I had a blast delivering the Friday morning keynote at AppSec USA this year. The only uncomfortable part was the 8 a.m. start. Whose idea was that?!
You can watch the keynote here on YouTube.
I watched the keynote myself this morning (which, for what it’s worth, is a pretty painful process, as there is always stuff you would do differently). It’s interesting to contemplate the difference in the feeling you get delivering a live talk and watching a recorded version. Anyway, here is a quick guide to the key ideas in the talk as I see it.
- Start (8:38)
- Java security (11:30)
- Building secure software (12:37)
- Grace Hopper bug (14:20)
- Why I say “software security” and not “application security” (18:00)
- What is a software security group? You MUST have one for #swsec. (20:20) Also see Software [In]security: You Really Need a Software Security Group
- Bugs versus flaws and the myopic overfocus on bugs. NOT only a stupid little tool!! (23:00)
- C is bad (27:33), page 164 of K&R in “the bible” is just awful, C++ is worse. (28:45)
- “Get done go home” and code review reality. Use a tool. (29:56)
- TOCTOU, re-entrant code and TIME. (31:20)
- Dynamic languages and node.js (oh NO!) Houston, we have a problem. (30:30)
- Cleanup on aisle 7 (Mandiant) security versus IEEE Center for Secure Design and fixing the design. (37:40)
- Scale static analysis and FIX THE CODE!!! (40:30)
- Bugs versus flaws and 50%/50% (or 70%/70%) and WHY the IEEE CSD exists. (42:35)
- The IEEE CSD and how it got started with REAL software security design flaws. (44:40)
- David Chalmers, philosophy, and zombies, which are good. (47:30)
- Retail and software security. Ridiculous. New leadership from the government will waste five years. (49:20)
- Why developers do not like the security team. Tip: Do not hit developers in the face with a pen test. (51:28)
- Too much weight on pen testing (X3). Yes, you should do it, but be smart about it. (52:28)
- Automate pen testing and test your whole portfolio. (54:14)
- Where the BSIMM came from: the SDLC and SDL methodology problem. (59:55)
- Badness-ometers, “you can’t test security in,” and @moxie in a jar. (1:01:40)
- Why there is no security meter tool. TOOLS ALONE CAN’T DO IT! (1:02:50)
- Zombie baby: FIX THE DANG SOFTWARE. (1:05:05)
- Why “threat modeling” is the wrong term versus architecture analysis. (1:07:08)
- BSIMM by the numbers. We are 1/29th of the way done. (1:09:30)
- Measurement, science, improvement, and #swsec #BSIMM. (1:13:45)
- Why the English system of measurement is awesome. (1:14:42)
- The US government is way behind in software security. Five years behind. (1:18:10)
Hope you find this little guide helpful.