KEYNOTE: Is the Future of AppSec Human?

Did you know that GitHub reports 500 times more developers than security experts? That means we’re developing software faster than we can manually check it.

Unfortunately, it also means the status quo gives offense a permanent advantage. We all know that defense needs to check software at the speed and scale of development, while offense just needs to find one exploitable bug in deployed software. 

In 2016, DARPA asked if there was a better approach. They asked whether it was possible to build an autonomous appsec stack – a sort of autopilot for appsec – that could run at machine speeds and scale. The answer was yes, but using technology that few would have initially guessed. The base of the tech stack was fuzzing and symbolic execution.

The question we now face: how do we change the world to adopt the proven fully automatic approach? How does the automatic tech stack differ from what’s found in practice, and what are the barriers to making the world safer? Is the future of appsec human, or a machine?


David Brumley, ForAllSecure


ForAllSecure CEO David Brumley received his PhD in Computer Science from Carnegie Mellon University, MS in Computer Science from Stanford University, and a BA in Mathematics from the University of Northern Colorado. Brumley is a tenured Professor of Electrical & Computer Engineering at Carnegie Mellon University, and was Director of the university-wide security and privacy institute. Brumley is the author of over 50 publications in computer security and has received numerous awards, including the US PECASE award from President Obama, the highest award in the US for early career scientists and engineers. 

In 2012, Brumley, along with his graduate students Athanasios Avgerinos and Alexandre Rebert, co-founded ForAllSecure with the mission to secure the world's critical software. In 2016, ForAllSecure went on to win the DARPA Cyber Grand Challenge with Mayhem, ForAllSecure’s autonomous cyber security system. 
