Software Security Engineering (Learnings from the past to fix the future)

The presentation discusses the reasons why old security bugs continue to persist in the industry and proposes better mitigation strategies.

• Machine learning can be used to prevent malicious actions by training it to do behavioral checks
• DevSecOps is not a silver bullet for software security engineering and should not be hyped as such
• The way organizations respond to bug reports contributes to the persistence of old security bugs
• Mitigation strategies that only fix reported bugs or prioritize based on risk rating are inadequate
• Publicly reported security bugs should be taken seriously and addressed promptly

The speaker highlights the importance of addressing all instances and variants of a bug in an application, not just the reported one. Failure to do so can result in missing other instances and variants of the same bug in the same application, leading to a lack of software resilience against known security bugs. Additionally, the speaker emphasizes the need to take publicly reported security bugs seriously and promptly address them to prevent their contribution to the global number of security bugs.

Abstract:Over the last 20 years, exponential growth in technology and technological advancement has led to a significant increase in an application or software attack surface. If these applications become part of an organisation's internal or external facing infrastructure, it inherently increases an organisation overall attack surface.Interestingly a vast majority of security bugs the industry have been dealing with these days have been around for at least two decades.Suppose you are responsible for ensuring application security for your organisation or a vital member of the software engineering team and dealing with known security issues affecting these applications year after year. In that case, there are few critical questions to ask yourself.Is it challenging to entirely eradicate any known application security bugs in a single application and across all the applications in your organisation? Does your product team observe the nature of security bugs identified and mitigated in a particular application/software release, continues to surface back in future releases? Have you made a move to DevSecOps, or considering migrating away from Waterfall and Agile with the hope that it would take care of all the security bugs in your applications/software.If the answer to either or all of the above questions is "Yes", then this talk is for you.This talk will have no fancy demos; instead, this talk will cover some of the crucial aspects of software security engineering and strategy that most organisations have overlooked or ignored.The key to ensuring maximum possible security resilience in an application/software against known and unknown threats is hidden in past events. Therefore, there will be past examples covered during the talk to learn from and retrospect to fix future security problems in an application/software.It is quite possible to eliminate known security bugs entirely across all the applications in an organisation and prevent them from reoccurring. While achieving 100% resilience against zero-day threats for your software is less likely, it is quite possible to achieve at least 99.99% security resilience in application/software to defend against variants of know security bugs.This talk will provide some food for thoughts on how to steer software security engineering in an organisation to achieve such results. Among all the solutions I'd cover, none of those will lead to DevSecOps. You'll find out why during the talk.