Bug Elimination: Code Scanning, Fuzzing, and Composition Analysis

Dr. Dumont here, and welcome to a series on bug elimination. We've got three parts: code scanning, fuzzing, and composition analysis. Let's start with a little overview and talk about why this is important.

So you've probably heard of the SDL, the Secure Development Lifecycle. When we talk about creating secure software, it's not a destination, it's a journey. It's a bit more than just any one particular activity; it's a culture. It's a company and a series of people that want to do better, that want to write software that makes sense, that's safe and secure, that's free of vulnerabilities. There are also other things, technology that we can integrate and deploy, and continuously integrate into our process all throughout. We're going to talk about every one of these phases. For example, there are bug bounties after release of software; there are all these different things you could do to coordinate with the research community. We're not going to hit every one of those points, but there are a few technologies we really want to talk about, too, so that you can understand how to make sure your process, as you design, produce, and release software, does that in a way that's as safe as it can be. Three of these things, code analysis, fuzzing, and composition analysis, can be integrated and fully part of your development lifecycle.

So let's look at this. This is the traditional picture of the SDL that you might have seen. If you look from left to right, you'll see things like training, requirements, design, implementation, verification, release, and response. All of those are important, and the more we can push those activities to the left, the better we do. Again, we're not going to talk about every one of these, but we're going to see that certain parts of these matter: for example, we'll see an implementation phase, and we'll talk about static analysis and see why that's so important. When we get into verification, we'll see that fuzzing is an activity that we can also build in. And finally, when we look to release software, or even acquire software that was written by somebody else, we can pull it apart and see what the components are like on the inside. We want to do that.

In case you haven't really been around this industry a long time, I want to give you a real sense for why this is so important. Imagine that you didn't do this: you didn't take the time to write software that's secure and safe upfront. You thought, you know, instead of baking it in, we'll kind of glaze it on at the end, we'll deal with it, we'll kind of just roll the dice and see what happens when we deploy our software. You're going to have a lot of problems, right? You're going to have to create patches, you're going to have to explain to customers why your software failed in the field, you're going to have to deal with this whole problem, and it's going to cost you orders of magnitude more than investing properly upfront. So that's really the business case for why this is so important.
