Security Instrumentation - The Future of Software Security

Explore the future of software security through this 55-minute LASCON conference talk on security instrumentation. Delve into the challenges of traditional security approaches and discover how instrumentation can revolutionize application protection. Learn about adding security capabilities to compiled applications without code changes, including intrusion detection, automatic SBOM reporting, dynamic software composition analysis, interactive security testing, and runtime protection. Gain insights from the inventor on how instrumentation works, its current applications in thousands of organizations, and its potential future impact. Examine topics such as the software security crisis, weak AppSec outcomes, dynamic binary instrumentation, Java instrumentation API, IAST and RASP technologies, securing application portfolios, enhancing DevSecOps pipelines, and harmonizing development and security efforts. Understand why building security into software development has fallen short and explore this powerful alternative for creating more secure and dynamic applications.

Intro
SOFTWARE SECURITY CRISIS
TOOL SOUP
COST TO ASSESS ONE APPLICATION
RIDICULOUSLY WEAK APPSEC OUTCOMES
PUSHING SECURITY THROUGH DEVELOPMENT DOESN'T WORK
HOW CAN WE GET "SECURITY AS CODE" DEPLOYED?
TYPICAL PENETRATION TESTING
TESTING WITH AN AGENT ON THE INSIDE!
MY FIRST SECURITY INSTRUMENTATION
DYNAMIC BINARY INSTRUMENTATION!
JAVA INSTRUMENTATION API
SECURITY INSTRUMENTATION TODAY
HOW IAST AND RASP WORK
SECURING AN ENTIRE APPLICATION PORTFOLIO IN PARALLEL
A DEVSECOPS-ENHANCED PIPELINE
CONTEXT YIELDS BETTER COVERAGE AND ACCURACY
WHAT'S NEXT FOR SECURITY INSTRUMENTATION?
HARMONIZING DEVELOPMENT AND SECURITY
CONTRAST COMMUNITY EDITION