FROC2010 Abstract Chess
The Presentation: "Watching Software Run: Beyond Defect Elimination"
No matter how good programmers get at making secure software, it will never be perfect—we will always have to contend with incomplete or inadequate code. Most efforts at living with bad code have focused on shoring it up from the outside: limiting network access or watching for suspicious behavior. This session takes a different perspective: it looks at methods for identifying and blunting the effects of software shortcomings from the inside, by watching the software run. For some years now we've focused on eliminating well-known classes of defects such as SQL injection and cross-site scripting. This is a battle worth fighting, and there are big benefits to eliminating defects early, but we will never be able to make perfect software. Instead we must build software that allows us to compensate for defects after the fact.
On the cloud computing front, much of the energy around security in the cloud has gone towards either figuring out how cloud customers and cloud vendors can trust each other, or finding ways to deliver security as a service in the cloud. The more interesting challenges come from a less explored topic: creating code that's ready for the cloud. The usual suspects (SQL injection and XSS) are uglier in the cloud because it's harder to defend against them with network devices, but more generally cloud-ready code needs to take its security with it wherever it goes. This puts additional emphasis on some old refrains (eliminate defects early) and creates new emphasis on creating software that's able to defend itself.
The Speaker: Brian Chess, Ph.D.
Brian Chess is a founder of Fortify Software and serves as Fortify’s Chief Scientist, where his work focuses on practical methods for creating secure systems. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.