The software market is broken - at least as far as security is concerned. When security is invisible, buyers can't make informed decisions, and vendors have no incentive to create secure applications. Forcing vendors with liability and regulatory regimes encourages vendors to bury details about security and will not fix the market. This is exactly why OWASP's mission is "to make application security visible, so that people and organizations can make informed decisions about true application security risks." We believe improved visibility will, over time, create a market for software that is not riddled with vulnerabilities. Even making simple facts visible can make a difference, such as whether the developers who built the software were trained in security, the security controls present in the software, the process used to build and test the software, etc... Currently, even the most basic facts are helpful, such as the languages used, the number of lines of code, libraries used, and connections made. This is not the time to let perfect be the enemy of good enough. We need software security labels now, so Jeff will release a free and open tool to help you create your own “Security Facts” labels at this talk!
Jeff Williams is the founder and CEO of Aspect Security, specializing exclusively in application security professional services. Jeff also serves as the volunteer Chair of the Open Web Application Security Project (OWASP). He has made extensive contributions to the application security community through OWASP, including writing the Top Ten, WebGoat, Secure Software Contract Annex, Enterprise Security API, OWASP Risk Rating Methodology, and starting the worldwide local chapters program. If nothing else, Jeff is probably the tallest application security expert in the world and likes nothing better than discussing new ideas for changing the way we build software.