Application Security: Everything we know is wrong

Presented at AppSec USA 2013, Nov. 21, 2013, noon (50 minutes)

Video of session: The premise behind this talk is to challenge both the technical controls we recommend to developers and also our actual approach to testing and developing secure software.  This talk is sure to challenge the status quo of web security today. "Insanity is doing the same thing over and over and expecting different results." - Albert Einstein We continue to rely on a "pentest" to secure our applications. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability? Our testing methodologies are non-consistent and rely on the individual and the tools they use; Some carpenters use glue and some use nails when building a wooden house. Which is best and why do we accept poor inconsistent quality. Fire and forget scanners won't solve security issues. Attackers take time and skill but our industry accepts the output of a software programme to help ensure security? How can we expect developers to listen to security consultants when the consultant has never written a line of code? Why don't we ask ‘How much code development have you done, seen as you are assessing my code for security bugs?" Currently we treat vulnerabilities like XSS and SQLI as different issues but the root causes it the same. - it's all code injection theory!! Why do we do this and make security bugs over complex? Why are we still happy with "Testing security out" rather than the more superior "building security in"?


  • Eoin Keary - CTO and Founder - BCC Risk Advisory Ltd.
    Eoin Keary is an international board member of OWASP. He leads the OWASP code review project. Eoin is the CTO and founder of BCC Risk Advisory Ltd.He has also led global security engagements for some of the world's largest financial services and consumer products companies. Eoin is a well known technical leader in industry in the area of software security and penetration testing.Eoin lives in Dublin, Ireland.


Similar Presentations: