what could go wrong – thinking differently about security at app sec usa

speaker: Mary Ann Davidson

The speaker is from Oracle. I’ve never seen a non-Java or database presentation from them. Even so, I was surprised Oracle doesn’t make her put the standard long disclaimer on there.

“Translation” is a key skill – ask dumb questions, ask why something is a problem without being condescending.
Policymakers need to understand issues to make good decisions. [Otherwise you get policies like “developers can’t use the internet at work.”]

Analogies help when they work. They can be humorous when they don’t.
One Little Dutch Boy stops water in the dike. “If only we had 300K Little Dutch Boys” – they will all drown when the dam breaks.
Fridge on the network. Forgot the password: “family of five starves to death, locked out of refrigerator.”

Principled vs purist

  • World isn’t perfect. Neither is security.
  • The real metric is whether customers are protected. How fast you patch is less important; customers don’t like patches. They won’t apply one if they think it will break something.


  • Systemic risk (housing meltdown) – cannot be mitigated after the fact. Think about how to avoid systemic risk. The internet was not designed for everything to be on it, such as fridges. That doesn’t mean all advances are bad. Have the discussion before taking the risk.
  • Efficient resource allocation – time, money and QUALIFIED people are always constrained. Opportunity cost. If people are made to do something silly, it crowds out more valuable work.
  • Market incentive – One off patches are expensive. Would rather build something new.

Game theory – Prisoner’s Dilemma

  • Should someone defect and sell encryption code to another country? Hasn’t happened


  • Chemical signaling – what if systems could communicate under attack and update defenses
  • Deception – we have honeypots


  • Network-centric warfare – translate information advantage into competitive advantage. Information advantage has a time to live.
  • This makes the network itself a battlefield that you need to defend
  • Attacker’s goal is to disrupt the defender’s ability to wage war and prevent use of IT
  • Tools need to be designed for your threat environment. Don’t want a water gun on the battlefield
  • Situational awareness – who is on the network, friend or foe, what is over the hill, etc.
  • Defend what is strategic; not everything


  • Can’t start security education too early. “Look both ways before crossing the Internet” – don’t open attachments
  • Universities need to reflect building IT as infrastructure
  • Vendors must educate every CS grad in basic security and spend millions fixing avoidable, preventable design and code defects
  • CS classes must embed and reinforce security – compare structures in engineering. It’s part of the curriculum, not a one-off
  • Have red team/blue team as part of all CS classes
  • Accreditation bodies should force curricula to change

Developers are personally responsible for code

OODA (observe, orient, decide, act)

  • Stay agile.
  • Can targets evolve to keep opponents off balance?

Solve the right problem. Not everything is a tech problem

Oracle does security with coding standards, training classes and checklists. Not optional. When groups are acquired, they need to start doing it. There is still resistance, but it has to be done because of the cost and brand damage otherwise.

My take on this
I liked this session. It’s hard to say what you learned because it is about thinking, but the points raised were good.

Pingback: Application Security USA 2013 – live blog index | Down Home Country Coding With Scott Selikoff and Jeanne Boyarsky