Gary McGraw delivered the Friday morning keynote at AppSec USA 2014. Watch “BSIMM: A Decade of Software Security” and read along with his guide.
I had a blast delivering the Friday morning keynote at AppSec USA this year. The only uncomfortable part was the 8 a.m. start. Whose idea was that?!
You can watch the keynote here on YouTube.
I watched the keynote myself this morning (which, for what it’s worth, is a pretty painful process, as there is always stuff you would do differently). It’s interesting to contemplate the difference in the feeling you get delivering a live talk and watching a recorded version. Anyway, here is a quick guide to the key ideas in the talk as I see it.
| Time | Topic |
|---|---|
| 12:37 | Building secure software. |
| 14:20 | Grace Hopper bug. |
| 18:00 | Why I say “software security” and not “application security.” |
| 20:20 | What is a software security group? You MUST have one for #swsec. Also see Software [In]security: You Really Need a Software Security Group. |
| 23:00 | Bugs versus flaws and the myopic overfocus on bugs. NOT only a stupid little tool! |
| 27:33 | C is bad. |
| 28:45 | P. 164 of K&R (“the bible”) is just awful; C++ is worse. |
| 29:56 | “Get done, go home” and code review reality. Use a tool. |
| 31:20 | TOCTOU, re-entrant code and TIME. |
| 30:30 | Dynamic languages and Node.js (oh NO!). Houston, we have a problem. |
| 37:40 | “Cleanup on aisle 7” (Mandiant) security versus the IEEE Center for Secure Design and fixing the design. |
| 40:30 | Scale static analysis and FIX THE CODE! |
| 42:35 | Bugs versus flaws, 50%/50% (or 70%/70%), and WHY the IEEE CSD exists. |
| 44:40 | The IEEE CSD and how it got started with REAL software security design flaws. |
| 47:30 | David Chalmers, philosophy, and zombies (which are good). |
| 49:20 | Retail and software security. Ridiculous. New leadership from the government will waste five years. |
| 51:28 | Why developers do not like the security team. Tip: do not hit developers in the face with a pen test. |
| 52:28 | Too much weight on pen testing (X3). Yes, you should do it, but be smart about it. |
| 54:14 | Automate pen testing and test your whole portfolio. |
| 59:55 | Where the BSIMM came from: the SDLC and SDL methodology problem. |
| 1:01:40 | Badness-ometers: “you can’t test security in.” @moxie in a jar. |
| 1:02:50 | Why there is no security meter tool. TOOLS ALONE CAN’T DO IT! |
| 1:05:05 | Zombie baby: FIX THE DANG SOFTWARE. |
| 1:07:08 | Why “threat modeling” is the wrong term versus architecture analysis. |
| 1:09:30 | BSIMM by the numbers. We are 1/29th of the way done. |
| 1:13:45 | Measurement, science, improvement, and #swsec #BSIMM. |
| 1:14:42 | Why the English system of measurement is awesome. |
| 1:18:10 | The US government is way behind in software security. Five years behind. |
Hope you find this little guide helpful.