"What Could Possibly Go Wrong?" - Thinking Differently About Security

Presented at AppSec USA 2013, Nov. 20, 2013, 2 p.m. (50 minutes)

Video of session: https://www.youtube.com/watch?v=bIn-tzGezqM&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=16

Almost all security professionals have one or more headshaking security stories caused by everything from sloppy design to execrable coding to insanely asymmetric risk assumption. Technical acumen is not enough if we want to improve actual security (instead of improving our job security): we need to think about, and talk about, security differently.

This means absorbing the language, constructs and lessons of other disciplines from economics (systemic risk) to military history and tactics (force multipliers). It means understanding the limits of technology, that there are "unknown unknowns" and that humans are all too fallible (and there's no upgrade coming). Lastly, it requires the techno-proficient among us to learn to de-geek our speak so that we can express security concerns in terms that decision makers and policy makers can understand: "barbarians are at the gate" is so much more understandable and actionable than "there's a manifestation of a theoretic weakness in the Visigoth detection protocol."

Presenters:

  • Mary Ann Davidson - Chief Security Officer - Oracle
    Mary Ann Davidson is the chief security officer at Oracle, responsible for Oracle software security assurance. She represents Oracle on the board of directors of the Information Technology Information Sharing and Analysis Center (IT-ISAC), and serves on the international board of the Information Systems Security Association (ISSA). She has been named one of Information Security's top five "Women of Vision," is a Federal 100 Award recipient from Federal Computer Week, and was recently named to the ISSA Hall of Fame. Davidson has served on the Defense Science Board and was a member of the Center for Strategic and International Studies Commission on Cybersecurity for the 44th Presidency. She has testified on cybersecurity to the US House of Representatives (Energy and Commerce Committee, Armed Services Committee, and Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology), and the US Senate Committee on Commerce, Science, and Technology. Davidson has a BS in mechanical engineering from the University of Virginia and an MBA from the Wharton School of the University of Pennsylvania. She received the Navy Achievement Medal when she served as a commissioned officer in the US Navy Civil Engineer Corps.
