Presented at
CanSecWest 2022,
May 19, 2022, 10:30 a.m.
(60 minutes)
Did you know that GitHub reports 500 times more developers than security experts? That means we’re developing software faster than we can manually check it.
Unfortunately, it also means the status quo gives offense a permanent advantage. We all know that defense needs to check software at the speed and scale of development, while offense just needs to find one exploitable bug in deployed software.
In 2016, DARPA asked if there was a better approach. They asked whether it was possible to build an autonomous appsec stack – a sort of autopilot for appsec – that could run at machine speeds and scale. The answer was yes, but using technology that few would have initially guessed. The base of the tech stack was fuzzing and symbolic execution.
The question we now face: how do we change the world to adopt the proven fully automatic approach? How does the automatic tech stack differ from what’s found in practice, and what are the barriers to making the world safer? Is the future of appsec human, or a machine?
Presenters:
-
David Brumley
- ForAllSecure
Dr. David Brumley is CEO and co-founder of ForAllSecure and a full professor at Carnegie Mellon University. His accomplishments include winning the DARPA Cyber Grand Challenge, a United States Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama, a Sloan Foundation award, a Carnegie Science Award, several patents, numerous academic papers, a DEFCON black badge, creating picoctf.com, and helping create and mentor PPP, one of the most competitive hacking teams in the world.
Links:
Similar Presentations: