AppSec USA 2016

As the cyber threat landscape evolves and as software dependencies grow more complex, understanding and managing risk in the software supply chain is more critical than ever, and it must focus on the entire lifecycle that includes development, acquisition, and DevOps.  The Internet of Things (IoT) is contributing to a massive proliferation of a variety of types of software-reliant, connected devices.  With IoT increasingly dependent upon third-party software of unknown provenance and pedigree, software composition analysis and other forms of testing are needed to determine 'fitness for use' and trustworthiness in terms of quality, security, safety, and licensing.  Application vulnerability correlation and management should leverage automated means for detecting threat indicators, weaknesses, vulnerabilities, and exploits.  Using standards-based automation also enables the exchange of information internally and externally with vendors in the global supply chain for IoT/ICT products.  Addressing supply chain dependencies throughout the lifecycle enables enterprises to harden their attack surface by:  comprehensively identifying exploit targets; understanding how assets are attacked, and providing more responsive course of action mitigations.

Since the dawn of the Internet and the Web, a broad series of hacking attack vectors have descended. Malicious hackers, researchers, and governments have demonstrated and deployed these attacks onto computers, mobile devices, and nuclear power plants. While we continue to build sophisticated technology to defend against many of these attacks, a new field of exciting research is taking place that uses side channels, physics, and low cost tools to employ powerful attacks against modern technology. We'll explore some of these fascinating, and often secretive, methods and how you can use them or secure against them.

The past decade has seen an unprecedented number of high-profile data breaches. To address this threat, businesses have begun to invest heavily in encryption technologies, both to protect data and to reduce liability in the event of a breach. However, the widespread deployment of encryption has placed a new burden on application developers, a burden that is made worse by the fact that many of our existing protocols and software libraries are themselves flawed. In this talk I will discuss the problems facing both cryptographers and application developers who implement cryptography. I will focus on where we stand with making cryptography easy to use; recent vulnerabilities in some of the protocols that power the secure web; and the challenging problem of securing cryptographic software against sophisticated nation-state attackers.