lecture: No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities


We frequently see the same types of security vulnerabilities appearing repeatedly over the course of a software project’s lifetime, and often across multiple projects. In this talk I’ll be discussing how security teams at companies such as Google and Microsoft use variant analysis to address this in their own software.

In software development, we frequently see the same logical coding mistakes being made repeatedly over the course of a project’s lifetime, and often across multiple projects. When these mistakes lead to security vulnerabilities, the consequences can be severe. No one knows this better than companies like Google and Microsoft, whose software is used by millions of people every day.

With each code vulnerability discovered, we’re presented with an opportunity to investigate how often this mistake is repeated, to check whether any other, as-yet-unknown vulnerabilities result from it, and to implement an automated process that prevents it from reappearing. In this talk, I’ll be introducing Variant Analysis, a new process being pioneered by security teams at a number of companies including Google and Microsoft, that does just this. I’ll discuss how it can be integrated into your development and security operations, share some stories from the trenches, and also show how companies are sharing their knowledge and research as open source tools and queries that everyone can benefit from.
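The process the abstract describes (one reported bug, generalise it into a pattern, find every other occurrence, then run the check automatically so the mistake cannot return) can be illustrated with a toy example. The Python below is an added illustration written for this page, not material from the talk or from any of the tools it refers to; it encodes one bug class (a shell command built from non-literal input) as an AST query over a constructed three-file sample project, reports the unfixed variants, and exposes a `ci_gate` function that a pipeline could call to block regressions. All file names, function names and sample sources are constructed for the example.

```python
"""Toy variant analysis: turn one fixed bug into a codebase-wide check.

Added illustration for this page; the file contents below are constructed,
not taken from any real project.
"""
import ast
from dataclasses import dataclass

# Constructed sample project. deploy.py is the call site that was reported and
# fixed (argv list, no shell). The other two files contain variants of the same
# mistake that nobody has looked at yet, plus one call that uses a literal
# command and is therefore not an instance of the bug class.
SAMPLE_FILES = {
    "deploy.py": (
        "import subprocess\n"
        "def restart(service):\n"
        "    subprocess.run(['systemctl', 'restart', service])\n"
    ),
    "backup.py": (
        "import subprocess\n"
        "def backup(path):\n"
        "    subprocess.call('tar czf /tmp/b.tgz ' + path, shell=True)\n"
    ),
    "cleanup.py": (
        "import os, subprocess\n"
        "def clean(dirname):\n"
        "    os.system(f'rm -rf {dirname}')\n"
        "    subprocess.run('ls -l', shell=True)\n"
    ),
}

# The generalised pattern: functions that hand a string to a shell.
SHELL_SINKS = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "call"), ("subprocess", "run"), ("subprocess", "Popen"),
    ("subprocess", "check_call"), ("subprocess", "check_output"),
}


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    sink: str


def _qualname(func):
    """Return ('module', 'attr') for a call like module.attr(...), else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def _is_string_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _shell_true(call):
    """True when the call passes shell=True as a literal keyword."""
    return any(
        kw.arg == "shell"
        and isinstance(kw.value, ast.Constant)
        and kw.value.value is True
        for kw in call.keywords
    )


def find_variants(source, filename):
    """Report every sink call whose command string is not a plain literal."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        qn = _qualname(node.func)
        if qn not in SHELL_SINKS:
            continue
        module, attr = qn
        # os.* sinks always go through a shell; subprocess.* only with shell=True.
        goes_through_shell = module == "os" or _shell_true(node)
        if goes_through_shell and not _is_string_literal(node.args[0]):
            findings.append(Finding(filename, node.lineno, f"{module}.{attr}"))
    return findings


def analyze(files):
    """Run the query over a {filename: source} mapping and collect findings."""
    findings = []
    for name, src in files.items():
        findings.extend(find_variants(src, name))
    return findings


def ci_gate(files):
    """Return True when the codebase is clean; a pipeline fails the build otherwise."""
    return not analyze(files)


if __name__ == "__main__":
    for f in analyze(SAMPLE_FILES):
        print(f"{f.file}:{f.line}: {f.sink} called with a non-literal command")
    print("gate passes" if ci_gate(SAMPLE_FILES) else "gate fails")
```

Run on the sample, the query reports the two unfixed variants in `backup.py` and `cleanup.py`, ignores the already-fixed call in `deploy.py` and the literal-command call, and the gate fails. A real variant-analysis query would add data-flow tracking (is the non-literal argument actually attacker-influenced?) and cover the project's own wrappers around these sinks; the point here is the shape of the workflow, not the completeness of the pattern.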


Day: 2019-09-13
Start time: 13:15
Duration: 01:00
Room: Tesla
