The Internet is on fire, and every connected device and user is at risk. How did we get here? By not seeing the dangers ahead, by being lazy and by not understanding the threats we are facing and the consequences of failing at building secure and robust infrastructure. This needs to change, and you need to contribute.

1. DON’T JUST STAND THERE – GRAB A BUCKET
THE INTERNET IS ON FIRE

2. This needs to change, or there is no sustainable, digital future.
THE INTERNET IS ON FIRE AND EVERY
CONNECTED DEVICE IS AT RISK

3. I’m calling every developer to pick up the proverbial bucket.
And if you deploy any kind of code, that includes you.
Yes, you.
THIS IS A CALL TO ARMS

4. | WHERE ARE WE?
Our technology is not optional anymore.

5. | WHERE ARE WE?
In the wake of the digitalization of everything and our rapid and greedy
adoption of new technology, criminals and spies have followed.
The internet, all our technology and the digitalized society is under constant
attack from criminals, spies and in some cases even our own governments.
The Internet is “on fire”, and every connected device – and user – is at risk.
This is a reality. It’s not up for discussion anymore.

6. | WHERE ARE WE?
We don’t know how many security incidents go undetected,
but the very realistic fear is that it may be a vast majority of them.
Of the detected incidents only 30 % were
detected by the targeted organization themselves.
Of these 30 %, a whopping 90 % were detected during exfiltration.
The average time of detection of an espionage incident is over 200 days.

7. | WHERE ARE WE?
There are typically at least 10 errors or defects in every 1 000 lines of code.
This can typically be reduced to less than 1 error or defect in every 1 000 lines
of production code after rigorous testing.
There is typically left 1 exploitable vulnerability per 1 000 000 lines of code.
Every year there are several severe and exploitable vulnerabilities in the
majority of popular software. The same seems to be true for hardware.

8. | WHERE ARE WE?
And yet, code now runs almost everything, everywhere.
There is hardly any aspect of life where we aren’t using modern IT technology.
To quote Melissa Hathaway: “We have put every critical system on the backbone
of the Internet, but the Internet wasn't ready for it.”
The proof is readily available. Every month you hear about major security
breaches with big consequences for people, companies and countries.

9. | WHERE ARE WE?
We’ve joined the party without proper protection.

10. | WHERE ARE WE?
The technological foundation of digitalized society is crumbling.

11. | HOW DID WE GET HERE?
By being lazy…

12. | HOW DID WE GET HERE?
By making wrongful assumtions…

13. | HOW DID WE GET HERE?

14. | HOW DID WE GET HERE?

15. | HOW DID WE GET HERE?
Conclusion: Only 3 % of all detected security incidents were detected
by the targeted organization themselves before it was to late.
Background: Badly written, badly deployed and badly configured code are
the enablers for a huge part of the avalanche of security
incidents we are currently experiencing.
Consequence: The vulnerabilities we introduce in code and IT infrastructure
are threatening our personal lives, our businesses, our
governments and in reality also our societies.

16. | WHERE ARE WE HEADING?
Towards the proverbial, digital cliff…?

17. | WHERE ARE WE HEADING?
You need to be aware of how terrible this technology is.
It is not protecting you.
This is not the safe version of the future you’ve seen on Star Trek.
This is the dirty ugly version of the future.
Everything is a bad neighborhood now.
– Dr. Paul Vixie

18. | WHERE ARE WE HEADING?
Possibly to a near future were we can’t trust our digital ground.

19. | HOW CAN WE AVOID THIS?
Customer demands.
Probably not until it’s “too late”…
Industry self-regulation and competition.
Few signs of that happening…
Laws and regulations.
Too little, too late – and probably not the way we’d want it…

20. | HOW CAN WE AVOID THIS?
But we can also do it bottom-up.

21. | HOW CAN WE AVOID THIS?
We can – and should – educate ourselves, and do better.

22. • Accept that your code will be deployed in ways you never imagined.
• Accept that absolutely all code you deploy will be attacked.
• Don’t assume that anyone else will mitigate vulnerabilities in your code.
• Don’t assume that exploiting your code will only affect your application.
• Accept that lives at some point will depend on the robustness of your code.
OUR SUSTAINABLE DIGITAL
FUTURE STARTS WITH YOU
DEPLOYING BETTER CODE

23. http://iamthecavalry.org/
@iamthecavalry
Go pick up a bucket
and say after me:
I’ll pitch in to fix it,
I am the Cavalry!
Be the Cavalry. Build more secure and robust systems even if no-one demands it.

24. We need a better and more
sustainable digital future, and the
world needs your contribution
SECURITY IS ALL ABOUT
SUSTAINABILITY

25. /presenter$ whoami
• Name: Frode Hommedal
• Homepage: http://frodehommedal.no/
• Twitter: @FrodeHommedal
• LinkedIn: https://no.linkedin.com/in/hommedal