Why Can’t Johnny Program Securely?

The October 2022 tech talk was presented by Robert Seacord

Abstract

Secure coding (unsurprisingly) is hard. Our educational systems have failed to properly prepare students, and our assessments have overestimated their abilities. Analysis and testing are useful but inadequate. This presentation will discuss the gap in qualified secure coders and what we can do to eliminate it.

About the Presenter

Robert C. Seacord is the Standardization Lead at Woven Planet, where he works on the software craft. Robert was previously a Technical Director at NCC Group, Secure Coding Manager at Carnegie Mellon’s Software Engineering Institute, and an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University.

He is the author of seven books, including Effective C: An Introduction to Professional C Programming (No Starch Press, 2020), The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014), Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014). He has also published more than 50 papers on software security, component-based software engineering, web-based system design, legacy-system modernization, component repositories and search engines, and user interface design and development. Robert has been teaching secure coding in C and C++ to private industry, academia, and government since 2005. He started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering; he also worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System. Robert is on the advisory board for the Linux Foundation and is an expert in the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.

Putting the “Sec” in DevSecOps… Quantified

The March 2021 tech talk was presented by Larry Maccherone

Abstract

A guiding principle of Comcast Cybersecurity is that we are no longer gatekeepers, but rather coaches and toolsmiths. Another is that we favor building security in over bolting it on. Together, what this means is that the ownership of the problem of the security of the products shifts primarily to the teams that are developing those products. Further, the role of the cybersecurity group at Comcast shifts to supporting those engineering teams by developing and providing self-service tools that prevent problems or give automated feedback. We then provide coaching to help teams understand how best to use those tools and whatever other DevSecOps practices they need to adopt.

This talk dives deeper into what the above paragraph means and then presents original research quantifying the impact that various DevSecOps practices have on security risk outcomes, so you can make an informed decision about what to focus on first.

About the Presenter

Larry Maccherone is an industry-recognized thought leader on Lean/Agile, Analytics, and DevSecOps. He currently leads the DevSecOps transformation at Comcast as a Distinguished Engineer. Previously, Larry led the Insights product line at Rally Software, where he published the largest-ever study correlating development team practices with performance. Before Rally, Larry worked at Carnegie Mellon with the Software Engineering Institute (SEI) and CyLab for seven years, conducting research on cybersecurity and software engineering.

Contact Larry on his LinkedIn page: https://www.linkedin.com/in/LarryMaccherone