Bringing Autonomy to AppSec – Dr. David Brumley – ESW #255
Log4j, SolarWinds, Tesla hacks, and the wave of high-profile AppSec problems aren't going to go away with current approaches like SAST and SCA. Why? Those approaches are:
- 40 years old, with little innovation
- Still not solving the problem
In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:
- Prove bugs, rather than trying to list all of them.
- Zero false positives, which leads to better autonomy.
Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge
Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
Example vulns discovered:
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Dr. Brumley is the CEO and co-founder of ForAllSecure, a company with the mission to secure the world's software. He is also an Associate Professor at Carnegie Mellon University (currently on leave) with a primary appointment in the Electrical and Computer Engineering Department and a courtesy appointment in the Computer Science Department. He is also the previous Director of CyLab, the CMU Security and Privacy Institute. His research focuses on software security.
Prof. Brumley received his Ph.D. in Computer Science from Carnegie Mellon University, an MS in Computer Science from Stanford University, and a BA in Mathematics from the University of Northern Colorado. He served as a Computer Security Officer for Stanford University from 1998 to 2002 and handled thousands of computer security incidents in that capacity. He is the faculty mentor for the CMU hacking team Plaid Parliament of Pwning (PPP), which is ranked internationally as one of the top teams in the world according to ctftime.org. The team was ranked #1 in 2011, #2 in 2012, and #1 in 2013, and won DefCon 2013. He received the USENIX Security best paper awards in 2003 and 2007, and an ICSE distinguished paper award in 2014.
Prof. Brumley's honors include being selected for the 2010 DARPA CSSP program and the 2013 DARPA Information Science and Technology Advisory Board, a 2010 NSF CAREER award, a 2010 United States Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama (the highest award in the US for early-career scientists, according to Wikipedia), and a 2013 Sloan Foundation award.