Software Integrity


A guide to Gary McGraw’s AppSecUSA keynote

I had a blast delivering the Friday morning keynote at AppSecUSA this year. The only uncomfortable part was the 8am start. Whose idea was that?!

You can watch the keynote here on YouTube or download the audio-only version from SoundCloud.

I watched the keynote myself this morning (which, for what it’s worth, is a pretty painful process, as there is always stuff you would do differently). It’s interesting to contemplate the difference between the feeling you get delivering a live talk and watching a recorded version. Anyway, here is a quick guide to the key ideas in the talk as I see it.

  • (start 8:38)
  • Java Security (11:30)
  • Building Secure Software (12:37)
  • Grace Hopper bug (14:20)
  • Why I say “software security” and not “application security”. (18:00)
  • What is a Software Security Group. You MUST have one for #swsec. (20:20) Also see Software [In]security: You Really Need a Software Security Group
  • Bugs versus flaws and the myopic over focus on bugs. NOT only a stupid little tool!! (23:00)
  • C is bad. (27:33) Page 164 of K&R, “the bible”, is just awful. C++ is worse. (28:45)
  • “Get done go home” and code review reality. Use a tool. (29:56)
  • TOCTOU, re-entrant code and TIME. (31:20)
  • Dynamic languages and node.js (oh NO!). Houston, we have a problem. (30:30)
  • Cleanup on aisle 7 (Mandiant) security versus @ieeecsd and fixing the design. (37:40)
  • Scale static analysis and FIX THE CODE!!! (40:30)
  • Bugs versus flaws and 50%/50% (or 70%/70%) and WHY the @ieeecsd exists. (42:35)
  • The @ieeecsd and how it got started with REAL software security design flaws. (44:40)
  • David Chalmers, philosophy, and zombies which are good. (47:30)
  • Retail and software security. Ridiculous. New leadership from the government will waste five years. (49:20)
  • Why developers do not like the security team. Tip: Do not hit developers in the face with a pen test. (51:28)
  • Too much weight on pen testing (X3). Yes, you should do it, but be smart about it. (52:28)
  • Automate pen testing and test your whole portfolio. (54:14)
  • Where the BSIMM came from: the SDLC and SDL methodology problem. (59:55)
  • Badnessometers: “you can’t test security in”. @moxie in a jar. (1:01:40)
  • Why there is no security meter tool. TOOLS ALONE CAN’T DO IT! (1:02:50)
  • Zombie baby: FIX THE DANG SOFTWARE. (1:05:05)
  • Why “threat modeling” is the wrong term versus architecture analysis. (1:07:08)
  • BSIMM by the numbers. We are 1/29th of the way done. (1:09:30)
  • Measurement, science, improvement, and #swsec #BSIMM. (1:13:45)
  • Why the English system of measurement is awesome. (1:14:42)
  • The US government is way behind in software security. Five years behind. (1:18:10)

Hope you find this little guide helpful.