Keynote 5 – Wild West Security

K5 – Start Time: 12:00, End Time: 12:45

The Metaphor

Web software is a wild west frontier town. It’s nearly lawless, but inhabited by good folk who are mostly just trying to make an honest living. Our software faces various villains, from lawless savages to slick, well-funded bad people. Security people are the “cowboys” in this talk—but with an important catch. The cowboy is not here to rescue the townspeople from the bad guys by fighting the battles himself. The townspeople need to be taught to defend themselves using the tools they have. Software needs to be defended like the towns in western films where the townsfolk band together and drive off the villains. Sure, the hero might duel with the bad guy—it might be down to security folks to wrestle with the hardest security design issues. But the town will be safe only when the townspeople (developers, business folks, operations, etc.) all do their individual parts to secure it.

The Moral

The moral of this tale is that software people can’t call for the cowboy to fight their battles for them. Even if we see ourselves as cowboys, our job is to train and empower the townspeople to fight for themselves. We must get developers developing securely, business people thinking security in user stories, testers testing for security, and operations (and devops) doing their part, too. I end the talk by exhorting my audience to “deputize” developers, testers, project managers, and so on.

The slides sent along with this submission are just a start. The conclusion covers each role in the software village (e.g., devops, business analysts, product owners, IT security, etc.) and how the gunslinging security professional can enlist their help meaningfully in the fight for software security. It will include real examples from real organisations that are doing a good job of securing their software.


Speaker

Paco Hope, Cigital Ltd, United Kingdom

Author of two security books and frequent conference speaker, Paco Hope is a Principal Consultant with Cigital Ltd and has been working in the field of software security for nearly 15 years. Paco helps clients in the financial, retail, and online gaming industries build secure software by performing source code review and architectural risk analysis. He is also a member of an advisory council with (ISC)² and serves as a subject matter expert for the CISSP and CSSLP security certifications.