Are we Secure? A Talk by Jeff Williams to the OWASP Suffolk Chapter.

92 views

OWASP Suffolk

2 years ago

The Talk:
We all trust software with the most important aspects of our life… but it’s a blind trust with virtually no justification. Actually, by almost any measure, application security has been failing for 20 years. Software is still riddled with vulnerabilities and gets attacked thousands of times a month - mostly undetected. Yet instead of trying different approaches, we mostly keep pushing the same futile and expensive practices harder.
In this talk, we’ll discuss why the underlying asymmetric information problem in the software market makes it impossible to make progress. And we’ll talk about how we can escape this trap, change the software market, and make software trustworthy for everyone.
About the speaker:
Jeff Williams - CTO of Contrast Security and OWASP Co-Founder
Jeff Williams is the co-founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API (ESAPI), OWASP Application Security Verification Standard (ASVS), XSS Prevention Cheat Sheet, WebGoat and many other widely adopted free and open projects. Jeff is the co-founder and the CTO of Contrast Security. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
Timeline:
00:00:04 Intro by David Flint
00:00:55 Start of Jeff's Talk
00:01:57 Slide 1: Are We Secure?
00:03:01 Slide 2: The Most Important Things In Life
00:04:58 Slide 3: Measure The Disconnect
00:06:30 Slide 4: Not Answering The Question
00:07:36 Slide 5: A 'Market For Lemons'
00:09:48 Slide 6: A Disconnected Market
00:13:55 Slide 7: Nobody's Fault
00:14:36 Slide 8: At A Crossroads...
00:15:34 Slide 9: Security In Sunshine
00:20:50 Slide 10: Transparency
00:23:51 Slide 11: Fundamentally...
00:24:06 Slide 12: Building A Security Argument 1
00:26:03 Slide 13: Building A Security Argument 2
00:26:54 Slide 14: Building A Security Argument 3
00:28:12 Slide 15: Well, Are We Secure?
00:29:04 Slide 16: Rip, Mix and Burn
00:31:10 A Quick Aside: The OWASP Benchmark
00:33:43 Slide 16: Rip, Mix and Burn Revisited
00:35:19 Slide 17: Modern, Full-Stack, Distributed Apps
00:39:10 Slide 18: Optimise For Learning
00:42:35 Slide 19: Consider Run-Time Protection
00:46:26 Slide 20: Labels
00:47:55 Slide 21: Some Pointers
00:50:33 Slide 22: AppSec Is In Its Infancy...
00:51:51 Questions and Answers
00:53:25 Question 1: Cyber Insurance
00:54:45 Question 2: Trusting Software?
00:55:53 Question 3: Producers & Consumers: Labels?
00:57:31 Question 4: Global Labelling?
01:00:54 Question 5: Open Source & Transparency?
01:03:11 Question 5: Testing for Labelling?
01:07:20 Question 6: 5 Minutes To Write Up a Vulnerability?
01:08:15 Question 7: RASP?
01:10:44 Question 8: Demonstrations?
01:11:46 Question 9: Labelling Assessors?
01:13:37 Thank You!
01:14:17 End of Questions
01:14:20 Thanks!
01:15:16 End of Video
Resources:
Jeff's slides: www.thethirstyrobot.co.uk/OWAS...
