From: Gary McGraw (gem[at]
To: Secure Code Mailing List (SC-L[at]
Cc: Eric Baize (, Bill Brenner (bbrenner[at]
Date: Tue, 3 Mar 2009 04:11:42 -0500
Subject: [SC-L] Reality Check: EMC Eric Baize

Greetings from Leuven sc-l,

Our fearless leader Ken gave a nice presentation on software security methodologies 
yesterday at secappdev.  I wonder what he says about the Touchpoints when I'm not
in the room?!

The third episode of Reality Check went live this morning.  The episode features a 
conversation with Eric Baize who runs EMC's very impressive software security
initiative.  EMC is an example of an initiative following their own methodology by 
borrowing good ideas from SDL and also the Touchpoints.  Lots of good stuff about
software security practicalities:

Don't forget that Reality Check is syndicated by CSO Online (it's a good way to 
infect upper management with software security ideas).



Always curious when I see wording like this. What exactly makes them 'impressive', and why their methodology fails to find overflows, arbitrary code execution, denial of service, SQL injection, arbitrary file access, encryption weakness, format strings, default accounts (persistent no less!), privilege escalation and more. Oh, all of that since 2005..

Why can't anyone in our industry show some balls and ask these companies hard questions. Why can't they take companies with poor security histories and hold them to the light, expose them for what they are?

All of this from a show called "Reality Check"? Really?

main page ATTRITION feedback