Keynote:Computer and Network Security: I Think We Can Win! presented at AppSec USA 2013

by William R. Cheswick,

Summary : Some think that computer and network security is a lost cause. I have spent forty years in the field, and it is discouraging that we have made few advances, and lost a lot of ground: our current technologies and practices are clearly unable to keep attackers out of our business.
Bob Morris said that security people are paid to think bad ideas, and I have had a lot of them. The threats are persistent, but not really advanced in most cases. I remain optimistic: it is still early in the game. These are our computers, our software, our network wiring. We have plenty of CPU cycles and storage and daunting cryptography. We ought to be able to win this battle---we have the home field advantage!
Some things are pretty clear to me at this point: user education and strict edicts are an inadequate substitute for good engineering; a good scientific measure of security still eludes us and is probably an intractable problem; standards compliance and checklists don't solve the problem; and our industry has not improved over the decades.
What does a cure look like? It is still early in the game, our software designs and user interfaces are still at the level of the Ford Model T. I will try to describe some of the technology and scenarios that may be part of the solutions.