No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities

Presented at RVAsec 2019, May 22, 2019, 4 p.m. (50 minutes).

In software development, we frequently see the same logical coding mistakes being made repeatedly over the course of a project’s lifetime, and often across multiple projects. When these mistakes lead to security vulnerabilities, the consequences can be severe. No one knows this better than companies like Google and Microsoft, whose software is used by millions of people every day. Each code vulnerability discovered presents an opportunity to investigate how often the mistake is repeated, to find out whether any other unknown vulnerabilities exist as a result, and to implement an automated process that prevents it from reappearing. In this talk, I’ll be introducing Variant Analysis, a new process being pioneered by security teams at a number of companies, including Google and Microsoft, that does just this. I’ll discuss how it can be integrated into your development and security operations, and also share some stories from the trenches.

Presenters:

  • Sam Lanning - Semmle Inc
    Sam started working at Semmle in October 2014, after deciding to drop out of his Master’s at Oxford University, where he had completed his undergraduate Computer Science degree. Sam was the first full-time developer for Semmle’s LGTM platform and worked on it for over 3 years before becoming a developer advocate. Sam has been an active member of the security and privacy community for a while, with a particular interest in vulnerability research, cryptography, and peer-to-peer networks, having previously contributed to Signal’s Android and Desktop clients, among other open-source projects. Most recently, in his free time, he’s been working on an open-source project that ties together music and lighting.
