Software Integrity

A guide to Gary McGraw’s AppSecUSA keynote

I had a blast delivering the Friday morning keynote at AppSecUSA this year. The only uncomfortable part was the 8am start. Whose idea was that?!

You can watch the keynote here on YouTube.

I watched the keynote myself this morning (which for what it’s worth is a pretty painful process as there is always stuff you would do differently). It’s interesting to contemplate the difference in the feeling you get delivering a live talk and watching a recorded version. Anyway, here is a quick guide to the key ideas in the talk as I see it.

  • (start 8:38)
  • Java Security (11:30)
  • Building Secure Software (12:37)
  • Grace Hopper bug (14:20)
  • Why I say “software security” and not “application security”. (18:00)
  • What a Software Security Group is. You MUST have one for #swsec. (20:20) Also see Software [In]security: You Really Need a Software Security Group
  • Bugs versus flaws and the myopic over-focus on bugs. NOT only a stupid little tool!! (23:00)
  • C is bad (27:33): page 164 of K&R, “the bible”, is just awful. C++ is worse. (28:45)
  • “Get done go home” and code review reality. Use a tool. (29:56)
  • TOCTOU, re-entrant code and TIME. (31:20)
  • Dynamic languages and node.js (oh NO!). Houston, we have a problem. (30:30)
  • “Cleanup on aisle 7” (Mandiant) security versus the @ieeecsd and fixing the design. (37:40)
  • Scale static analysis and FIX THE CODE!!! (40:30)
  • Bugs versus flaws and 50%/50% (or 70%/70%) and WHY the @ieeecsd exists. (42:35)
  • The @ieeecsd and how it got started with REAL software security design flaws. (44:40)
  • David Chalmers, philosophy, and zombies which are good. (47:30)
  • Retail and software security. Ridiculous. New leadership from the government will waste five years. (49:20)
  • Why developers do not like the security team. Tip: Do not hit developers in the face with a pen test. (51:28)
  • Too much weight on pen testing (X3). Yes, you should do it, but be smart about it. (52:28)
  • Automate pen testing and test your whole portfolio. (54:14)
  • Where the BSIMM came from: the SDLC and SDL methodology problem. (59:55)
  • Badnessometers: “you can’t test security in.” @moxie in a jar. (1:01:40)
  • Why there is no security meter tool. TOOLS ALONE CAN’T DO IT! (1:02:50)
  • Zombie baby: FIX THE DANG SOFTWARE. (1:05:05)
  • Why “threat modeling” is the wrong term versus architecture analysis. (1:07:08)
  • BSIMM by the numbers. We are 1/29th of the way done. (1:09:30)
  • Measurement, science, improvement, and #swsec #BSIMM. (1:13:45)
  • Why the English system of measurement is awesome. (1:14:42)
  • The US government is way behind in software security. Five years behind. (1:18:10)

Hope you find this little guide helpful.
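The TOCTOU item above (31:20) is the one bullet that describes a concrete bug class, so here is an added example of it in C. This is not code from the keynote or from this post: it shows the check-then-use race on a file name beside the descriptor-based fix. The scratch directory under /tmp, the file names, and the `between` callback that stands in for the scheduling gap between check and use are assumptions for illustration only.

```c
/* Added example, not from the keynote or this blog: a TOCTOU race on a
 * file path and the descriptor-based fix. Paths/names are assumptions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE: checks the NAME, then opens the NAME. `between` stands in for
 * the scheduling gap in which another process can re-point that name. */
int racy_open_regular(const char *path, void (*between)(void *), void *arg)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;               /* time of check: it really is a regular file */
    if (between) between(arg);   /* the window */
    return open(path, O_RDONLY); /* time of use: open() follows a symlink */
}

/* HARDENED: open first, refusing a symlink as the final component, then
 * check the object you actually hold through its descriptor. Nothing is
 * decided from the name, so there is nothing to race. */
int safe_open_regular(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;               /* ELOOP if the name is now a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);               /* directory, device, FIFO: reject */
        return -1;
    }
    return fd;
}

/* ---- constructed fixture: scratch dir, a harmless file, a "secret" ---- */
static char g_dir[] = "/tmp/toctou-demo-XXXXXX";   /* mkdtemp template */
static char g_target[512], g_secret[512];

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}

int demo_setup(void)
{
    if (!mkdtemp(g_dir))
        return -1;
    snprintf(g_target, sizeof g_target, "%s/regular", g_dir);
    snprintf(g_secret, sizeof g_secret, "%s/secret", g_dir);
    return (write_file(g_target, "harmless\n") || write_file(g_secret, "SECRET\n")) ? -1 : 0;
}

/* The attacker's move inside the window: swap the file for a symlink. */
static void swap_for_symlink(void *unused)
{
    (void)unused;
    unlink(g_target);
    symlink(g_secret, g_target);
}

/* 1 if the descriptor reads the secret, i.e. the race paid off. */
static int leaked_secret(int fd)
{
    char buf[64] = {0};
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 && strncmp(buf, "SECRET", 6) == 0;
}

int demo_racy_leaks(void)    /* 1: racy version handed out the secret */
{
    return leaked_secret(racy_open_regular(g_target, swap_for_symlink, NULL));
}

int demo_safe_refuses(void)  /* 1: hardened version rejects the swapped name */
{
    swap_for_symlink(NULL);
    return safe_open_regular(g_target) == -1;
}

int demo_safe_accepts_regular(void)  /* 1: ...but still opens a real file */
{
    unlink(g_target);
    int fd = write_file(g_target, "harmless\n") == 0 ? safe_open_regular(g_target) : -1;
    if (fd >= 0) close(fd);
    return fd >= 0;
}
```

Call demo_setup() once, then demo_racy_leaks(), demo_safe_refuses() and demo_safe_accepts_regular() each return 1. Two caveats: O_NOFOLLOW only refuses a symlink in the final path component, so when an untrusted party controls a parent directory you also want to open that directory and use openat(2) relative to its descriptor; and the fstat() check is only meaningful because it inspects the object the descriptor already refers to, which is the whole point of moving the decision off the name.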