Software Security Engineering (Learnings from the past to fix the future)
Speaker(s): Debasis Mohanty
Audience: Software Engineering Team Members (Developers, Architects, Engineering Managers etc.), Technology or Product Companies Key Stakeholders, Application Security Enthusiasts, Pretty much anyone who has interests in software security engineering
Over the last 20 years, exponential growth in technology and technological advancement has led to a significant increase in the attack surface of an application or piece of software. When these applications become part of an organisation's internal or external facing infrastructure, they inherently increase the organisation's overall attack surface. Interestingly, most of the security bugs the industry is dealing with these days have been around for at least two decades.
Suppose you are responsible for ensuring application security for your organisation, or you are a vital member of the software engineering team, and you deal with known security issues affecting these applications year after year. In that case, there are a few critical questions to ask yourself.
Is it challenging to entirely eradicate any known application security bug in a single application, let alone across all the applications in your organisation? Does your product team observe that the kinds of security bugs identified and mitigated in a particular application/software release continue to resurface in future releases? Have you moved to DevSecOps, or are you considering migrating away from Waterfall and Agile, in the hope that it will take care of all the security bugs in your applications/software?
If the answer to any or all of the above questions is "Yes", then this talk is for you.
This talk will have no fancy demos; instead, it will cover some of the crucial aspects of software security engineering and strategy that most organisations have overlooked or ignored. The key to ensuring the maximum possible security resilience of an application/software against known and unknown threats is hidden in past events. Therefore, the talk will cover past examples to learn from and reflect on, in order to fix future security problems in an application/software.
It is quite possible to eliminate known security bugs entirely across all the applications in an organisation and prevent them from reoccurring. While achieving 100% resilience against zero-day threats for your software is less likely, it is quite possible to achieve at least 99.99% security resilience in an application/software against variants of known security bugs.
This talk will provide some food for thought on how to steer software security engineering in an organisation to achieve such results. Among all the solutions I'd cover, none of them will lead to DevSecOps. You'll find out why during the talk.
Debasis has over 20 years of insightful experience in offensive and defensive security. He got into security as early as 1997-1998, when there were limited online resources and one had to self-learn and rely more on textbooks, MSDN resources (Windows), or man pages (Linux/Unix) than on the internet.
A large part of his background has been working closely with software engineering companies to evangelise security at various stages of the software development lifecycle.
He specialises in, though is not limited to, application security, infrastructure security, exploit development, and reverse engineering. While he has made several contributions to the security community in the form of tools, exploits, and whitepapers, one of his notable contributions has been a remote Microsoft Windows exploit (MS08-067), which penetration testers still use on many occasions.