The software market is broken, at least as far as security is concerned. When security is invisible, buyers can't make informed decisions, and vendors have no incentive to create secure applications. Imposing liability and regulatory regimes on vendors only encourages them to bury details about security; it will not fix the market. This is exactly why OWASP's mission is "to make application security visible, so that people and organizations can make informed decisions about true application security risks." We believe improved visibility will, over time, create a market for software that is not riddled with vulnerabilities. Even making simple facts visible can make a difference: whether the developers who built the software were trained in security, which security controls are present in the software, what process was used to build and test it, and so on. Today, even the most basic facts are helpful, such as the languages used, the number of lines of code, the libraries used, and the network connections made. This is not the time to let perfect be the enemy of good enough. We need software security labels now, so Jeff will release a free and open tool to help you create your own "Security Facts" labels at this talk!