Software Integrity Blog


A guide to Gary McGraw’s AppSec USA keynote

I had a blast delivering the Friday morning keynote at AppSec USA this year. The only uncomfortable part was the 8 a.m. start. Whose idea was that?!

You can watch the keynote here on YouTube.

I watched the keynote myself this morning (which, for what it’s worth, is a pretty painful process, as there is always stuff you would do differently). It’s interesting to contemplate the difference in the feeling you get delivering a live talk and watching a recorded version. Anyway, here is a quick guide to the key ideas in the talk as I see it.

  • Start (8:38)
  • Java security (11:30)
  • Building secure software (12:37)
  • Grace Hopper bug (14:20)
  • Why I say “software security” and not “application security” (18:00)
  • What is a software security group? You MUST have one for #swsec. (20:20) Also see Software [In]security: You Really Need a Software Security Group
  • Bugs versus flaws and the myopic overfocus on bugs. NOT only a stupid little tool!! (23:00)
  • C is bad (27:33), page 164 of K&R in “the bible” is just awful, C++ is worse. (28:45)
  • “Get done go home” and code review reality. Use a tool. (29:56)
  • TOCTOU, re-entrant code and TIME. (31:20)
  • Dynamic languages and node.js (oh NO!) Houston, we have a problem. (30:30)
  • Cleanup on aisle 7 (Mandiant) security versus @ieeecsd and fixing the design. (37:40)
  • Scale static analysis and FIX THE CODE!!! (40:30)
  • Bugs versus flaws and 50%/50% (or 70%/70%) and WHY the @ieeecsd exists. (42:35)
  • The @ieeecsd and how it got started with REAL software security design flaws. (44:40)
  • David Chalmers, philosophy, and zombies which are good. (47:30)
  • Retail and software security. Ridiculous. New leadership from the government will waste five years. (49:20)
  • Why developers do not like the security team. Tip: Do not hit developers in the face with a pen test. (51:28)
  • Too much weight on pen testing (X3). Yes, you should do it, but be smart about it. (52:28)
  • Automate pen testing and test your whole portfolio. (54:14)
  • Where the BSIMM came from the SDLC and SDL methodology problem. (59:55)
  • Badness-ometers “you can’t test security in” @moxie in a jar. (1:01:40)
  • Why there is no security meter tool. TOOLS ALONE CAN’T DO IT! (1:02:50)
  • Zombie baby: FIX THE DANG SOFTWARE. (1:05:05)
  • Why “threat modeling” is the wrong term versus architecture analysis. (1:07:08)
  • BSIMM by the numbers. We are 1/29th of the way done. (1:09:30)
  • Measurement, science, improvement, and #swsec #BSIMM. (1:13:45)
  • Why the English system of measurement is awesome. (1:14:42)
  • The US government is way behind in software security. Five years behind. (1:18:10)

Hope you find this little guide helpful.


More by this author