A guide to Gary McGraw’s AppSec USA keynote

Gary McGraw delivered the Friday morning keynote at AppSec USA 2014. Watch “BSIMM: A Decade of Software Security” and read along with his guide.

I had a blast delivering the Friday morning keynote at AppSec USA this year. The only uncomfortable part was the 8 a.m. start. Whose idea was that?!

You can watch the keynote here on YouTube.

I watched the keynote myself this morning (which, for what it’s worth, is a pretty painful process, as there is always stuff you would do differently). It’s interesting to contemplate the difference in the feeling you get delivering a live talk and watching a recorded version. Anyway, here is a quick guide to the key ideas in the talk as I see it.

8:38 Start.
11:30 Java security.
12:37 Building secure software.
14:20 Grace Hopper bug.
18:00 Why I say “software security” and not “application security.”
20:20 What is a software security group? You MUST have one for #swsec. Also see Software [In]security: You Really Need a Software Security Group.
23:00 Bugs versus flaws and the myopic overfocus on bugs. NOT only a stupid little tool!
27:33 C is bad.
28:45 P. 164 of K&R in “the bible” is just awful, C++ is worse.
29:56 “Get done go home” and code review reality. Use a tool.
31:20 TOCTOU, re-entrant code and TIME.
30:30 Dynamic languages and Node.js (oh NO!) Houston, we have a problem.
37:40 Cleanup on aisle 7 (Mandiant) security versus IEEE Center for Secure Design and fixing the design.
40:30 Scale static analysis and FIX THE CODE!
42:35 Bugs versus flaws and 50%/50% (or 70%/70%) and WHY the IEEE CSD exists.
44:40 The IEEE CSD and how it got started with REAL software security design flaws.
47:30 David Chalmers, philosophy, and zombies, which are good.
49:20 Retail and software security. Ridiculous. New leadership from the government will waste five years.
51:28 Why developers do not like the security team. Tip: Do not hit developers in the face with a pen test.
52:28 Too much weight on pen testing (X3). Yes, you should do it, but be smart about it.
54:14 Automate pen testing and test your whole portfolio.
59:55 Where the BSIMM came from: the SDLC and SDL methodology problem.
1:01:40 Badness-ometers “you can’t test security in” @moxie in a jar.
1:02:50 Why there is no security meter tool. TOOLS ALONE CAN’T DO IT!
1:05:05 Zombie baby: FIX THE DANG SOFTWARE.
1:07:08 Why “threat modeling” is the wrong term versus architecture analysis.
1:09:30 BSIMM by the numbers. We are 1/29th of the way done.
1:13:45 Measurement, science, improvement, and #swsec #BSIMM.
1:14:42 Why the English system of measurement is awesome.
1:18:10 The US government is way behind in software security. Five years behind.

Hope you find this little guide helpful.