Bringing Autonomy to AppSec – Dr. David Brumley – ESW #255
Log4j, solar winds, tesla hacks, and the wave of high profile appsec problems aren’t going to go away with current approaches like SAST and SCA. Why? They are:
-40 years old, with little innovation
-Haven’t solved the problem.
In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:
-Prove bugs, rather than trying to list all of them.
-Zero false positives, which leads to better autonomy.
Segment Resources:
Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge
Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
Example vulns discovered:
https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot
https://github.com/forallsecure/vulnerabilitieslab Visit https://www.securityweekly.com/esw for all the latest episodes!
Bringing Autonomy to AppSec
Guests
|
Dr. David Brumley – CEO and Co-Founder at ForAllSecure
Dr. Brumley is the CEO and co-founder of ForAllSecure, a company with the mission to secure the world’s software. He is also is an Associate Professor at Carnegie Mellon University (currently on leave) with a primary appointment in the Electrical and Computer Engineering Department and a courtesy appointment in the Computer Science Department. He is also the previous Director of CyLab, the CMU Security and Privacy Institute. His research focuses on software security. Prof. Brumley received his Ph.D. in Computer Science from Carnegie Mellon University, an MS in Computer Science from Stanford University, and a BA in Mathematics from the University of Northern Colorado. He served as a Computer Security Officer for Stanford University from 1998-2002 and handled thousands of computer security incidents in that capacity. He is the faculty mentor for the CMU Hacking Team Plaid Parliament of Pwning (PPP), which is ranked internationally as one of the top teams in the world according to ctftime.org. The team was ranked #1 in 2011, #2 in 2012, and #1 in 2013, and won DefCon 2013. He received the USENIX Security best paper awards in 2003 and 2007, an ICSE distinguished paper award in 2014. Prof. Brumley honors include being selected for the 2010 DARPA CSSP program and 2013 DARPA Information Science and Technology Advisory Board, a 2010 NSF CAREER award, a 2010 United States Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama (the highest award in the US for early career scientists according to wikipedia), and a 2013 Sloan Foundation award. |
Hosts
|
Adrian Sanabria – Senior Research Engineer at CyberRisk Alliance @sawaba
Adrian is an outspoken researcher that doesn’t shy away from uncomfortable truths. He loves to write about the security industry, tell stories, and still sees the glass as half full. |
|
Tyler Shields – CMO at JupiterOne @txs
Tyler advises, guides, and operates high tech startups primarily in the B2B security space. He is a former market analyst, engineer, product manager, marketing leader, and partnership manager. In other words, Tyler builds and grows businesses – in all aspects. He’s a board advisor, angel investor, and board member at multiple firms and an investment advisor for a venture debt business. He loves to play guitar and poker in his free time. |
Announcements
-
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!