
NSA Veteran Speaks On Software Security

May 26th, 2008 Anthony Towry

AusCERT has concluded, and the boys over at Risky Business Podcast have posted quite a few one-on-one interviews with some of the speakers. One such interview is with Brian Snow, former Technical Director of IAD for the National Security Agency.

Mr. Snow talks about some of the challenges that software development firms face when considering the gravity of the risks they accept by not weaving security into the SDLC. Snow goes on to say that developers participating in a given project cannot be objective enough to accurately determine its defects.

I can go with Snow on the result, but not on the cause.  Most developers aren't in any position to determine whether or not their code is secure.  That said, it's not a result of being too close to the product.  It's that software security training never comes up for most developers.  Not in college, not on the job, not on their own.  It never shows up.

I believe that Developers CAN learn to locate issues in their own code.  The act of writing tests and rolling boundary cases through an application isn't a completely foreign concept.  Security bugs are a defect like anything else.  Nothing magical or mysterious, just another class of software defect that needs to be addressed and given the proper amount of attention to prevent.

Mr. Snow goes on, though, to talk about issues that absolutely are at the heart of the problem, such as the rush to market and the inability of firms to consider targeted malice. Business unit pressure on time and cost often squeezes adequate security testing out of the schedule.

There's nothing really earth shattering about this talk, but I get a little excited when application security is getting air time.

Posted in Programming, Security, conferences

Developer.Exit()

May 23rd, 2008 Anthony Towry

Yesterday was my last day as a full-time .Net developer. I've taken a new position that has more of a focus toward information security. Hopefully I won't be dumping all of my development skills. I'll still continue with research and items that interest me on the home front, but I will likely be focusing much more time toward security/administration/etc.

As a side note, my supervisor gave me a lovely parting gift that any code monkey would be proud to receive:

Jolt in a Milk Crate

Fuel for the soul.

Posted in Programming, Site News

Materials From HITB 2008 Dubai Now Available

May 3rd, 2008 Anthony Towry

In case you didn't make it to Hack In The Box Dubai this year, the materials are now available online. Some speakers of note that might be of interest are Adrian Pastor and PDP of GNUCITIZEN, Cesar Cerrudo as well as a keynote delivery by Jeremiah Grossman.

Hopefully we'll see some videos posted soon to supplement the slide and code dumps.

Posted in Security, conferences
