Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Why AppSec Matters
1. InnoTech Austin 2011 The OWASP Foundation
http://www.owasp.org
Why AppSec Matters?
Matt Tesauro
OWASP Foundation Board Member
matt.tesauro@owasp.org
2. <Who is>
Broad IT background
Developer, DBA, Sys Admin, Pen Tester, Application
Security professional, CISSP, CEH, RHCE, Linux+
Long history with Linux and Open Source
Contributor to many projects
Leader of OWASP Live CD / WTE
OWASP Foundation Board Member
Cyber Security Engineer Lead at Rackspace
2
3. First some notes...
This talk includes some speculation on my
part
The intention is to get you to think a bit
about the topic
* Disclaimer: Views of Matt do not
necessarily represent those of OWASP...
3
7. For those that missed ToorCon...
“Real Men Carry Pink Pagers”
Girl Tech brand
IM-Me device
modified to:
open garage doors
clone RFID tags
“Diagnostic tool” for
smart meters
7
16. Air France Flight 447
June 1st 2009
Automated telemetry data shows that the software lost
trust in on of the two inertial guidance systems
Black box has not been found
Shoebox in Paris under 3,000 m of water
Multiple condition software
failure followed by the
powered flight into the water
Over 200 people killed
16
20. Open Web Application Security Project
First some quick review
•Software is everywhere
•Software has problems
Why do these problems exist in software?
•Why can't we have an ecosystem of secure software?
20
21. Why does software have problems?
People implicitly trust software
•Smart phones & *Store
•The Internet
Blame Developers for software problems
•We'll never hack our way secure
Security of software is hidden
•How do you tell that app is secure?
21
22. This cycle is toxic to to the
software security
ecosystem.
22
26. Incentives against secure & rugged software
No liability – EULA excuses all
First mover advantage
The market doesn't reward secure software
The market doesn't reward transparency
aka visibility
26
27. Software, as we are building it today,
is an unsafe building material.
The physical engineering disciplines figured
this out a long time ago
27
28. How is software an unsafe building material?
Can't inspect software (generally speaking)
Can't assess complex failures easily by
testing
Can't fix a flaw if you find one (DMCA)
Can't learn from failures
Regulation and/or standards???
28
29. Regulation problems
Jurisdiction
•Software is everywhere, but
not all business have a regulatory body
Talent and ability
•Do regulators have budget and talent to actually
test software
No business likes regulation
29
30. NHTSA
National Highway Transportation Safety Agency
Active and competent agency with a history of
enforcing auto safety
Enter the Toyota Prius
•NHTSA admitted they didn't have people trained to
test software in cars
•Borrowed 50 engineers
from NASA
•Good stop gap but what
about next time?
30
32. What we need
Software we can inspect.
Software we can test.
Software where security is visible.
(transparency)
Software that is rugged.
To study and learn from failures.
32
37. A few closing thoughts
The blackbox, faith-based cycle of trust must end
•Realize the truth of this and work for change
Prevent problems rather then cope with the
aftermath of software failure.
•Some harm has no easy remedy e.g. death.
•Post harm at best causes redistribution of capital
but more likely just blame.
37
38. Questions?
Download it free at: Sintel
http://www.sintel.org Independent film produced by the Blender
Foundation using free and open software
38
39. The giants who lent me their shoulders:
Jeff Williams & Dave Wichers
AppSec US 2010 and DHS Software Assurance Day
presentations – many bits and pieces from these
Eben Moglen (Software Freedom Law Center)
“When Software is in Everything: Future Liability
Nightmares Free Software Helps Avoid”
David Rice
His wonderful keynote at AppSec US 2010 on
software security, externalities and pollution.
Karen Sandler et al
“Killed by Code: Software Transparency in
Implantable Medical Devices”
39