Trillions of Lines of Code and Counting - Securing Applications At Scale

Black Hat USA 2011

Presented by: Brad Arkin, Jeremiah Grossman, Alex Hutton, John Johnson, Adrian Lane
Date: Thursday August 04, 2011
Time: 10:00 - 11:00
Location: Augustus V + VI
Track: Scoping the Issue

As the entire computer security industry is fully and painfully aware, applications are the #1 target for malicious attack. Whether we're talking exploitation of Web browsers, file readers, or Web applications, the root of the problem is the same: vulnerable software, trillions of lines worth of code and counting. Now that almost every person, government, and company is online, it's difficult to imagine a bigger, more challenging, complex, and important problem to solve than application security.

Today, application security is about program execution at a scale large enough to match the threat - and that's the hard part. On an internet-wide scale, how do we go about writing more secure code? How do we deal with the massive backlog of vulnerable code already in wide circulation? What are the best strategies for ensuring code remains secure as threats evolve?

This is but a taste of the questions on the topic that our panelists, all respected experts with relevant field experience, will be ready to discuss.

Jeremiah Grossman

Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co-founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA, CSI, HiTB, OWASP, ISSA, and a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of XSS Attacks. Grossman is often quoted in the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo!

Brad Arkin

Brad Arkin is the senior director of product security and privacy at Adobe. In his role, Arkin leads the Adobe Secure Software Engineering Team (ASSET) responsible for ensuring Adobe's products are designed, engineered and validated using security best practices, as well as the Product Security Incident Response Team (PSIRT) dedicated to responding to and communicating about security issues. Prior to joining Adobe, Arkin held management positions at StepNexus, Symantec, @Stake and Cigital. He is currently a board member of SAFECode, the Software Assurance Forum for Excellence in Code, and a member of the BSIMM (Building Security In Maturity Model) advisory board. Arkin holds a BS in computer science from the College of William and Mary, an MS in computer science from George Washington University, and an MBA from Columbia University and London Business School.

Alex Hutton

Alex Hutton is a Sr. Analyst in Risk Intelligence with Verizon Business. Mr. Hutton has served as an information risk and security consultant for over 15 years, serving companies from the Fortune 10 to the SMB market. He has also served as Product Manager for security product vendors, and as an executive in two security start-up companies. He is a co-author of the Verizon Data Breach Investigations Report (2009), and writes regularly for the Verizon Security Blog and the New School of Information Security blog. Alex also contributes to the Cloud Security Alliance, the ISM3 security management standard, the CIS metrics project and the Open Group Security Forum. In 2007, ITSecurity.com named Alex one of the industry's 59 most influential people.

John Johnson

Dr. Johnson is currently a senior security manager for John Deere. He manages technical security programs across more than 130 John Deere business units in 160 countries worldwide. John has been responsible for architecting solutions that have been critical to maintaining global network security at John Deere. John is a frequent speaker and lecturer on computer security, a member of peer groups, industry panels, and advisory councils, and has served as a board member for several professional societies. John is an adjunct professor, course designer, author and security blogger. Prior to working at John Deere, John was security manager for the Theoretical Division, Los Alamos National Laboratory.

Adrian Lane

Adrian is a CTO and Analyst at Securosis, bringing over 24 years of industry experience to the research team, much of it at the executive level. Adrian specializes in database security, data security, and software development. With experience at Ingres, Oracle, and Unisys, he has extensive experience in the vendor community, but brings a pragmatic perspective to selecting and deploying technologies having worked on "the other side" as CIO in the finance vertical. Prior to joining Securosis, Adrian served as the CTO/VP at companies such as IPLocks, Touchpoint, CPMi and Transactor/Brodia. He has been invited to present at dozens of security conferences, and regularly contributes to Dark Reading, Information Security Magazine and other security publications. Adrian is a Computer Science graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University.
