Application Security: Everything we know is wrong presented at AppSec USA 2013

by Eoin Keary,

URL : http://2013.appsecusa.org/2013/wp-content/uploads/2013/12/Web-Security-%EF%BF%BD%2580%2593-Everything-we-know-is-wrong-Eoin-Keary.pptx

Summary : The premise behind this talk is to challenge both the technical controls we recommend to developers and also our actual approach to testing and developing secure software.
This talk is sure to challenge the status quo of web security today.
"Insanity is doing the same thing over and over and expecting different results." - Albert Einstein
We continue to rely on a “pentest” to secure our applications. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability?
Our testing methodologies are non-consistent and rely on the individual and the tools they use; Some carpenters use glue and some use nails when building a wooden house.
Which is best and why do we accept poor inconsistent quality.
Fire and forget scanners won’t solve security issues. Attackers take time and skill but our industry accepts the output of a software programme to help ensure security?
How can we expect developers to listen to security consultants when the consultant has never written a line of code?
Why don’t we ask ‘How much code development have you done, seen as you are assessing my code for security bugs?" Currently we treat vulnerabilities like XSS and SQLI as different issues but the root causes it the same. – it’s all code injection theory!! Why do we do this and make security bugs over complex?
Why are we still happy with “Testing security out” rather than the more superior “building security in”?