The 7 Qualities of Highly Secure Software

By Mano Paul on 26 Oct 2012 @ Appsecusa
#secure-development #software-security #secure-coding #devsecops #architecture #risk-management
Focus Areas: Governance, Risk & Compliance; Application Security; DevSecOps; Security Architecture


Abstract

Applications on the web, on mobile devices, and in the cloud all have one thing in common: they are insecure. In a world rife with software vulnerabilities, if you were allowed to place just seven things in a bag labelled “software development”, on the condition that whatever comes out of that bag must be secure, what would they be?

This talk covers the seven qualities that will enable your organization to develop reliable, hacker-resilient software. The scope runs from the builder to the boardroom.

Takeaways from the session include strategies to consider and implement within your organization as you develop software, whether for the cloud, mobile devices, or the web.

AI Generated Summary

The talk presented a framework for developing highly secure software, arguing that current industry practices often produce insecure code due to reactive, tool-centric approaches and pervasive security myths. The speaker defined highly secure software as reliable, resilient under attack, and recoverable, emphasizing that absolute hacker-proofing is impossible but difficulty can be maximized.

The core of the presentation was the enumeration of seven essential qualities for such software:

  1. Security Built-In: Security must be proactively integrated into the software development lifecycle (SDLC) from requirements gathering through retirement, not bolted on later. This includes training, threat modeling during design, secure coding practices, static/dynamic analysis, and secure deployment.
  2. Functionality Maps to a Security Plan: Software features must be directly tied to a comprehensive, granular security plan that identifies applicable requirements (e.g., regulatory, internal policies) and defines both proactive safeguards and reactive countermeasures.
  3. Foundational CIA/AAA: A baseline of Confidentiality, Integrity, Availability, Authentication, Authorization, and Auditing must be architecturally embedded.
  4. Adaptable: Security controls must evolve to address changing threat landscapes, including mobile and cloud environments.
  5. Resilient: The system must withstand attacks and maintain operational integrity.
  6. Recoverable: If compromised, the system must restore normal operations.
  7. Retirable: Secure disposal or sanitization of data and components at end-of-life is critical.

Key techniques advocated included thorough threat modeling to identify entry points and attack surfaces, and a risk-based, management-focused approach that ties security controls to business functionality and compliance requirements. The speaker debunked common myths such as the sufficiency of perimeter defenses, SSL for data-at-rest protection, or the notion that security is solely an IT responsibility.

Practical implications stress a holistic, lifecycle-oriented shift from tactical tool use to strategic process integration. Organizations must develop specific security plans, perform root cause analysis on vulnerabilities, and ensure all teams—from development to operations—share responsibility for building security in from the outset, covering all phases including secure installation, continuous monitoring, and proper retirement.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.