put everything together.