The Application Security Ponzi Scheme: Stop paying for security failure

Presented at AppSec USA 2012, Oct. 26, 2012, 2 p.m. (45 minutes)

Consider the major classes of threats that have been significantly mitigated in the past. For OS vulnerabilities, DEP and ASLR have greatly improved the security of every supporting OS. For applications, ORMs have greatly reduced SQL Injection and auto-encoding has greatly reduced XSS. Common to both of these are fundamental changes in the underlying OS or framework, which produce hardened applications without any extra work for developers. Has the scan, fix, rescan cycle finally lost its allure? Matt and Jarret provide their insights into how to revolutionize the app security industry. Come participate in the discussion or just poke holes in Matt and Jarret's grandiose dream. Maybe you'll want to passionately defend your corner of the app sec world. Whichever you choose, it will be fun.


Presenters:

  • Jarret Raim - Rackspace
    Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace's internal software teams as well as defined strategy for building secure systems on Rackspace's OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant for Denim Group, Jarret has assessed and remediated applications in all industries and has experience with a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds a Master's in Computer Science from Lehigh University and a Bachelor's in Computer Science from Trinity University.
  • Matt Tesauro - Senior AppSec Engineer - Duo Security
    Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided trainings at various international industry events including DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He is a former board member of the OWASP Foundation and project lead for OWASP AppSec Pipeline & WTE projects. WTE is a collection of application security testing tools and the AppSec Pipeline project brings lessons from DevOps and Agile into Application Security. He holds two degrees from Texas A&M University and several security and Linux certifications.

Links: